This entry is part 3 of 5 in the series letsencrypt

Registering the certbot client and requesting a certificate

    - sudo yum -y install yum-utils
    - sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    - sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
    - sudo yum -y install certbot
    - sudo certbot register --server {{ CertServerUrl }} -m {{ contactEmail }} --no-eff-email
    - sudo certbot certonly --server {{ CertServerUrl }} --cert-name {{ certName }} -d {{ certDomains }} --webroot-path {{ webrootPath }} > /home/certbotout.txt

The terraform file (ssm-certbot.tf)

# input variables

variable "instance_ids" {
  type    = list(string)   # bare "list" is legacy syntax; list(string) is the Terraform 0.12+ form
  default = [""]
}

variable "cert_common_name" {
  type    = string
  default = "avTestCert"
}

variable "cert_domain_names" {
  # one element per domain; join with "," when passing it to the certDomains SSM parameter
  type    = list(string)
  default = ["example.com", "www.example.com", "mail.example.com"]
}

variable "web_root_path" {
  type    = string
  default = "/var/www"
}

# Permissions for SSM to run: the instance role (aws_iam_role.aws_ec2_role, declared elsewhere)
# gets the managed SSM core policy so the SSM agent on the instance can receive commands.
# The instance must also use an instance profile built from this role.
resource "aws_iam_role_policy_attachment" "ec2_ssm_policy" {
  role       = aws_iam_role.aws_ec2_role.id
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# SSM document
resource "aws_ssm_document" "my_ssm_doc" {
  name            = "test_document"
  document_type   = "Command"
  document_format = "YAML"
  content         = file("./ssm-content.yaml")
}

# SSM association: runs the document on the target instance
# (aws_instance.anujtf000000 is declared elsewhere; the same resource name is
# used for the target and for the private DNS name)
resource "aws_ssm_association" "assoc" {
  name = aws_ssm_document.my_ssm_doc.name

  targets {
    key    = "InstanceIds"
    values = [aws_instance.anujtf000000.id]
  }

  # every parameter the document declares without a default must be passed here,
  # including webrootPath
  parameters = {
    certDomains           = aws_instance.anujtf000000.private_dns
    certName              = "mycertName"
    contactEmail          = "blah@blah.com"
    webrootPath           = var.web_root_path
    ServerProvisioningUrl = "https://acme-staging-v02.api.letsencrypt.org/directory"
  }
}

The YAML file (ssm-content.yaml) – content for the Systems Manager doc association

NOTE: Beware of any stray whitespace in the YAML. The Terraform SSM document resource will fail with a mysterious Invalid Document Content error. The error simply means that the content (this YAML file) is invalid, usually because of an extra whitespace character.

---
schemaVersion: '2.2'
description: Certbot Install on EC2
parameters:
  certDomains:
    type: String
    description: "Comma-Separated list of domains for which a certificate will be installed. e.g. example.com, www.example.com"
  certName:
    type: String
    description: "The CN (common name) of this certificate. e.g. example.com"
  contactEmail:
    type: String
    description: "Email address for certificate notifications."
  webrootPath:
    type: String
    description: "web root path of webserver. e.g. /var/www"
  ServerProvisioningUrl:
    type: String
    description: "The ACME server endpoint URL."
mainSteps:
- action: aws:runShellScript
  name: configureServer
  inputs:
    runCommand:
    - sudo yum -y install yum-utils
    - sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    - sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
    - sudo yum -y install certbot
    - sudo certbot register --server {{ ServerProvisioningUrl }} -m {{ contactEmail }} --no-eff-email
    - sudo certbot certonly --server {{ ServerProvisioningUrl }} --cert-name {{ certName }} -d {{ certDomains }} --webroot-path {{ webrootPath }}
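This setup fails in two ways that only surface at apply or association time: document text SSM rejects as Invalid Document Content (the whitespace noted above), and a placeholder or parameter that does not line up between ssm-content.yaml and the association's parameters map (the first command list on this page uses {{ CertServerUrl }} while the document declares ServerProvisioningUrl, and webrootPath is declared without a default, so the association must pass it). The pre-flight checker below is an added example, not code from the post. It assumes the document has been parsed with yaml.safe_load() into a dict; the sample document, parameters map and raw text embedded in it are constructed to mirror the post's files.

```python
"""Pre-flight checks for an SSM Command document and its association parameters.

Added example (not from the original post). It catches the two ways this setup
fails before `terraform apply`: document text SSM rejects as invalid, and a
placeholder or parameter that does not line up between ssm-content.yaml and
the parameters map of the aws_ssm_association.
"""
import re

# {{ name }} placeholders as used in the document's runCommand lines
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def find_content_problems(raw_yaml):
    """Scan the raw document text for whitespace that makes the content invalid.

    Returns a list of (line_number, description). Tabs and non-breaking spaces are
    not valid YAML indentation; trailing whitespace is flagged because it is the
    usual leftover from copy-pasting and is easy to miss in an editor.
    """
    problems = []
    for lineno, line in enumerate(raw_yaml.splitlines(), start=1):
        if "\t" in line:
            problems.append((lineno, "tab character (YAML indentation must be spaces)"))
        if "\u00a0" in line:
            problems.append((lineno, "non-breaking space (pasted from a web page?)"))
        if line.strip() and line != line.rstrip():
            problems.append((lineno, "trailing whitespace"))
    return problems


def check_document_parameters(doc, association_params):
    """Cross-check a parsed Command document against an association's parameters map.

    `doc` is the dict yaml.safe_load() returns for ssm-content.yaml and
    `association_params` mirrors the `parameters = { ... }` block of the
    aws_ssm_association. Every list in the result should be empty:
      undeclared - placeholders used in runCommand but not declared under parameters
      unsupplied - parameters declared without a default that the association does not pass
      unknown    - values the association passes that the document does not declare
      unused     - declared parameters no command references
    """
    params = doc.get("parameters", {})
    declared = set(params)
    required = {name for name, spec in params.items() if "default" not in spec}
    referenced = set()
    for step in doc.get("mainSteps", []):
        for cmd in step.get("inputs", {}).get("runCommand", []):
            referenced.update(PLACEHOLDER.findall(cmd))
    supplied = set(association_params)
    return {
        "undeclared": sorted(referenced - declared),
        "unsupplied": sorted(required - supplied),
        "unknown": sorted(supplied - declared),
        "unused": sorted(declared - referenced),
    }


# Constructed sample: ssm-content.yaml from the post as yaml.safe_load() would return it
SAMPLE_DOC = {
    "schemaVersion": "2.2",
    "description": "Certbot Install on EC2",
    "parameters": {
        "certDomains": {"type": "String", "description": "Comma-separated list of domains"},
        "certName": {"type": "String", "description": "Certificate common name"},
        "contactEmail": {"type": "String", "description": "Notification email"},
        "webrootPath": {"type": "String", "description": "Web root of the web server"},
        "ServerProvisioningUrl": {"type": "String", "description": "ACME directory URL"},
    },
    "mainSteps": [{
        "action": "aws:runShellScript",
        "name": "configureServer",
        "inputs": {"runCommand": [
            "sudo yum -y install certbot",
            "sudo certbot register --server {{ ServerProvisioningUrl }} -m {{ contactEmail }} --no-eff-email",
            "sudo certbot certonly --server {{ ServerProvisioningUrl }} --cert-name {{ certName }} "
            "-d {{ certDomains }} --webroot-path {{ webrootPath }}",
        ]},
    }],
}

# Constructed sample: the association's parameters map with webrootPath left out
SAMPLE_ASSOCIATION_PARAMS = {
    "certDomains": "ip-10-0-0-1.ec2.internal",
    "certName": "mycertName",
    "contactEmail": "blah@blah.com",
    "ServerProvisioningUrl": "https://acme-staging-v02.api.letsencrypt.org/directory",
}

# Constructed raw text with a trailing space (line 2) and a tab (line 4)
SAMPLE_RAW = "schemaVersion: '2.2'\ndescription: Certbot Install on EC2 \nparameters:\n\tcertName:\n    type: String\n"


if __name__ == "__main__":
    for lineno, issue in find_content_problems(SAMPLE_RAW):
        print(f"line {lineno}: {issue}")
    for kind, names in check_document_parameters(SAMPLE_DOC, SAMPLE_ASSOCIATION_PARAMS).items():
        if names:
            print(f"{kind}: {', '.join(names)}")
```

Run it against the real files by reading ssm-content.yaml into `find_content_problems` and feeding `yaml.safe_load` of the same text plus the association's parameters map into `check_document_parameters`; a non-empty `unsupplied` or `undeclared` list is exactly the mismatch that otherwise only shows up when the association fails.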

Creating cert in --standalone mode

    - sudo yum -y install yum-utils
    - sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    - sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
    - sudo yum -y install certbot
    - sudo certbot register --server {{ acmeServerUrl }} -m {{ contactEmail }} --no-eff-email
    # --standalone makes certbot answer the HTTP-01 challenge on port 80 itself, so no
    # webroot path is needed and nothing else may be listening on port 80 while it runs
    - sudo certbot certonly --standalone --server {{ acmeServerUrl }} --cert-name {{ certName }} -d {{ certDomains }} > /home/certbotrun.txt


Posted by Anuj Varma.

