Today I gave another go on Let's Encrypt. Yesterday I tried with official client and even I succeed, there was no feeling of any success. It had to be easier and faster.
After some research on alternative clients I came across lego. It's written in GO programming language, provides single binary file, have option to provide ACME challenge using DNS and saves everything inside
.lego directory in your working directory. You can download precompiled binaries on github, but at the time of writing those binaries ware too old and without DNS acme challenge support. So compilation from the source was needed. If you don't have go installed, download installer from official website.
$ export GOPATH=`pwd` $ go get -u github.com/xenolf/lego
That will create
lego executable inside
bin directory. You can copy that file wherever you want to run it from.
Then I created IAM policy in AWS console, as explained on lego's github page. After that it was easy:
$ ./lego --email="[my e-mail]" --domains="simplify.ba" --domains="www.simplify.ba" --dns="route53" run
In a few minutes I got SAN certificate for both domains in
.logo/certificates. Same as yesterday, from that directory I used
aws cli to install certificate on CloudFront CDN:
$ aws iam upload-server-certificate --server-certificate-name simplify.ba-ssl --certificate-body file://simplify.ba.crt --private-key file://simplify.ba.key --path /cloudfront/prod/
After confirming that this work I removed old one:
$ aws iam delete-server-certificate --server-certificate-name www.simplify.ba-ssl
Everything took about 20 minutes. After loosing several hours yesterday with "official" Let's Encrypt client, this was like a vacation! No need to create any files on S3,
lego solved DNS ACME challenge without any intervention on my side.