Skip to content

Automatically Create and Renew Your Let'sEncrypt Certificates on ELB

License

Notifications You must be signed in to change notification settings

FlexibleEngineCloud/fe-letsencrypt

Repository files navigation

Flexible Engine Let's Encrypt

Certbot is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems.

These scripts are extension to support Flexible Engine Cloud DNS provider. for generating/renewing letsencrypt certificates and loading them to FlexibleEngine Load Balancer (ELB).
The diagram below describes in detail.

Make sure to have already installed Certbot client on your linux machine, for more details, please refer to documentation: https://certbot.eff.org/instructions
these scripts are devided in two parts.

  • Script for generating the first time Letsencrypt certificate using certbot client.
  • Script for renewing the certificate (renewing script can be scheduled as cron job to run in a regular timing)

Setting Env variables:

Environment variables must be setted, allowing authentication and gettig API Token on the required resources.
https://docs.prod-cloud-ocb.orange-business.com/en-us/api/dns/en-us_topic_0037134406.html

Generating Certificate:

'./create.sh'
by loading first environment variable (environment-variables.sh) and running certbot command.
Certbot allows for the specification of pre and post validation hooks when run in manual mode. The flags to specify these scripts are --manual-auth-hook and --manual-cleanup-hook respectively.

This will run the authenticator.sh script, attempt the validation, and then run the cleanup.sh script. Additionally certbot will pass relevant environment variables to these scripts:

  • CERTBOT_DOMAIN: The domain being authenticated
  • CERTBOT_VALIDATION: The validation string
  • CERTBOT_TOKEN: Resource name part of the HTTP-01 challenge (HTTP-01 only)
  • CERTBOT_REMAINING_CHALLENGES: Number of challenges remaining after the current challenge
  • CERTBOT_ALL_DOMAINS: A comma-separated list of all domains challenged for the current certificate

more details, please refer to documentation: https://eff-certbot.readthedocs.io/en/stable/using.html

Renewing Certificate:

'./renew.sh'
The 'renew.sh' script will attempt to renew certificate previously obtained for the specified domain. and load it to FlexibleEngine ELB (domain, and auth credentials... will be retrieved from env variables script)

Diagram:

alt text

Links:

License :

This repository is licensed under the Apache 2.0 License. See the LICENSE file for more information.