In this article, I will show you how to renew Let’s Encrypt certificates automatically. This might sound a little bit boring… so I will use a simple Pacman game to grab your attention. Although it was developed as a support tool for non-technical people, it can be used in new projects, both for business and personal use. And it is only a mouse click away!
Technologies? Tools? Apps?
Technologies we’ll use:
| Technology | Description | Version |
|---|---|---|
| AWS | Amazon Web Services provider | |
| EC2 | Compute instances over AWS | |
| Route 53 | Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service | |
| Apache | The Apache HTTP Server Project is an open-source HTTP server for modern operating systems, including UNIX and Windows | |
| Terraform | Terraform is a tool for building, changing and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers, as well as custom in-house solutions. | v0.11 |
| O.S. | Ubuntu is a free and open-source operating system and Linux distribution based on Debian | Ubuntu Xenial 16.04 LTS |
We can find the following definition on its official website (www.terraform.io): “Terraform is a tool for building, changing and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers, as well as custom in-house solutions”.
Providers: APIs with which Terraform can communicate for performing the tasks you define. AWS, GCP, Microsoft Azure and OpenStack are examples of providers. You can find the full list here.
Infrastructure as code: you can (and I strongly recommend it) keep your source code in GitLab, Bitbucket, GitHub, SVN or any other repository hosting service to control changes and to implement a FEATURE or fix a BUG. It also opens the door to CI/CD, which some tools, such as GitLab, provide out of the box. Infrastructure as code is especially helpful when you want to deploy the same infrastructure in many different provider accounts.
Modules: Terraform modules help you define your infrastructure. On GitHub you can find community modules that help with your deployment; for example, a Terraform module that creates an RDS instance in AWS.
Infrastructure graphics: Graphviz can render a graph of the infrastructure you have already defined. Adding such a graph to your README really helps people understand your infrastructure code.
> terraform init
Initializes the working directory: it configures the backend and downloads the associated provider plugins. Terraform records the resources it manages in the so-called ‘state file’, and it is crucial that this file is never lost, so we usually keep it in an S3 bucket.
> terraform plan
This is recommended before applying Terraform. It is very useful because it shows the changes Terraform is going to apply to your infrastructure, compared with its current state.
> terraform apply
Applies changes to your chosen provider.
How To Install Terraform?
Certbot gives you an SSL/TLS certificate issued by Let’s Encrypt (the issuing entity) with a three-month validity, which is renewed automatically.
Certbot was developed by the EFF (Electronic Frontier Foundation) as the ‘official client’ of the Let’s Encrypt certificate authority, but it also works with any CA that supports the ACME protocol (Automated Certificate Management Environment).
How does it work? A cron job runs periodically and asks Let’s Encrypt for a new certificate when the current one is close to expiry, so the certificate is renewed before it expires. The tool can also configure Apache, Nginx, HAProxy or Plesk servers automatically with the issued certificates.
In my experience, if you want greater control over it, I recommend first generating the certificates and then configuring their path on the machine yourself.
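Putting the Certbot flow above together with the Terraform pieces this article relies on, here is an added sketch (not the article's own Terraform files, written in the Terraform 0.11 syntax the article uses): the email and domain are variables, the EC2 User Data installs Apache and Certbot, obtains the certificate with the webroot authenticator, points Apache at the issued files and installs the daily renewal job, and a Route 53 record points the domain at the instance. All variable, resource and file names, the Certbot PPA and the t2.micro instance type are assumptions; the key pair and the security group opening ports 80/443 are omitted.

```hcl
variable "domain" {}    # assumed name: e.g. pacman.example.com
variable "email" {}     # assumed name: Let's Encrypt contact address
variable "zone_id" {}   # assumed name: Route 53 hosted zone of the domain
variable "ami" {}       # assumed name: Ubuntu 16.04 AMI id for your region

# User Data: the bootstrap script EC2 runs on first boot (assumed content)
data "template_file" "user_data" {
  template = <<EOF
#!/bin/bash
set -e
apt-get update && apt-get install -y apache2 software-properties-common
add-apt-repository -y ppa:certbot/certbot && apt-get update && apt-get install -y certbot
# The Route 53 record is created after boot, so retry HTTP-01 until DNS resolves
for i in $(seq 1 20); do
  certbot certonly --webroot -w /var/www/html -d $${domain} --email $${email} \
    --agree-tos --no-eff-email --non-interactive && break
  sleep 60
done
test -s /etc/letsencrypt/live/$${domain}/fullchain.pem   # abort if issuance never succeeded
# Point Apache's default SSL site at the issued files and enable it
a2enmod ssl
sed -i "s#/etc/ssl/certs/ssl-cert-snakeoil.pem#/etc/letsencrypt/live/$${domain}/fullchain.pem#; s#/etc/ssl/private/ssl-cert-snakeoil.key#/etc/letsencrypt/live/$${domain}/privkey.pem#" /etc/apache2/sites-available/default-ssl.conf
a2ensite default-ssl && systemctl reload apache2
# Daily renewal job; Apache is reloaded only when a certificate was actually replaced
cat > /etc/cron.daily/certbot-renew <<'CRON'
#!/bin/sh
certbot renew --quiet --deploy-hook "systemctl reload apache2"
CRON
chmod +x /etc/cron.daily/certbot-renew
EOF
  vars {
    domain = "${var.domain}"
    email  = "${var.email}"
  }
}

resource "aws_instance" "web" {
  ami           = "${var.ami}"
  instance_type = "t2.micro"
  user_data     = "${data.template_file.user_data.rendered}"
  # key pair and a security group allowing 80/443 are omitted here
}

resource "aws_route53_record" "web" {
  zone_id = "${var.zone_id}"
  name    = "${var.domain}"
  type    = "A"
  ttl     = 60
  records = ["${aws_instance.web.public_ip}"]
}
```

The `$${...}` escapes are needed because the HCL heredoc is interpolated by Terraform before `template_file` renders it; the public IP changes if the instance is stopped and started, so an Elastic IP is the safer choice for a long-lived host.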
Let’s deploy Pacman!
5.1. Before deployment
- Configure your base variables and change the domain name in the templates file and in DNS:
  - Set email and domains
- Change the DNS of your domain in AWS Route 53 (you must own a domain from any provider (GoDaddy, Gandi, OVH, etc.)).
- Create a user with the privileges required to create and destroy the resources defined in the Terraform files. You must use environment variables to access AWS later on. In your terminal:
If you have configured everything… You are ready to deploy!
> terraform init
> terraform plan
> terraform apply
You’ll see an output similar to the one shown below:
To test it, wait until the DNS entries propagate, enter your domain and… Ta-da! You now have your SSL configured with the Pacman application running.
root@ip-10-0-1-179:~# run-parts --verbose /etc/cron.daily
run-parts: executing /etc/cron.daily/apache2
run-parts: executing /etc/cron.daily/apport
run-parts: executing /etc/cron.daily/apt-compat
run-parts: executing /etc/cron.daily/bsdmainutils
run-parts: executing /etc/cron.daily/certbot-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
Keeping the existing certificate
Certificate not yet due for renewal; no action taken.
run-parts: executing /etc/cron.daily/dpkg
run-parts: executing /etc/cron.daily/logrotate
Terraform and Amazon Web Services are two amazing tools. The key thing is the User Data that Amazon provides you in EC2 machines. In addition, using Certbot for the automatic renewal puts an end to expired certificates.