Let's Encrypt TLS Certificates using Route53 DNS verification

Mar 26, 2016 using tags letsencrypt, dns, route53

Take control of how people reach you. Sign up for our free beta today.

In January of this year, Let’s Encrypt enabled the dns-01 challenge in production which was pretty huge!

Turned on support for the ACME DNS challenge in production today. Enjoy!
— Let's Encrypt (@letsencrypt) January 20, 2016

Unfortunately, the official client does not yet support this. There is, however, another client that supports this beautifully! Enter . I’m going to show you how to obtain a TLS certificate for www.example.com using lego and DNS verification.

What you’ll need:

The lego binary somewhere in your PATH (grab the latest from the GitHub releases page)
DNS for your domain managed in Route53 (we’re using example.com in this case)
AWS credentials capable of modifying route53 records

Set the following environment variables. Note that LE_EMAIL here is the email you would like to use to register with Let’s Encrypt.

export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_REGION=us-east-1
export LE_EMAIL=bob@example.com

Enter the directory where you’d like to store your certificates and:

cd /your/certificate/directory
lego --path="`pwd`" --email="${LE_EMAIL}" --domains="www.example.com" --dns="route53" run

You should see output that looks something like:

2016/03/26 11:45:29 [INFO][www.example.com] acme: Obtaining bundled SAN certificate
2016/03/26 11:45:29 [INFO][www.example.com] acme: Could not find solver for: http-01
2016/03/26 11:45:29 [INFO][www.example.com] acme: Trying to solve DNS-01
2016/03/26 11:45:56 [INFO][www.example.com] Checking DNS record propagation...
2016/03/26 11:45:59 [INFO][www.example.com] The server validated our request
2016/03/26 11:46:25 [INFO][www.example.com] acme: Validations succeeded; requesting certificates
2016/03/26 11:46:26 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
2016/03/26 11:46:26 [INFO][www.example.com] Server responded with a certificate.

If this is your first time running the lego client, it will create the accounts and certificates sub-directories. One thing to keep in mind here is that the lego generated certificate already contains the intermediate certificate (chain.pem), so if this is something you need to separate out, you will either need to do this manually or through a script.

Using the example above, the certificates/www.example.com.crt file will look something like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The second certificate there is the intermediate certificate (chain.pem) you’re looking for.

Neat, huh!