Route 53 Let’s Encrypt wildcard certificate with acme.sh

Amazon Route 53 is a DNS service offered by Amazon Web Services (AWS) and acme.sh is a command-line utility for automating the process of obtaining and renewing Let’s Encrypt SSL/TLS certificates. Here’s how you can use acme.sh to obtain a wildcard certificate for a domain hosted on Route 53:

  1. First, install acme.sh on your server by running:

```sh
curl https://get.acme.sh | sh
```

  2. Next, issue a wildcard certificate for your domain with the following command, replacing `example.com` with your own domain name:

```sh
~/.acme.sh/acme.sh --issue --dns dns_aws -d '*.example.com' -d 'example.com'
```

  3. This command creates a DNS TXT record on Route 53 for each name, which is how acme.sh proves to Let's Encrypt that you control the domain.
  4. Once the verification succeeds, acme.sh writes the wildcard certificate in PEM format together with its private key.
  5. You can now install the certificate on your web server and configure it to use the certificate and private key.
  6. Alternatively, use the following command to copy the certificate and private key into the locations your web server reads:

```sh
~/.acme.sh/acme.sh --install-cert -d example.com --key-file /path/to/private_key.pem --fullchain-file /path/to/fullchain.pem
```

  7. To renew the certificate before it expires, run:

```sh
~/.acme.sh/acme.sh --renew -d example.com
```
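The steps above, wrapped into one script as an added example (this is not acme.sh's own code). It assumes acme.sh is installed under ~/.acme.sh, that the AWS credentials the dns_aws hook reads come from the environment rather than the script, and that CERT_DIR and RELOAD_CMD (both assumed names) point at your web server's certificate directory and reload command.

```sh
#!/bin/sh
# Wrapper for the acme.sh + Route 53 wildcard procedure (added example, not acme.sh code).
set -eu

ACME="${HOME:-/root}/.acme.sh/acme.sh"
CERT_DIR="${CERT_DIR:-/etc/ssl/acme}"                # assumed install location
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"   # assumed web server reload

# The dns_aws hook reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY; keep them in
# the environment of a Route 53-only IAM identity, not in the script or history.
require_aws_env() {
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]
}

# Accept only a bare apex name (no wildcard, scheme, path, space or stray dots)
# so the wildcard/apex SAN pair is always built from a well-formed input.
valid_apex() {
    case "$1" in
        ''|*'*'*|*'/'*|*' '*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Confirm the installed leaf really lists both names (needs OpenSSL 1.1.1+ for -ext).
verify_cert_names() {   # verify_cert_names fullchain.pem example.com
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName)
    printf '%s\n' "$san" | grep -qF "DNS:*.$2" &&
        printf '%s\n' "$san" | grep -qF "DNS:$2"
}

issue_and_install() {
    domain="$1"
    valid_apex "$domain" || { echo "bad apex domain: $domain" >&2; return 1; }
    require_aws_env || { echo "AWS credentials not in environment" >&2; return 1; }
    umask 077                                     # key file readable by owner only
    mkdir -p "$CERT_DIR"
    "$ACME" --issue --dns dns_aws -d "*.$domain" -d "$domain"
    # --install-cert records the paths and reload command, so later --renew runs reuse them
    "$ACME" --install-cert -d "$domain" \
        --key-file "$CERT_DIR/$domain.key" \
        --fullchain-file "$CERT_DIR/$domain.fullchain.pem" \
        --reloadcmd "$RELOAD_CMD"
    verify_cert_names "$CERT_DIR/$domain.fullchain.pem" "$domain"
}

if [ "$#" -eq 1 ]; then issue_and_install "$1"; fi
```

Run it as `sh issue-wildcard.sh example.com` with the two AWS variables exported; a non-zero exit after installation means the deployed leaf does not carry the expected names.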

It's important to note that certbot, the official Let's Encrypt client, does not support wildcard certificates yet, so you will have to use acme.sh to get a wildcard certificate.

Additionally, you can pass the `--force` option to renew the certificate ahead of its expiration date, which is useful if you want to renew before the 90-day lifetime runs out.
