Generating Letsencrypt Personal Certs on Route53

Using IAM roles to restrict certificate generation

We have a bunch of machines behind haproxy load balancers. The haproxy is publicly accessible and can use the ACME HTTP challenge for certificate renewal. The machines behind it use self-signed certs from our own CA, but there are cases where we would like “legit” certs on both systems: for example, a gitlab instance that is accessible both internally and externally, or our web servers for internal or testing access.

For the internal machines, I came up with the idea of using the ACME DNS challenge to validate the certificate request, while the haproxy continues to use the HTTP challenge.

I wanted to restrict the AWS access keys so that the compromise of one machine would not expose our entire DNS zone, so I created a recipe that limits each access key to a specific record name.
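As an added illustration (not the author's recipe, which is not reproduced here), an IAM policy that lets an ACME client write only the TXT challenge record for a single host. The hosted zone ID is a placeholder and `gitlab.example.com` is a constructed name; the read-only actions in the first statement are the ones commonly needed to find the zone and poll for propagation, and the exact set depends on the ACME client used.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LookupZoneAndPollChange",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Sid": "WriteOnlyThisHostsAcmeChallenge",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_PLACEHOLDER",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.gitlab.example.com"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "TXT"
          ]
        }
      }
    }
  ]
}
```

Attach one such policy per internal host, each with its own `_acme-challenge.<host>` name, so a key stolen from that host can touch nothing else in the zone; record names in the condition must be lowercase, as Route 53 normalizes them before evaluation.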
