Using Let's Encrypt DNS-01 Validation with AWS Route 53

Step 1: Install Certbot and the AWS DNS Plugin

Certbot is the official Let's Encrypt client, and the python3-certbot-dns-route53 plugin automates DNS-01 validation for Route 53.

• Update the system and install Certbot:

sudo apt update
sudo apt install -y certbot python3-certbot-dns-route53

Step 2: Configure IAM Permissions for Route 53

Certbot needs access to AWS Route 53 to add TXT records for validation.

• Create an IAM user:
• Go to the AWS Management Console.
• Open the IAM service.
• Create a new IAM user with programmatic access (access key and secret key).
• Attach the following policy to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "*"
        }
    ]
}

• Create a credentials file:

sudo nano /etc/letsencrypt/route53.ini

• Add the following:

[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY

• Secure the credentials file:

sudo chmod 600 /etc/letsencrypt/route53.ini

Step 3: Obtain a Certificate Using DNS-01 Challenge

• Run the Certbot command:

sudo certbot certonly \
    --dns-route53 \
    --dns-route53-credentials /etc/letsencrypt/route53.ini \
    -d private-server-1.pri.smortler.com

• After successful issuance, Certbot will store the certificate:

Full certificate: /etc/letsencrypt/live/private-server-1.pri.smortler.com/fullchain.pem
Private key: /etc/letsencrypt/live/private-server-1.pri.smortler.com/privkey.pem

Step 4: Configure Apache for HTTPS

• Edit the Apache SSL configuration:

sudo nano /etc/apache2/sites-available/default-ssl.conf

• Update the configuration:

<VirtualHost *:443>
    ServerName private-server-1.pri.smortler.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/private-server-1.pri.smortler.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/private-server-1.pri.smortler.com/privkey.pem

    <Directory /var/www/html>
        AllowOverride All
    </Directory>
</VirtualHost>

• Enable the SSL module and configuration:

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo systemctl reload apache2

Step 5: Automate Certificate Renewal

• Test manual renewal:

sudo certbot renew --dry-run

• Add a cron job for automatic renewal:

sudo crontab -e

• Add the following:

0 2 * * * certbot renew --quiet && systemctl reload apache2

Step 6: Verify HTTPS

• Open a browser and navigate to https://private-server-1.pri.smortler.com. You should see a valid SSL certificate issued by Let's Encrypt.