Use AWS Lambda to manage SSL certificates for ACME providers like Let's Encrypt.
This project uses AWS Lambda to periodically (once per day) check a set of certificates for expiration and, if they are about to expire or are invalid/missing, request a new certificate from the ACME infrastructure.
Certificates are stored in S3, which can easily be configured to send an SNS notification based upon a PUT event into the configured bucket.
Please see the roadmap for a sorted list of upcoming features by priority.
This project requires a little configuration to be used in AWS.
Modify the configuration file with the values needed for your environment:
| Variable | Description |
|---|---|
| `acme-directory-url` | Change to the production URL, https://acme-v01.api.letsencrypt.org, when ready for a real certificate. |
| `acme-account-email` | Email of the user requesting the certificate. |
| `s3-account-bucket` | An S3 bucket to place account keys/config data into. You will need to create this bucket and assign the IAM role permission to read/write it. |
| `s3-cert-bucket` | An S3 bucket to place domain certificate data into. You will need to create this bucket and assign the IAM role permission to read/write it. |
| `s3-folder` | A folder within the above buckets to place the files under, in case these buckets hold other contents. |
| `certificate-info` | Object containing certificate information, mapping certificate names to domains. |
Change the `acme-directory-url` to one of the v2 URLs: and you will be able to request wildcard certificates.
Follow these steps to get started:

1. Clone this repository:

   ```
   $ git clone [email protected]:ocelotconsulting/node-acme-lambda.git
   ```

2. Modify the configuration (as above).

3. Create the S3 buckets and the IAM role, then test locally:

   ```
   $ npm run local-cert
   ```

4. Package the Lambda zip:

   ```
   $ npm run dist
   ```

5. Create the Lambda by uploading the zip, set the handler to `app.handler`, and establish your desired trigger (e.g. periodic).

Optional: you can write your certificates to a PEM file by executing:

```
$ npm run pems
```
The `certificate-info` field of the configuration file can have `zoneLevels` defined, allowing hosted zones at levels greater than 2 (e.g. `host.at.longer.domain.com` could specify 4 zone levels, which would require proper NS records in the parent Route53 hosted zone or other DNS).
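The two decisions described above, the daily "renew or not" check and the hosted-zone lookup driven by `zoneLevels`, as an added example written for this page rather than code from the node-acme-lambda project. The certificate record shape (`notBefore`, `notAfter`, `domains`), the 30-day renewal window and the reading of `zoneLevels` as "the trailing N labels of the domain" are assumptions made for illustration.

```javascript
// Added example, not the project's own code. Input shapes are assumed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Decide whether a stored certificate must be (re)issued on this run.
// `cert` is null when nothing is stored in S3; otherwise it carries the
// parsed validity window and the names it covers (constructed shape).
function renewalDecision(cert, requiredDomains, now, renewWithinDays = 30) {
  if (!cert) return { renew: true, reason: 'missing' };
  const notBefore = Date.parse(cert.notBefore);
  const notAfter = Date.parse(cert.notAfter);
  if (Number.isNaN(notBefore) || Number.isNaN(notAfter) || notAfter <= notBefore) {
    return { renew: true, reason: 'invalid' };
  }
  if (now < notBefore) return { renew: true, reason: 'not-yet-valid' };
  if (now >= notAfter) return { renew: true, reason: 'expired' };
  // A certificate that no longer covers every configured name is treated
  // as invalid even when its dates are fine (e.g. a domain was added).
  const covered = new Set(cert.domains.map((d) => d.toLowerCase()));
  const missing = requiredDomains.filter((d) => !covered.has(d.toLowerCase()));
  if (missing.length) return { renew: true, reason: 'domains-changed', missing };
  const daysLeft = Math.floor((notAfter - now) / DAY_MS);
  if (daysLeft < renewWithinDays) return { renew: true, reason: 'expiring', daysLeft };
  return { renew: false, reason: 'valid', daysLeft };
}

// Route53 hosted zone for a domain: the trailing `zoneLevels` labels
// (assumed meaning of zoneLevels). A leading wildcard label is never part
// of the zone, so it is stripped first. Values that cannot describe a zone
// are rejected rather than silently producing a wrong zone name.
function hostedZoneFor(domain, zoneLevels = 2) {
  const labels = domain.replace(/^\*\./, '').toLowerCase().split('.').filter(Boolean);
  if (!Number.isInteger(zoneLevels) || zoneLevels < 2 || zoneLevels > labels.length) {
    throw new RangeError(`zoneLevels ${zoneLevels} is not valid for ${domain}`);
  }
  return labels.slice(-zoneLevels).join('.');
}

module.exports = { renewalDecision, hostedZoneFor };
```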