Issuing free certificates on ECS

11 Dec 2017 . category: tech
#aws #ecs #https

I recently had to issue certificates for EC2 machines that were created by ECS. ECS is the Elastic Container Service of AWS and EC2 is the VM infrastructure of AWS. The go-to option for the Certificate Authority was Let’s Encrypt, since it’s supported by the EFF and offers free certificates. The process is automated by certbot, and as you can imagine there are plenty of resources on the web on how to use certbot on an EC2 instance. What I struggled to find was how to use certbot on the EC2 instances that are created for ECS. The challenge with these instances is that they are not officially supported by certbot and that they are, by definition, distributions with the bare minimum of dependencies running on them. As a result you need to do some manual work to set them up. More specifically, you need to clone certbot, since it’s not available via yum, and then you need to set up the web server yourself, since the web server runs in a container and not on the host instance.

First, you can use this script (a gist pinned to a specific revision) to install certbot and start the process of issuing the certificates:

bash <(curl -s https://gist.githubusercontent.com/le4ker/30323d994f3ef203949224e60a6bde57/raw/f2ac890960b08898369458e3652a29be665d7949/ecs-certbot.sh)

Then follow certbot’s prompts; when it finishes, your certificates will be placed under:

/etc/letsencrypt/live/YOUR_DOMAIN/

Now that you have the certificates, you have to set up the web server to use them. Normally this is done by certbot, but using ECS means that your infrastructure runs on Docker containers, so your web server doesn’t actually exist on the host instance.

Here is the configuration for nginx that you need:

This configuration scores an A on ssllabs. I’ll update the gist to score an A+ once I get the time to do it.

Last, don’t forget to mount the certificate directory from the host into the containers that need it as a Docker volume, otherwise the certificates are not visible to the web server.
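The following is an added example covering both steps above, the nginx configuration and the volume mount; it is my own illustration, not the author’s gist and not code from the nginx or AWS projects. It writes an nginx server block that points at the files certbot leaves under /etc/letsencrypt/live/YOUR_DOMAIN/ and prints the docker run command that bind-mounts them read-only. The upstream name app:8080, the ACME webroot /var/www/certbot, the container name nginx-tls and the image tag nginx:stable are assumptions; the certificate paths are the ones certbot creates.

```shell
#!/bin/sh
# Added example, not the author's gist: generate an nginx TLS server block that
# uses the certbot files under /etc/letsencrypt/live/<domain>/ and build the
# docker run command that mounts them into the nginx container read-only.
set -e

# Write an nginx server block for domain $1 to file $2.
# The certificate paths are the ones certbot creates; the upstream name
# "app:8080" and the ACME webroot /var/www/certbot are assumptions.
write_nginx_tls_conf() {
  domain="$1"
  out="$2"
  cat > "$out" <<EOF
server {
    listen 80;
    server_name ${domain};
    # Keep the HTTP-01 challenge path reachable over plain HTTP so renewals work.
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://\$host\$request_uri; }
}

server {
    listen 443 ssl http2;
    server_name ${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;

    # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://app:8080;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Print the docker run command for the nginx container. The whole of
# /etc/letsencrypt is mounted, not just live/, because the files in live/ are
# symlinks into ../../archive/ and would dangle if only live/ were mounted.
docker_run_cmd() {
  conf="$1"
  printf 'docker run -d --name nginx-tls -p 80:80 -p 443:443 \\\n'
  printf '  -v /etc/letsencrypt:/etc/letsencrypt:ro \\\n'
  printf '  -v /var/www/certbot:/var/www/certbot:ro \\\n'
  printf '  -v %s:/etc/nginx/conf.d/default.conf:ro \\\n' "$conf"
  printf '  nginx:stable\n'
}

# Demo run with constructed values: writes the config to a temp file and
# prints the docker command instead of executing it.
demo_conf=$(mktemp)
write_nginx_tls_conf example.com "$demo_conf"
docker_run_cmd "$demo_conf"
rm -f "$demo_conf"
```

nginx reads the certificate files once at startup, so after certbot renews them the container has to be reloaded (for instance `docker exec nginx-tls nginx -s reload` from a certbot deploy hook); mounting the directory read-only keeps a compromised web server from touching the private key while still letting the renewed files show up through the bind mount.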

Keep encrypting!


Me

Panos is a Computer Scientist with scientific publications in top conferences and journals, three patent applications, open-source contributions on privacy preserving products and a proven track record of delivering secure, reliable and fast cloud services. In the past, he worked as a Linux kernel developer at the CERN CERT team, did Data Mining research at the University of Athens and innovated on Microsoft’s Office 365 cloud services. Currently he is on a mission to accelerate Distributed Ledger Technologies.