Overview
The following solution can be implemented on AWS to schedule the renewal of SSL certificates generated with Certbot and its certbot-dns-route53 plugin.
What is Certbot?
As per the official Certbot website,
Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.
Certbot is made by the Electronic Frontier Foundation (EFF), a 501(c)3 nonprofit based in San Francisco, CA, that defends digital privacy, free speech, and innovation.
The solution works as follows:
- An AWS Systems Manager Maintenance Window with a cron schedule runs the associated Maintenance Window Tasks every 3 months.
- The Maintenance Window Tasks run in order of priority (1, 2 and 3); the lowest priority number runs first.
- The StartEC2Instance task starts the Certbot EC2 instance if it is not already in a running state.
- The RunRenewSSLCertificateTask runs the bash commands on the Certbot EC2 instance to renew the SSL certificate. Certbot uses the Route53 domain to validate that the domain exists. The SSL certificate value is saved to an existing AWS Secrets Manager secret.
- The StopEC2Instance task stops the Certbot EC2 instance once the certificate renewal process has completed.
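As an added example (not the post's own code), the renewal step that the RunRenewSSLCertificateTask could execute on the instance: a non-interactive certbot run with DNS-01 validation through Route 53, followed by writing the resulting files into the existing Secrets Manager secret. It assumes certbot and the dns-route53 plugin are installed, that the instance role may change records in the hosted zone and call secretsmanager:PutSecretValue, and that DOMAIN and SECRET_ID are placeholders to replace.

```python
"""Renewal step for the maintenance window task (added example, not the post's code)."""
import json
import subprocess
from pathlib import Path

DOMAIN = "example.com"                 # placeholder domain
SECRET_ID = "example/tls-certificate"  # placeholder; the secret must already exist
LIVE_DIR = Path("/etc/letsencrypt/live") / DOMAIN


def certbot_command(domain: str, email: str) -> list:
    """Argument list for a non-interactive certbot run using Route 53 DNS validation."""
    return [
        "certbot", "certonly", "--non-interactive", "--agree-tos",
        "--dns-route53", "-d", domain, "--email", email,
        # Only re-issues when the current certificate is close to expiry, so the task
        # is safe to run on a schedule; make sure the window lands inside that period.
        "--keep-until-expiring",
    ]


def build_secret_payload(live_dir: Path) -> dict:
    """Bundle the PEM files certbot writes into a single JSON secret value."""
    return {
        "certificate": (live_dir / "cert.pem").read_text(),
        "chain": (live_dir / "chain.pem").read_text(),
        "fullchain": (live_dir / "fullchain.pem").read_text(),
        "private_key": (live_dir / "privkey.pem").read_text(),
    }


def store_secret(secret_id: str, payload: dict) -> str:
    """Store the payload as a new version of the existing Secrets Manager secret."""
    import boto3  # imported here so the pure functions above run without the AWS SDK
    client = boto3.client("secretsmanager")
    resp = client.put_secret_value(SecretId=secret_id, SecretString=json.dumps(payload))
    return resp["VersionId"]


def main() -> None:
    subprocess.run(certbot_command(DOMAIN, "admin@" + DOMAIN), check=True)
    version = store_secret(SECRET_ID, build_secret_payload(LIVE_DIR))
    print(f"stored certificate for {DOMAIN} as secret version {version}")


if __name__ == "__main__":
    main()
```

Because the secret holds the private key, scope the instance role to that one secret and to the single hosted zone rather than granting broad Route 53 or Secrets Manager access.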