SSL/TLS certificates are essential for any web application’s security, credibility, and functionality in today’s digital landscape.
Security is the primary reason certificates matter. They encrypt all data transmitted between users’ browsers and your server, protecting sensitive information like passwords, personal data, and payment details from interception by malicious actors. Without encryption, this data travels in plain text, making it vulnerable to man-in-the-middle attacks and eavesdropping.
Trust and credibility are immediately visible to users. Browsers display clear security indicators for HTTPS sites—a padlock icon and “Secure” label—while flagging HTTP sites as “Not Secure.” This visual cue significantly impacts user confidence and can directly affect conversion rates and user engagement.
Search engine optimization benefits are substantial. Google explicitly uses HTTPS as a ranking factor, meaning sites served over HTTPS receive preferential treatment in search results. This can significantly impact your site’s visibility and organic traffic.
Browser compatibility increasingly requires certificates. Modern browsers are progressively restricting features for non-HTTPS sites, including geolocation, camera access, and push notifications. Some browsers even block mixed content or display prominent warnings for HTTP sites.
Compliance requirements often mandate encryption. Many industry standards (PCI DSS, HIPAA, GDPR) require encrypted connections when handling sensitive data. Professional applications simply cannot operate legally without proper certificates in many regulated industries.
Now that it is clear why certificates are critical: if you are a DevOps engineer working on an AWS-based setup and need to issue SSL certificates for a domain and its subdomains, such as espressolabs.com and *.espressolabs.com, this guide is for you.
In this tutorial, we’ll use:
- Let’s Encrypt for free SSL certificates
- Certbot to automate the issuance
- Route 53 for DNS-01 validation
- Ubuntu EC2 instance
- AWS Console
📦 Step 1: Launch a Ubuntu EC2 Instance
- Go to https://console.aws.amazon.com/ec2
- Launch an instance:
  - AMI: Ubuntu Server 22.04 LTS
  - Instance type: t3.micro (free tier eligible)
  - Key pair: Create or use an existing one
  - Security group: Allow inbound SSH (port 22) and HTTP/HTTPS (ports 80 and 443)
- Launch the instance
🔐 Step 2: Create an IAM Role for Certbot DNS Access
Create a Custom Policy
- Go to IAM > Policies > Create policy
- Select the JSON tab
- Paste this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "*"
    }
  ]
}
- Click Next → Name it: CertbotRoute53DNSChallenge → Create policy
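The policy above grants route53:ChangeResourceRecordSets on every hosted zone in the account, which is more than the DNS-01 challenge needs. As an added check that is not part of the original tutorial, the following Python audits a pasted policy for that over-broad grant and builds the scoped form the certbot-dns-route53 plugin documentation recommends (one hosted zone ARN), further limited to TXT records with the AWS condition key route53:ChangeResourceRecordSetsRecordTypes. The hosted zone ID passed in is a placeholder; yours is shown by `aws route53 list-hosted-zones`.

```python
# The policy the tutorial pastes in Step 2: Resource "*" on every action.
TUTORIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["route53:ListHostedZones", "route53:GetChange",
                   "route53:ChangeResourceRecordSets"],
        "Resource": "*",
    }],
}


def scoped_certbot_policy(hosted_zone_id: str) -> dict:
    """Least-privilege variant: ListHostedZones and GetChange keep "*" (they
    take no resource ARN); record changes are limited to one hosted zone and
    to TXT records, which is all the DNS-01 challenge needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["route53:ListHostedZones", "route53:GetChange"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["route53:ChangeResourceRecordSets"],
             "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}",
             "Condition": {"ForAllValues:StringEquals": {
                 "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]}}},
        ],
    }


def _as_list(value) -> list:
    # IAM accepts either a string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def audit_route53_policy(policy: dict) -> list[str]:
    """Flag Allow statements that let ChangeResourceRecordSets touch every
    hosted zone, or every record type, in the account."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("route53:ChangeResourceRecordSets", "route53:*", "*")
                for a in actions):
            continue
        if "*" in _as_list(stmt.get("Resource")):
            findings.append("ChangeResourceRecordSets allowed on every hosted zone")
        if "Condition" not in stmt:
            findings.append("ChangeResourceRecordSets not limited to TXT records")
    return findings
```

Run `audit_route53_policy(TUTORIAL_POLICY)` to see both findings, and `json.dumps(scoped_certbot_policy("<your zone id>"), indent=2)` to get the JSON to paste into the IAM console instead.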
🧾 Create a New IAM Role for EC2
- Go to IAM > Roles > Create role
- Trusted entity: Select AWS service
- Use case: Choose EC2
- Click Next
- Attach the policy: CertbotRoute53DNSChallenge
- Name the role: CertbotEC2Role
- Click Create role
🔁 Attach the Role to Your EC2 Instance
- Go to EC2 > Instances
- Select your Ubuntu instance
- Click Actions → Security → Modify IAM Role
- Attach the role: CertbotEC2Role
- Click Update IAM Role
🧰 Step 3: Install Certbot with Route 53 Plugin
SSH into the EC2 instance:
ssh -i ~/.ssh/your-key.pem ubuntu@your-ec2-public-ip
Install Certbot and plugins:
# On Ubuntu 22.04 both packages are in the standard repositories; the old
# ppa:certbot/certbot PPA is no longer maintained and is not needed.
sudo apt update
sudo apt install -y certbot python3-certbot-dns-route53
🧪 Step 4: Test IAM Role and Permissions
Run the following to verify that the instance role works. No access keys need to be configured: the AWS CLI (and Certbot) pick up the role’s temporary credentials from the instance metadata service automatically.
sudo apt install -y awscli
aws sts get-caller-identity
aws route53 list-hosted-zones
✅ If this works — you’re ready to issue a wildcard certificate.
🔑 Step 5: Issue the Certificate
Use this command to issue a certificate for both the apex domain and wildcard:
sudo certbot certonly \
--dns-route53 \
-d "*.espressolabs.com" -d espressolabs.com \
--agree-tos \
--non-interactive \
--email devops@espressolabs.com
Certbot will:
- Query Route 53
- Create the necessary DNS TXT records
- Validate ownership
- Generate certificates and store them in /etc/letsencrypt/live/espressolabs.com/
🔁 Automate Renewal
Let’s Encrypt certs expire every 90 days. On Ubuntu the apt package already installs a systemd timer (certbot.timer) that runs certbot renew twice a day; if you prefer cron, or the timer is not present, set up automatic renewal as follows:
Create a cron job:
sudo crontab -e
Add:
0 2 * * * certbot renew --quiet --dns-route53
📂 Where to Find Your Certs
After issuance, your certificates are located in:
/etc/letsencrypt/live/espressolabs.com/
- fullchain.pem: certificate + intermediate chain
- privkey.pem: your private key
You can now use them in Nginx, Apache, Docker, or your app!
Summary
- Certbot can automatically manage DNS challenges using Route 53
- You need:
  - A proper IAM role on EC2
  - Correct permissions to change Route 53 DNS records
- Certificates are stored under /etc/letsencrypt
- You can issue wildcard certs (*.yourdomain.com) without touching DNS manually
Good luck 🥂