SSL – Automatically adding an SSL Certificate to a new AWS EC2 instance on creation

Tags: amazon-ec2, amazon-web-services, apache2, ssl

I've written a script that creates an AWS EC2 instance via API and I need to automate the install of the wildcard certificates to be used by this new instance for HTTPS via Apache.

Previously, I had this solved by running LetsEncrypt/CertBot on the user-data script being passed via API, but because of the TLS-SNI-01 vulnerability issues, I decided to get a proper wildcard certificate to my domain and I'm updating the script accordingly.

As such, I'm wondering which strategy would best fit my purpose. Ultimately, I would just need to copy the cert files to a certain folder on the newly created instance, but I'm afraid I might be just reinventing the wheel – does Amazon have any tool to facilitate this?

On the other hand, should I have to resort to simply copying files, what would be a good place to store them so that they could be obtained via the user-data script? AWS S3?

I'm fairly new to server deployment/configuration, especially on AWS, so any help would be very welcome.

Best Answer

While I agree with ceejayoz that the best option is to use an ALB or ELB for SSL offloading, if you must terminate at the EC2 level, you can do a one-time import of the certificate via the cli command 'aws acm import-certificate', documented at https://docs.aws.amazon.com/cli/latest/reference/acm/import-certificate.html. Then, during the startup of EC2 instances, download the cert via 'aws acm get-certificate', documented at https://docs.aws.amazon.com/cli/latest/reference/acm/get-certificate.html.
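As an added example (not the answer author's or AWS's code), here is the startup half of that approach as a user-data fragment: it pulls the certificate and chain with `aws acm get-certificate`, fetches the private key from an SSM Parameter Store SecureString because `get-certificate` returns only the certificate and its chain, never the key, and refuses to continue if any file lacks its PEM header. The parameter name, target directory, the `ACM_CERT_ARN` variable and the instance role's permissions are assumptions.

```shell
#!/bin/bash
# Added example, not the answer author's code: a user-data fragment that installs a
# certificate previously imported into ACM onto an Apache host.
# Assumptions: the instance role may call acm:GetCertificate and ssm:GetParameter, and the
# private key was stored separately as an SSM SecureString parameter, because
# `aws acm get-certificate` returns only the certificate and its chain, never the key.
set -eu

KEY_PARAM="${KEY_PARAM:-/example/wildcard/private-key}"   # assumed parameter name
CERT_DIR="${CERT_DIR:-/etc/ssl/example}"                  # assumed target directory

# One PEM field (Certificate or CertificateChain) of the ACM certificate, as text.
fetch_acm_field() {
  local arn="$1" field="$2"
  aws acm get-certificate --certificate-arn "$arn" --query "$field" --output text
}

# The decrypted private key from SSM Parameter Store.
fetch_private_key() {
  aws ssm get-parameter --name "$1" --with-decryption --query Parameter.Value --output text
}

# Write cert, chain, fullchain and key into $dir; the key is never world-readable.
# Fails (non-zero) if any file lacks its PEM header, so a bad fetch stops user-data.
install_cert_files() {
  local dir="$1" arn="$2" key_param="$3"
  install -d -m 0755 "$dir"
  fetch_acm_field "$arn" Certificate      > "$dir/cert.pem"
  fetch_acm_field "$arn" CertificateChain > "$dir/chain.pem"
  cat "$dir/cert.pem" "$dir/chain.pem"    > "$dir/fullchain.pem"
  (umask 077; fetch_private_key "$key_param" > "$dir/privkey.pem")
  grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/cert.pem"      || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/chain.pem"     || return 1
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$dir/privkey.pem" || return 1
  chmod 0644 "$dir/cert.pem" "$dir/chain.pem" "$dir/fullchain.pem"
  chmod 0600 "$dir/privkey.pem"
}

# Apache 2.4.8+ directives for the files above, to be Included from the :443 vhost.
apache_ssl_directives() {
  printf 'SSLCertificateFile %s/fullchain.pem\nSSLCertificateKeyFile %s/privkey.pem\n' "$1" "$1"
}

# Runs only when ACM_CERT_ARN was exported earlier in the user-data script.
main() {
  install_cert_files "$CERT_DIR" "$ACM_CERT_ARN" "$KEY_PARAM"
  apache_ssl_directives "$CERT_DIR" > "$CERT_DIR/apache-ssl.conf"
}
if [ -n "${ACM_CERT_ARN:-}" ]; then main; fi
```

The private key is provisioned to Parameter Store once, alongside the one-time import step. Re-importing a renewed certificate under the same ARN means new instances pick it up with no change to the script.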