Streamlining SSL Certificate Management with AWS CodePipeline, CodeBuild, and Let's Encrypt
As more applications require secure connections, managing SSL certificates has become vital for developers and operations teams. This blog post shows how to automate obtaining public SSL certificates from Let's Encrypt, uploading them to AWS Certificate Manager (ACM), and storing them in a private S3 bucket using AWS CodePipeline and CodeBuild. We will explore use cases, benefits, and why complete automation of this process matters.
Use Cases
Web Applications and APIs
Securing web applications and APIs is essential to protect sensitive user data and maintain trust. Utilizing Let's Encrypt, AWS CodePipeline, and CodeBuild to manage SSL certificates ensures your applications and APIs are always secure with up-to-date certificates.
Internal Tools and Services
Secure connections are vital for internal tools and services, especially when handling sensitive data. By automating the SSL certificate management process, you can minimize the risk of security breaches within your organization.
Multi-Tenant SaaS Applications
In a multi-tenant SaaS environment, each tenant may require its own SSL certificate. Automating the certificate management process with AWS CodePipeline and CodeBuild makes the application easier to maintain and scale.
Benefits
Cost Savings
Let's Encrypt provides free SSL certificates, allowing you to reduce costs associated with purchasing and renewing certificates from commercial Certificate Authorities (CAs).
Time Savings
Automation through AWS CodePipeline and CodeBuild eliminates the need for manual certificate management, saving time and reducing the risk of human error.
Improved Security
Automating the certificate renewal process ensures that your SSL certificates are always up-to-date, reducing the risk of expired certificates and potential security vulnerabilities.
Scalability
The automated pipeline can scale to handle multiple certificates across different environments, domains, and applications without requiring additional manual intervention.
Complete Automation with AWS CodePipeline and CodeBuild
AWS CodePipeline
AWS CodePipeline is a continuous delivery service that allows you to automate your release pipelines for fast and reliable application updates. In this use case, it will manage obtaining SSL certificates and uploading them to the appropriate services.
AWS CodeBuild
AWS CodeBuild is a fully managed build service that compiles your source code, runs tests, and produces software packages ready for deployment. In this scenario it executes the scripts and commands that interact with Let's Encrypt, ACM, and S3.
Check out the sample buildspec.yml:
version: 0.2
# Run the commands under bash so the [[ ... ]] tests below are valid.
env:
  shell: bash
phases:
  install:
    runtime-versions:
      python: 3.9
    commands:
      - echo 'Installing certbot'
      - sudo yum install python3-certbot certbot-dns-route53 -y
  build:
    commands:
      - echo 'Creating DOMAIN variable'
      - echo $CODEBUILD_SOURCE_VERSION
      # Derive the branch from CODEBUILD_SOURCE_VERSION (refs/heads/<branch> for Git sources, an S3 ARN otherwise).
      # An unrecognised format fails the build instead of continuing with an empty BRANCH.
      - if [[ $CODEBUILD_SOURCE_VERSION = refs* ]]; then export BRANCH="$(echo "$CODEBUILD_SOURCE_VERSION" | awk -F/ '{print $3}')"; elif [[ $CODEBUILD_SOURCE_VERSION = arn* ]]; then export BRANCH="$(echo "$CODEBUILD_SOURCE_VERSION" | awk -F/ '{print $2}' | sed 's/.*_//')"; else echo "Error: unrecognised source version"; exit 1; fi
      - echo $BRANCH
      - if [[ $BRANCH == dev ]] ; then export DOMAIN="app.bmdhealthapp-dev.com" ; elif [[ $BRANCH == master ]] ; then export DOMAIN="app.bmdhealth.app"; else echo "Error: no domain mapped for branch $BRANCH"; exit 1; fi
      - echo $DOMAIN
      - echo 'Running certbot'
      # DNS-01 challenge via Route 53: the build role must be allowed to create and delete the _acme-challenge TXT record in the hosted zone.
      - certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d $DOMAIN --non-interactive --agree-tos -m admin@bmdhealth.app
      - echo 'Importing certificate to ACM'
      - ACM_ARN=$(aws --region $AWS_REGION acm list-certificates --output text --query "CertificateSummaryList[?DomainName=='$DOMAIN'].CertificateArn")
      - echo $ACM_ARN
      # On the first run no certificate exists yet, so import without --certificate-arn (an empty value would make the command fail).
      # Later runs re-import into the existing ARN so load balancers and distributions pick up the renewed certificate in place.
      - if [[ -n "$ACM_ARN" ]]; then ARN_ARG="--certificate-arn $ACM_ARN"; else ARN_ARG=""; fi
      - aws --region $AWS_REGION acm import-certificate $ARN_ARG --certificate file:///etc/letsencrypt/live/$DOMAIN/cert.pem --certificate-chain file:///etc/letsencrypt/live/$DOMAIN/chain.pem --private-key file:///etc/letsencrypt/live/$DOMAIN/privkey.pem
      - if [[ $BRANCH == dev ]] ; then export ENVIRON=dev ; elif [[ $BRANCH == master ]] ; then export ENVIRON=prod; else echo "Error: no environment mapped for branch $BRANCH"; exit 1; fi
      # The private key is uploaded too, so the bucket must block public access and restrict reads to the roles that consume it.
      - aws s3 cp /etc/letsencrypt/live/$DOMAIN/privkey.pem s3://bmdhealth-"$ENVIRON"-certificates
      - aws s3 cp /etc/letsencrypt/live/$DOMAIN/cert.pem s3://bmdhealth-"$ENVIRON"-certificates
  post_build:
    commands:
      - test "$CODEBUILD_BUILD_SUCCEEDING" = "1"
Integrating with Let's Encrypt
Let's Encrypt issues and renews SSL certificates over the ACME protocol. In the buildspec above, certbot with the dns-route53 plugin proves control of the domain by creating a DNS TXT record in Route 53 (the DNS-01 challenge), which needs no web server on the build host. Running this step from the pipeline automates the entire certificate management process, and because Let's Encrypt certificates are short-lived, the pipeline has to run on a schedule (or on each deployment) so renewals happen before expiry.
Uploading to AWS Certificate Manager
Once the SSL certificate is obtained from Let's Encrypt, CodeBuild will upload it to AWS Certificate Manager, making it available for use with AWS services such as CloudFront, Elastic Load Balancing, and API Gateway.
Storing Certificates in a Private S3 Bucket
After uploading the certificate to ACM, the pipeline also copies the certificate and its private key to a private S3 bucket for the environment. This makes them available to applications that cannot consume ACM directly, while the bucket's access policy keeps them restricted to those applications.
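The decisions the buildspec makes inline (branch to environment and domain, first import versus re-import into ACM, S3 destination) as small POSIX sh functions that fail instead of continuing with empty variables. This is an added example, not code from the original post; the domain names and bucket prefix are the post's, while the ACM ARN and source-version strings are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post). Domain names and bucket
# prefix come from the post's buildspec; the ARN and source-version values
# used in the demo at the bottom are constructed.

# refs/heads/<branch> is what CodeBuild sets for Git sources; anything else is rejected.
branch_from_source_version() {
  case "$1" in
    refs/heads/*) printf '%s\n' "${1#refs/heads/}" ;;
    *) echo "unrecognised CODEBUILD_SOURCE_VERSION: $1" >&2; return 1 ;;
  esac
}

# Branch -> (environment, domain); an unmapped branch is an error, not an empty string.
env_for_branch() {
  case "$1" in
    dev) echo dev ;; master) echo prod ;;
    *) echo "no environment for branch '$1'" >&2; return 1 ;;
  esac
}
domain_for_branch() {
  case "$1" in
    dev) echo app.bmdhealthapp-dev.com ;; master) echo app.bmdhealth.app ;;
    *) echo "no domain for branch '$1'" >&2; return 1 ;;
  esac
}

# Arguments for `aws acm import-certificate`. $1 = ARN of an existing
# certificate for the domain (empty on the first run), $2 = domain.
# --certificate-arn is passed only when one exists, so the same command
# serves the initial import and every in-place renewal afterwards.
acm_import_args() {
  live="/etc/letsencrypt/live/$2"
  args="--certificate file://$live/cert.pem --certificate-chain file://$live/chain.pem --private-key file://$live/privkey.pem"
  [ -n "$1" ] && args="--certificate-arn $1 $args"
  printf '%s\n' "$args"
}

# One private bucket per environment, matching the buildspec's s3 cp lines.
s3_destination() {
  e=$(env_for_branch "$1") || return 1
  printf 's3://bmdhealth-%s-certificates/\n' "$e"
}

# Walk a constructed dev build through the decisions.
branch=$(branch_from_source_version refs/heads/dev) || exit 1
domain=$(domain_for_branch "$branch") || exit 1
echo "branch=$branch domain=$domain bucket=$(s3_destination "$branch")"
echo "first run: aws acm import-certificate $(acm_import_args '' "$domain")"
echo "renewal:   aws acm import-certificate $(acm_import_args arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE "$domain")"
```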
Automating SSL certificate management with AWS CodePipeline, CodeBuild, and Let's Encrypt is an efficient way to keep your applications and services secure and compliant. By leveraging these services, you can reduce costs, save time, and improve overall security while retaining the ability to scale as needed.