Create Server Certificate (LetsEncrypt)
Check your selected region
Make sure you have selected the desired region, ex: US East (N. Virginia) us-east-1.
Follow the Launch EC2 Instance guide to launch an Amazon Linux 2 instance in a VPC with an attached Internet Gateway.
After logging into the launched EC2 instance via SSH, install certbot to interact with LetsEncrypt.
```sh
sudo amazon-linux-extras install -y epel
sudo yum install -y certbot
```
Then issue the wildcard certificate, such as *.example.aklivity.io (the domain is quoted so the shell does not treat the asterisk as a glob):
```sh
sudo certbot -d '*.example.aklivity.io' --manual --preferred-challenges dns --key-type rsa certonly
```
This will require you to respond to the challenge by adding a custom DNS record proving ownership of the wildcard domain, such as *.example.aklivity.io.
When certbot completes, the relevant files for the certificate chain and private key have been generated, called fullchain.pem and privkey.pem.
```
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.aklivity.io/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.aklivity.io/privkey.pem
```
Now we need to prepare the secret value by combining these together:
```sh
touch wildcard.example.aklivity.io.pem
sudo cat /etc/letsencrypt/live/example.aklivity.io/privkey.pem >> wildcard.example.aklivity.io.pem
sudo cat /etc/letsencrypt/live/example.aklivity.io/fullchain.pem >> wildcard.example.aklivity.io.pem
```
Then we can create the secret, for example:
```sh
aws secretsmanager create-secret \
  --region us-east-1 \
  --name wildcard.example.aklivity.io \
  --secret-string file://wildcard.example.aklivity.io.pem
```
Info: Note the returned secret ARN as it will be needed later.

Warning: LetsEncrypt certificates are valid for 90 days, so you will need to renew the certificate and the secret-string value accordingly before expiration. The latest secret value is obtained automatically upon restarting the Zilla proxy instance.
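The bundling, publishing and renewal steps above, as an added example that is not part of the Zilla docs or the project's own tooling. It assumes the certbot live paths shown on this page and treats the secret name and region as placeholders; the sanity checks on the bundle and the create-or-update branch used at renewal time are additions.

```shell
#!/bin/sh
# Added example (not from the Zilla docs): build the PEM bundle the page
# describes and publish it to Secrets Manager, reusing the same function
# at renewal time. Paths, secret name and region are placeholders.

# bundle_pem PRIVKEY FULLCHAIN OUT
# Writes the key first, then the chain (the order used above), with owner-only
# permissions because the bundle carries the private key. Prints the number of
# certificate blocks and fails if the key block is missing or duplicated, which
# catches a wrong path or a double append during a renewal.
bundle_pem() {
  privkey=$1; fullchain=$2; out=$3
  ( umask 077; rm -f "$out"; cat "$privkey" "$fullchain" > "$out" ) || return 1
  keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$out" || true)
  certs=$(grep -c 'BEGIN CERTIFICATE' "$out" || true)
  if [ "$keys" -ne 1 ]; then
    echo "bundle must contain exactly one private key, found $keys" >&2
    return 1
  fi
  if [ "$certs" -lt 1 ]; then
    echo "bundle contains no certificate blocks" >&2
    return 1
  fi
  echo "$certs"
}

# publish_secret NAME REGION FILE
# First run creates the secret; later runs store a new version, which is how
# the renewed 90-day certificate replaces the expiring one before Zilla restarts.
publish_secret() {
  name=$1; region=$2; file=$3
  if aws secretsmanager describe-secret --region "$region" --secret-id "$name" >/dev/null 2>&1; then
    aws secretsmanager put-secret-value --region "$region" --secret-id "$name" \
      --secret-string "file://$file"
  else
    aws secretsmanager create-secret --region "$region" --name "$name" \
      --secret-string "file://$file"
  fi
}

# Usage on the EC2 instance (placeholder values; run with sudo so the certbot
# live files are readable), for example from a certbot --deploy-hook script:
#   live=/etc/letsencrypt/live/example.aklivity.io
#   bundle_pem "$live/privkey.pem" "$live/fullchain.pem" wildcard.example.aklivity.io.pem
#   publish_secret wildcard.example.aklivity.io us-east-1 wildcard.example.aklivity.io.pem
```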