require "acme/client"
require "aws-sdk"
require "openssl"
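# Obtains a Let's Encrypt certificate for a single domain via the DNS-01
# challenge (Route53), uploads it to IAM and attaches it to an ELB's 443
# listener. The ACME account key is kept KMS-encrypted in S3.
#
# All AWS clients use the SDK's default credential chain; the caller's
# identity needs S3 get/put, KMS encrypt/decrypt on `kms_key_id`, Route53
# change/get-change on `hosted_zone_id`, IAM server-certificate management
# and ELB listener updates.
class LetsEncryptRoute53
  # ACME directory endpoints (select one via `endpoint:`).
  # NOTE(review): these are the v1 Let's Encrypt URLs; whether they are still
  # served depends on the acme-client version the project pins — confirm.
  STAGING = "https://acme-staging.api.letsencrypt.org/"
  PRODUCTION = "https://acme-v01.api.letsencrypt.org/"

  # Polling bounds. Every wait loop is capped so that a Route53 change that
  # never reaches INSYNC, a challenge that is never validated, or an IAM cert
  # the ELB never sees fails the run instead of spinning forever.
  ROUTE53_SYNC_ATTEMPTS = 150 # x ROUTE53_SYNC_INTERVAL => ~5 minutes
  ROUTE53_SYNC_INTERVAL = 2
  CHALLENGE_ATTEMPTS = 300    # x CHALLENGE_INTERVAL => ~5 minutes
  CHALLENGE_INTERVAL = 1
  ELB_CERT_ATTEMPTS = 5       # x ELB_CERT_INTERVAL => ~50 seconds
  ELB_CERT_INTERVAL = 10

  attr_accessor :endpoint, # STAGING or PRODUCTION
    :domain, # Domain we're obtaining a certificate for
    :s3_bucket, :s3_key, # Where should we store the LE private key
    :kms_key_id, # Which KMS key to encrypt the LE pkey?
    :contact_email, # LE Registration email
    :hosted_zone_id, # Route53 Zone for domain, eg "Z34Y2JMNKJ3H4S"
    :load_balancer_name # ELB to attach the cert

  # @param endpoint [String] ACME directory URL, defaults to STAGING so a
  #   misconfigured run does not consume production rate limits.
  def initialize(endpoint: STAGING)
    @endpoint = endpoint
  end

  # Do everything: register the account key if needed, prove control of the
  # domain via a Route53 TXT record, issue the cert, install it on the ELB,
  # prune superseded IAM certs and remove the challenge record.
  #
  # @raise [RuntimeError] when a required attribute is blank or a wait bound
  #   (Route53 sync, challenge validation, ELB cert visibility) is exceeded
  def refresh_certificate!
    register_key if key_needs_registered?
    _authorization, challenge = obtain_authorization
    set_dns_record(challenge)
    request_dns_verification(challenge)
    csr = generate_certificate_signing_request
    certificate = request_certificate(csr)
    iam_cert = upload_server_cert(certificate)
    update_elb(iam_cert)
    cleanup_old_certs(certificate)
    remove_dns_verification_record(challenge)
  end

  # The ACME account key, loaded (and KMS-decrypted) from S3 or freshly
  # generated and uploaded when absent. Memoized for the life of the object.
  #
  # @return [OpenSSL::PKey::RSA]
  def private_key
    @private_key ||=
      say "preparing the private key" do
        key = fetch_and_decrypt_key
        if key
          # A key that already lives in S3 is assumed to have been registered
          # with the CA by the run that created it.
          mark_key_as_registered
          key
        else
          puts "Doesn't seem to exist in S3, creating a new one."
          generate_and_upload_key
        end
      end
  end

  # Registers the account key with the CA and accepts its terms of service.
  #
  # @raise [RuntimeError] if contact_email is blank
  def register_key
    require_attrs! :contact_email
    say "registering key with LetEncrypt" do
      registration = acme.register(contact: "mailto:#{contact_email}")
      registration.agree_terms
    end
  end

  # Asks the CA for an authorization for `domain` and picks its DNS-01 challenge.
  #
  # @return [Array] [authorization, dns01 challenge]
  # @raise [RuntimeError] if domain is blank
  def obtain_authorization
    require_attrs! :domain
    say "obtaining authorization for #{domain}" do
      authorization = acme.authorize(domain: domain)
      challenge = authorization.dns01
      [authorization, challenge]
    end
  end

  # Publishes the challenge TXT record in Route53 and waits for it to sync.
  #
  # @param challenge the DNS-01 challenge from #obtain_authorization
  # @return the ChangeResourceRecordSets response
  # @raise [RuntimeError] if required attrs are blank or the change never syncs
  def set_dns_record(challenge)
    require_attrs! :domain, :hosted_zone_id
    change = challenge_record_change(challenge, action: "UPSERT", comment: "Add LetsEncrypt DNS01 challenge")
    say "applying Route53 Record change" do
      apply_route53_change(change)
    end
  end

  # Tells the CA to validate the challenge and polls until it is "valid".
  #
  # @raise [RuntimeError] if the CA marks the challenge "invalid" (a rejected
  #   challenge never recovers, so waiting further is pointless) or the
  #   CHALLENGE_ATTEMPTS bound is exceeded
  def request_dns_verification(challenge)
    say "requesting verification" do
      challenge.request_verification
      poll_until(attempts: CHALLENGE_ATTEMPTS, interval: CHALLENGE_INTERVAL,
                 failure: "DNS01 challenge for #{domain} was not validated in time") do
        status = challenge.verify_status
        fail "DNS01 challenge for #{domain} was rejected (status: #{status})" if status == "invalid"
        status == "valid"
      end
    end
  end

  # Builds a CSR (with a fresh leaf key, generated by acme-client) for `domain`.
  #
  # @return [Acme::Client::CertificateRequest]
  # @raise [RuntimeError] if domain is blank
  def generate_certificate_signing_request
    require_attrs! :domain
    Acme::Client::CertificateRequest.new(names: [domain])
  end

  # Submits the CSR and returns the issued certificate.
  def request_certificate(csr)
    say "requesting certificate" do
      acme.new_certificate(csr)
    end
  end

  # Uploads the issued certificate, its (leaf) private key and chain to IAM
  # under a name derived from serial, expiry and domain (see #iam_cert_name).
  #
  # @return the UploadServerCertificate response
  # @raise [RuntimeError] if domain is blank
  def upload_server_cert(certificate)
    require_attrs! :domain
    cert_name = iam_cert_name(certificate)
    say "Uploading Server Certificate to IAM" do
      iam.upload_server_certificate(
        server_certificate_name: cert_name,
        certificate_body: certificate.to_pem,
        private_key: certificate.request.private_key.to_pem,
        certificate_chain: certificate.chain_to_pem
      )
    end
  end

  # Points the ELB's 443 listener at the uploaded IAM certificate.
  #
  # @param iam_cert the UploadServerCertificate response
  # @raise [Aws::ElasticLoadBalancing::Errors::CertificateNotFound] if the
  #   ELB still cannot see the cert after ELB_CERT_ATTEMPTS retries
  # @raise [RuntimeError] if load_balancer_name is blank
  def update_elb(iam_cert)
    require_attrs! :load_balancer_name
    say "Updating ELB to use cert" do
      tries = 0
      begin
        print "."
        elb.set_load_balancer_listener_ssl_certificate(
          load_balancer_name: load_balancer_name,
          load_balancer_port: 443,
          ssl_certificate_id: iam_cert.server_certificate_metadata.arn
        )
      rescue Aws::ElasticLoadBalancing::Errors::CertificateNotFound
        # A freshly uploaded IAM cert may not be visible to ELB yet; retry
        # a bounded number of times before giving up.
        tries += 1
        raise if tries > ELB_CERT_ATTEMPTS
        sleep ELB_CERT_INTERVAL
        retry
      end
    end
  end

  # Deletes IAM server certificates for this domain other than `current_cert`.
  # Certs still attached to a listener (DeleteConflict) are left for next time.
  #
  # @raise [RuntimeError] if domain is blank
  def cleanup_old_certs(current_cert)
    require_attrs! :domain
    current_cert_name = iam_cert_name(current_cert)
    # iam_cert_name ends in the domain with dots replaced by underscores.
    suffix = "-#{domain.gsub(".", "_")}"
    say "Cleaning up previous certs" do
      each_server_certificate do |server_cert|
        name = server_cert.server_certificate_name
        next if name == current_cert_name || !name.end_with?(suffix)
        begin
          iam.delete_server_certificate(server_certificate_name: name)
        rescue Aws::IAM::Errors::DeleteConflict
          # Key in use, we'll delete it next time
        end
      end
    end
  end

  # Removes the challenge TXT record from Route53 and waits for the change to sync.
  #
  # @return the ChangeResourceRecordSets response
  # @raise [RuntimeError] if required attrs are blank or the change never syncs
  def remove_dns_verification_record(challenge)
    require_attrs! :hosted_zone_id, :domain
    change = challenge_record_change(challenge, action: "DELETE", comment: "Remove LetsEncrypt DNS01 challenge")
    say "removing Route53 txt Record" do
      apply_route53_change(change)
    end
  end

  private

  # True once the account key is loaded and has not been registered this run.
  def key_needs_registered?
    private_key && !@key_already_registered
  end

  def mark_key_as_registered
    @key_already_registered = true
  end

  # Loads the KMS-wrapped account key from S3 and decrypts it.
  #
  # @return [OpenSSL::PKey::RSA, nil] nil when the S3 object does not exist
  # @raise [RuntimeError] if s3_bucket or s3_key is blank
  def fetch_and_decrypt_key
    require_attrs! :s3_bucket, :s3_key
    say "fetching key from S3" do
      ciphertext = s3.get_object(bucket: s3_bucket, key: s3_key).body.read
      # NOTE(review): the ciphertext is decrypted with whatever CMK it was
      # wrapped under; nothing here asserts it was `kms_key_id` — confirm
      # that is acceptable, or check the Decrypt response's key_id.
      plaintext = kms.decrypt(ciphertext_blob: ciphertext).plaintext
      OpenSSL::PKey::RSA.new(plaintext)
    end
  rescue Aws::S3::Errors::NoSuchKey
    nil
  end

  # Generates a 4096-bit RSA account key, wraps it with KMS and stores the
  # ciphertext in S3. The plaintext key never leaves the process.
  #
  # @return [OpenSSL::PKey::RSA]
  # @raise [RuntimeError] if s3_bucket, s3_key or kms_key_id is blank
  def generate_and_upload_key
    require_attrs! :s3_bucket, :s3_key, :kms_key_id
    say "generating a new key and uploading to S3" do
      key = OpenSSL::PKey::RSA.new(4096)
      # Whole-PEM KMS encrypt (not envelope encryption); only viable because
      # the PEM stays under the KMS Encrypt plaintext size limit.
      ciphertext = kms.encrypt(plaintext: key.to_pem, key_id: kms_key_id).ciphertext_blob
      s3.put_object(bucket: s3_bucket, key: s3_key, body: ciphertext)
      key
    end
  end

  # Builds the Route53 change batch for the challenge's TXT record.
  #
  # @param action [String] "UPSERT" or "DELETE"
  # @param comment [String] free-text comment stored with the change
  def challenge_record_change(challenge, action:, comment:)
    {
      hosted_zone_id: hosted_zone_id,
      change_batch: {
        comment: comment,
        changes: [
          {
            action: action,
            resource_record_set: {
              name: [challenge.record_name, domain].join("."),
              type: challenge.record_type,
              ttl: 1,
              # Route53 TXT values must be double-quoted; inspect adds the
              # quotes (record_content is expected to be base64url, so no
              # escaping is introduced).
              resource_records: [{ value: challenge.record_content.inspect }]
            }
          }
        ]
      }
    }
  end

  # Submits a Route53 change and blocks until it reports INSYNC.
  #
  # @return the ChangeResourceRecordSets response
  # @raise [RuntimeError] if ROUTE53_SYNC_ATTEMPTS is exceeded
  def apply_route53_change(change)
    resp = route53.change_resource_record_sets(change)
    change_id = resp.change_info.id
    # It can take 10-20 seconds to apply, so wait for it
    poll_until(attempts: ROUTE53_SYNC_ATTEMPTS, interval: ROUTE53_SYNC_INTERVAL,
               failure: "Route53 change #{change_id} did not reach INSYNC in time") do
      route53.get_change(id: change_id).change_info.status == "INSYNC"
    end
    resp
  end

  # Yields until the block returns truthy, printing a dot per attempt.
  #
  # @param attempts [Integer] maximum number of block evaluations
  # @param interval [Numeric] seconds to sleep between attempts
  # @param failure [String] message raised when attempts run out
  # @return the first truthy block result
  # @raise [RuntimeError] when the bound is exceeded
  def poll_until(attempts:, interval:, failure:)
    attempts.times do
      print "."
      result = yield
      return result if result
      sleep interval
    end
    fail failure
  end

  # Iterates every IAM server certificate, following the Marker/IsTruncated
  # pagination so certs beyond the first page are not silently skipped.
  def each_server_certificate
    marker = nil
    loop do
      params = marker ? { marker: marker } : {}
      page = iam.list_server_certificates(params)
      page.server_certificate_metadata_list.each { |server_cert| yield server_cert }
      break unless page.is_truncated
      marker = page.marker
    end
  end

  # ACME client bound to the account key; memoized so each call does not
  # rebuild the client (and re-trigger the key lookup).
  def acme
    @acme ||= Acme::Client.new(private_key: private_key, endpoint: endpoint)
  end

  # IAM server-certificate name: "<serial>-<notAfter YYYYmmddHHMMSS>-<domain>"
  # with dots replaced by underscores. #cleanup_old_certs relies on the
  # "-<domain>" suffix to recognise this domain's certs.
  def iam_cert_name(certificate)
    [
      certificate.x509.serial.to_s,
      certificate.x509.not_after.strftime("%Y%m%d%H%M%S"),
      domain
    ].join('-').gsub(".", "_")
  end

  # AWS clients, memoized; all pick up the SDK default credential chain.
  def elb
    @elb ||= Aws::ElasticLoadBalancing::Client.new
  end

  def iam
    @iam ||= Aws::IAM::Client.new
  end

  def kms
    @kms ||= Aws::KMS::Client.new
  end

  def route53
    @route53 ||= Aws::Route53::Client.new
  end

  def s3
    @s3 ||= Aws::S3::Client.new
  end

  # Fails fast when any of the named accessors is nil/blank.
  #
  # @raise [RuntimeError] naming the attributes that are missing
  def require_attrs!(*attrs)
    missing = attrs.reject { |attr| attr_present?(public_send(attr)) }
    fail "#{missing.inspect} are required" unless missing.empty?
  end

  # Blank-check without ActiveSupport: nil, false, whitespace-only strings and
  # empty collections are not "present".
  def attr_present?(value)
    case value
    when nil, false then false
    when String then !value.strip.empty?
    else !(value.respond_to?(:empty?) && value.empty?)
    end
  end

  # Pretty-print whats happening. Also prints the timing if given a block.
  # The indent level is restored in `ensure` so a raising block does not
  # leave every subsequent message over-indented.
  #
  # @return the block's result, or nil when no block is given
  def say(*msgs)
    @indent_level ||= -2
    @indent_level += 2
    print " " * @indent_level
    puts msgs.join(" ")
    return unless block_given?
    print " " * @indent_level
    started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    result = yield
    puts "=> %0.2fs" % (Process.clock_gettime(Process::CLOCK_MONOTONIC) - started)
    result
  ensure
    @indent_level -= 2
  end
end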