Support for deploying certificates to AWS Certificate Manager And S3
This supersedes https://github.com/Neilpang/acme.sh/pull/1313 because it's easier for me to keep rebased 🙂
Support deploying certificates to Amazon Certificate Manager And S3
- Rewrite AWS request signing code to support custom headers (required for ACM API)
- Move AWS credential detection into an AWS library and have it automatically populate on an AWS service call
- Library currently supports `acm`, `r53` and `s3` - is designed to be easily extensible to other AWS service APIs as required
- Support deploying a certificate to multiple regions (`AWS_ACM_REGIONS=us-east-1,us-west-2`)
- Tweaks the `dns_aws` plugin to use the new AWS library
- Support up to 9 headers in `_get` and `_post` (AWS ACM needs 6 when using roles)
- Updated READMEs to fully document new features
- Tested:
  - using AWS environment variables
  - using AWS instance roles
  - creating a cert (ACMEv1) using `dns_aws` and deploying it using `aws_acm`
  - creating a wildcard cert (ACMEv2) using `dns_aws`
  - deploying a cert using `aws_acm`
  - deploying a cert using `aws_s3`
This is a large changeset, and so to help offset this the commits have been logically separated and ordered to make review easier. It's highly recommended to view them one at a time as understanding the earlier ones will make understanding later commits much easier.
Note on Stability
We have been using these changes (rebased on stable releases) in our production environment since April 2018, and haven't encountered any issues with issuance using R53 or deployment to ACM or S3. Please let me know if I can offer any assistance to aid with understanding and/or getting this merged. Thanks for a great project!
Basic IAM permissions required to deploy to ACM
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:ImportCertificate",
        "acm:ListCertificates"
      ],
      "Resource": "*"
    }
  ]
}
```
Basic IAM permissions required to deploy to S3
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3::*:<bucket>/*"
    }
  ]
}
```
Replace <bucket> with the name of the S3 bucket destination.
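The first bullet of the description, a request signer that handles an arbitrary caller-supplied header set, as an added example that is not acme.sh's or this PR's code. It assumes `openssl` and POSIX tools are on the PATH; the function names and the credential, date and header values are constructed placeholders (the credentials are the well-known sample values from the AWS SigV4 documentation), and nothing is sent over the network.

```shell
#!/bin/sh
# Added example, not acme.sh code: a minimal AWS Signature V4 signer whose
# canonical request is built from whatever headers the caller passes in.
# Only openssl and POSIX tools are used; all inputs are constructed.

_sha256_hex() { printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.* //'; }
# $1 = hex-encoded key, $2 = message; prints the hex HMAC-SHA256
_hmac_hex() { printf '%s' "$2" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | sed 's/^.* //'; }
_to_hex() { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'; }

# Canonical header form: lower-case names, trimmed values, sorted by name.
# $1 = newline-separated "Name: value" lines, any number, any order.
_canon_headers() {
  printf '%s\n' "$1" | awk 'NF { i = index($0, ":"); n = tolower(substr($0, 1, i - 1));
    v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print n ":" v }' | LC_ALL=C sort
}
_signed_headers() { _canon_headers "$1" | sed 's/:.*//' | paste -s -d ';' -; }

# aws4_canonical_request METHOD PATH QUERY PAYLOAD HEADERS
aws4_canonical_request() {
  printf '%s\n%s\n%s\n%s\n\n%s\n%s' "$1" "$2" "$3" \
    "$(_canon_headers "$5")" "$(_signed_headers "$5")" "$(_sha256_hex "$4")"
}

# aws4_sign METHOD PATH QUERY PAYLOAD HEADERS AMZDATE REGION SERVICE KEY_ID SECRET
# Prints the Authorization header value. The secret itself is never placed in
# the request; only the HMAC chain derived from it is.
aws4_sign() {
  amzdate=$6 region=$7 service=$8
  day=$(printf '%s' "$amzdate" | cut -c1-8)
  scope="$day/$region/$service/aws4_request"
  creq=$(aws4_canonical_request "$1" "$2" "$3" "$4" "$5")
  sts=$(printf 'AWS4-HMAC-SHA256\n%s\n%s\n%s' "$amzdate" "$scope" "$(_sha256_hex "$creq")")
  # Derive the per-day/region/service signing key from "AWS4" + secret key
  k=$(_hmac_hex "$(_to_hex "AWS4${10}")" "$day")
  k=$(_hmac_hex "$k" "$region")
  k=$(_hmac_hex "$k" "$service")
  k=$(_hmac_hex "$k" "aws4_request")
  printf 'AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s\n' \
    "$9" "$scope" "$(_signed_headers "$5")" "$(_hmac_hex "$k" "$sts")"
}
```

Adding a header such as a session token to the header list changes both `SignedHeaders` and the signature, which is why a fixed-header signer cannot serve the role-credential case the PR describes.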
@Neilpang on the original PR for this work you mentioned that you needed to think about it a bit. As the year comes to a close it'd be good to know if you're still potentially interested in merging it. If the answer is yes, great! Let me know what, if anything, needs to change; but if not, no worries, I'll probably move it to an easier-to-maintain environment since it now forms the core part of our certificate infrastructure.
As always thanks for building and maintaining acme.sh, it really is an excellent project and very much appreciated!
Sorry, it's been a long time. Please rebase and review the changes. Make sure all the changes are intended and working.
I will review soon. Thanks.
I just wanted to ask when the PR will be merged? I am waiting and waiting (already for #1313), but nothing happens :-)
The readme is going to keep changing, and this is going to keep creating conflicts. @Neilpang let me know when you're ready to merge and I'll rebase it a final time.
Rebased a (hopefully) final time now that it won't conflict with the deploy readme. /cc @Neilpang 🙂
Deploy hook doc additions
https://github.com/Neilpang/acme.sh/wiki/deployhooks
## <?>. Deploy the cert to AWS ACM
Ensure your access key owner or role has a policy attached that allows the
actions `acm:ListCertificates` and `acm:ImportCertificate`. Role credentials
will be picked up automatically from EC2 instances and ECS containers, in other
cases you must set `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in your
environment.
```sh
export AWS_ACM_REGIONS="us-east-1,us-west-2"
acme.sh --deploy -d ftp.example.com --deploy-hook aws_acm
```
## <?>. Deploy the cert to AWS S3
Ensure your access key owner or role has a policy attached that allows the
actions `s3:PutObject` on your chosen bucket. Role credentials will be picked
up automatically from EC2 instances and ECS containers, in other cases you must
set `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in your environment.
The special variable `%cn` in `AWS_S3_PREFIX` can be used to reference the
domain/common name of the certificate. If no prefix is supplied, files will be
placed in the root of the bucket.
```sh
export AWS_S3_BUCKET="acme.example.com"
export AWS_S3_PREFIX="%cn/www"
export AWS_S3_REGION="us-east-1"
acme.sh --deploy -d sub.example.com --deploy-hook aws_s3
# Deploys key, cert, ca and fullchain files to:
# s3://acme.example.com/sub.example.com/www/ca.cer
# s3://acme.example.com/sub.example.com/www/fullchain.cer
# s3://acme.example.com/sub.example.com/www/sub.example.com.cer
# s3://acme.example.com/sub.example.com/www/sub.example.com.key
```
While S3 can be a convenient place from which to distribute certificates to
other servers, it is strongly recommended that _default encryption_ be enabled
for the bucket being used.
/cc @Neilpang
I'm guessing at this point that this is probably a write-off ... 😛 Nevertheless, I've rebased one last time just in case. 🤞
@mal Sorry for the delay. But I was too busy. As you know this is not a small change, I will be reviewing carefully.
Anyway, I will review it as soon as I can.
Thanks.
Any luck on getting this added?
@Neilpang Can you merge this? @mal Any updates needed for this?
Hi 👋 Can we have an update on this PR ? I would like to be able to deploy certs to an S3 Bucket. Thanks
It's been five years and multiple rebases to keep it fresh and ready for review, but it's not seen any progress. I've since moved on from when this would have been useful to me personally, and so I don't foresee investing any more time into maintaining or rebasing this branch unless that situation changes.
tl;dr: The fork including these changes that was current as of Oct 2021 will remain available but is unlikely to be updated.