
feature addition: store cert/key in s3

Open tkellen opened this issue 4 years ago • 9 comments

Hello! Thank you so much for making this tool, it does almost exactly what I need it to :)

I have a few use-cases in which I need access to the private key of a generated certificate. As this is not accessible once stored in ACM, would you accept a PR that introduces support for storing certs/private keys in s3 as an alternative destination?

tkellen · Dec 17 '19 03:12

@tkellen Hello! I like your idea, but I propose doing it a little differently. Since a private key is secret data, I propose storing the private key in Secrets Manager. What do you think about this idea?

begmaroman · Dec 17 '19 03:12

Ah yes, that makes more sense, I have no idea why I didn't suggest that from the outset!

Would you feel equally supportive of my implementing this to store the private key as an encrypted string parameter in SSM (and the cert as an unencrypted one) instead? I am in the process of migrating away from secrets manager because I don't use the secret rotation functionality.

tkellen · Dec 17 '19 03:12
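The split proposed above (private key as an encrypted SSM parameter, certificate as a plain one), written out as an added example that is not part of acme-dns-route53 or of the thread; the parameter `prefix`, the `kms_key_id` alias and the `RecordingSSMClient` stand-in are assumptions so the code runs offline without boto3.

```python
# Added example, not project code: persist an issued certificate and its
# private key in SSM Parameter Store. The key goes in as a KMS-encrypted
# SecureString, the public chain as a plain String. Values over the 4 KB
# standard-tier limit are written to the Advanced tier.
from dataclasses import dataclass, field
from typing import Optional

STANDARD_TIER_LIMIT = 4096  # bytes; SSM standard parameters cap here

# Constructed sample material (not real keys), just to exercise the code.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIF...constructed...\n-----END CERTIFICATE-----\n"


@dataclass
class RecordingSSMClient:
    """Constructed stand-in for boto3's SSM client; records put_parameter calls."""
    calls: list = field(default_factory=list)

    def put_parameter(self, **kwargs):
        self.calls.append(kwargs)
        return {"Version": len(self.calls)}


def tier_for(value: str) -> str:
    """Pick the SSM tier that can hold this value (full chains often exceed 4 KB)."""
    return "Advanced" if len(value.encode()) > STANDARD_TIER_LIMIT else "Standard"


def store_in_ssm(ssm, prefix: str, cert_pem: str, key_pem: str,
                 kms_key_id: Optional[str] = None) -> dict:
    """Write key and cert under `prefix`; returns the parameter names used."""
    if "PRIVATE KEY-----" not in key_pem:
        raise ValueError("key_pem does not look like a PEM private key")
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise ValueError("cert_pem does not look like a PEM certificate")
    key_name, cert_name = f"{prefix}/private_key", f"{prefix}/certificate"
    key_args = dict(Name=key_name, Value=key_pem, Type="SecureString",
                    Tier=tier_for(key_pem), Overwrite=True)
    if kms_key_id:  # omit to use the account's default aws/ssm key
        key_args["KeyId"] = kms_key_id
    ssm.put_parameter(**key_args)
    ssm.put_parameter(Name=cert_name, Value=cert_pem, Type="String",
                      Tier=tier_for(cert_pem), Overwrite=True)
    return {"private_key": key_name, "certificate": cert_name}


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    print(store_in_ssm(boto3.client("ssm"), "/acme/example.com", SAMPLE_CERT, SAMPLE_KEY))
```

Reading the key back later needs `get_parameter(..., WithDecryption=True)` and `kms:Decrypt` on the key, so the IAM policy for the consumer can be scoped separately from the one that only needs the certificate.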

@tkellen I think we can make the script more flexible and support multiple storages for private keys by passing an argument like --private-store s3.

begmaroman · Dec 17 '19 03:12

Sounds good to me! I can cover the secretsmanager and parameter store one as well. I'll try to take a look in the next week or so and open a simple WIP PR for your feedback on the implementation before I go too far.

tkellen · Dec 17 '19 04:12

@tkellen I will be glad to look at a PR, thanks :)

begmaroman · Dec 17 '19 04:12

Did anything come of this? I'm looking for the same thing. I will create a PR, unless you have one that just hasn't been published yet and would be willing to publish it?

RichardBradley · Aug 27 '20 10:08

Actually, I think it's going to be more work for me to adapt this tool to do what I want than to write my own script, so I won't make a PR. Thanks anyway.

It seems strange to me to store the certs in ACM, which doesn't allow exporting. If you need a cert in ACM for something like ALB where you don't need the private key, why not use the ACM provided certs directly?

RichardBradley · Aug 27 '20 15:08

@tkellen Thoughts on this one? Decided to move to another solution? Any recommendations?

mkozjak · May 04 '21 09:05

Wound up minting certs with terraform/letsencrypt thusly:

# Providers required by the configuration below (the acme provider is
# published under the vancluever namespace).
terraform {
  required_providers {
    acme = {
      source = "vancluever/acme"
    }
    tls = {
      source = "hashicorp/tls"
    }
  }
}

provider "acme" {
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
  # for testing: server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

# ACME account key (distinct from the certificate's private key)
resource "tls_private_key" "account" {
  algorithm = "RSA"
}

resource "acme_registration" "main" {
  account_key_pem = tls_private_key.account.private_key_pem
  email_address   = local.config.admin_email
}

# Wildcard cert for the environment subdomain, validated via a Route 53
# DNS-01 challenge. The issued key and cert are exposed as resource
# attributes (private_key_pem, certificate_pem) in the Terraform state.
resource "acme_certificate" "certificate" {
  account_key_pem           = acme_registration.main.account_key_pem
  common_name               = "${local.config.env}.${local.config.domain}"
  subject_alternative_names = [
    "*.${local.config.env}.${local.config.domain}"
  ]
  dns_challenge {
    provider = "route53"
    config = {
      AWS_PROFILE        = "training"
      AWS_DEFAULT_REGION = "us-east-1"
    }
  }
}

tkellen · May 04 '21 23:05