Creating and Renewing Let’s Encrypt certificates with AWS Lambda – part 1

Nowadays, it is standard procedure to make use of HTTPS to ensure secure communication with websites. Sometimes, this protocol could be applied in environments that comprise many machines that serve tens of thousands of internet sites or web applications. The most simple and economical way to do that would be to use SSL certificates from ‘Let’s Encrypt’.

To manage network traffic going towards hundreds of internet sites, it is recommended not to use a single machine (physical or not), but in favor of a cluster of them grouped within an autoscaling and a ‘Load Balancer’ to manage and allocate the traffic in the most balanced way possible. With autoscaling in front of your application and a fleet of EC2 instances, the use of the “HTTP-01 challenge” would be challenging or maybe you simply don’t want to install Certbot directly on your servers. In our case, we decided to avoid the installation of Certbot CLI on the servers and differentiate infrastructure-as-code between web applications and certificate flow.

I’m going to divide this argument into a series of three articles:

  • How to generate certificates from ‘Let’s Encrypt’ using the ‘Certbot’ Python library and AWS Lambda.
  • How to renew a certificate using Certbot and certificate files saved in the first step.
  • Infrastructure as code using AWS CDK to deploy a Step-Function to automatically renew certificates.

Certbot utilization in AWS Lambda

Understanding the structure of the working directory is important because we must know how to reconstruct it when we need to renew the certificate. The following is an example of the Certbot’s working directory structure. You can find more information about directory structure in the Let’s Encrypt forum.

After the creation of a domain certificate, we need to save the resulting 4 files, with the .pem extension, that constitutes it. These files are found within the path <certbot-work-dir>/archive/<domain>/. The name of these files ends with an incremental number starting from 1, which identifies how many times a certificate was created or renewed for the same domain.
During multiple tests for the same domain on the development environment with AWS Lambda, we should come across a “warm start” of the function where the storage is the same as the previous execution. In the storage path <certbot-work-dir>/archive/<domain>/, Certbot will save another four files with the numeric suffix incremented by 1 compared to the previous one. A solution can be to copy the latest version of the certificate following the symbolic links we can find in <certbot-work-dir>/live/<domain>/<file>.pem and that is what I have done.

In addition to the previously mentioned files, we need even to save the following files to allow the next renewal of the certificate:

  • <certbot-work-dir>/renewal/<domain>.confCertbot information for the renewal of the certificate
  • <certbot-work-dir>/accounts/<apihost>/directory/<account>/* →Account representation files on an ACME server. <apihost> parameter has to be extrapolated from the previous file <domain>.conf.

Create certificate

The AWS Lambda responsible for creating the certificate will have a straightforward input and output. Our goal is to receive a domain name as input for which to create a certificate and store the resulting files in an S3 bucket. I decided to categorize the certificate files on S3 by date and domain name: <bucket-name>/ssl/<year>/<month>/<day>/<domain>/. This structure will be useful in the next step to find the certificates that need to be renewed.

The Python code presented below enables you to perform all the operations we have discussed so far. Remember to create the Lambda function with the correct permissions to write to the S3 bucket. Add the environment variable called CERTS_S3_BUCKET to the Lambda to specify the name of the created S3 bucket.

After creating the Lambda function, it could be executed by providing a JSON as input with a single parameter   domainName :

After the successful execution of our function, we can check the S3 bucket to confirm the presence of certificate files.

It is now possible to establish HTTPS connections by downloading .pem files from the S3 bucket onto the web server.


The one presented here is just one of the methods to generate certificates through AWS serverless services. We could use a CloudFront + ACM solution or one similar to the one presented using ACM itself as the certificate store (that’s the link to the GitHub Gist).

The generated certificate will expire in 90 days… so be sure not to miss the next article in the series before that date to learn how to renew it. Cheerio!

Andrea Salvatori
Andrea Salvatori
Articoli: 5

Lascia una risposta

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.