Zero-touch deployment of EC2 + TLS
Lettuce Encrypt is a pattern for deploying EC2 web servers that can obtain their own TLS certificates from Let's Encrypt. You'll need an AWS account and at least one domain already registered in Route53.
Simply run make provision PARENT_ZONE=x, where x is a domain that you already have registered in Route53. Assuming you have valid AWS credentials, Lettuce Encrypt will do the following:
- Reserve a static IP address and assign it to a new subdomain (dns/)
- Create a new AMI (image/)
- Create a small storage volume to hold your Let's Encrypt certs (storage/)
- Deploy an EC2 instance which mounts this volume and uses the reserved IP
- Provision this instance, obtaining or renewing Let's Encrypt certs as needed
[Architecture diagram; its box-drawing characters were lost in extraction. It shows five layers: Provisioning (provisions/Makefile, which obtains the Let's Encrypt certificates and manages a Zpool), Webserver (the EC2 Instance with an EIP Attachment and a Volume Attachment), Image (the Lettuce AMI, built by provision.sh from OmniOS Community Edition), DNS (a Subdomain Record in Route 53 pointing at an Elastic IP) and Storage (an EBS Volume), plus the Prerequisites: an existing Route53 domain (PARENT_ZONE) and AWS credentials for us-east-1.]
This pattern assumes that the instance is not part of a cluster (i.e. that you will be obtaining a certificate for a domain that points to a single EC2 instance) and thus is better suited for deploying infrastructure appliances than for large-scale websites.
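As an added example (not code from Lettuce Encrypt itself), a post-deployment check for one such single-instance host: it confirms that the subdomain resolves only to the reserved Elastic IP and that the certificate the instance serves covers that name, was issued by Let's Encrypt, and is neither expired nor already inside the 30-day renewal window. The hostname, IP address and SAMPLE_CERT are constructed placeholder values.

```python
import socket
import ssl
import time

# Let's Encrypt certs last 90 days; renewal is conventionally due once fewer
# than 30 days remain, so a cert inside that window is flagged.
RENEW_WITHIN_SECONDS = 30 * 24 * 3600

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the hostname is a placeholder, not a real deployment.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "app.example.com"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
}

def cert_problems(cert, hostname, now=None):
    """Return the problems found in a getpeercert() dict; an empty list is healthy."""
    now = time.time() if now is None else now
    problems = []
    names = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    if hostname not in names:
        problems.append(f"certificate does not cover {hostname} (SANs: {sorted(names)})")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= now:
        problems.append("certificate has expired")
    elif not_after - now < RENEW_WITHIN_SECONDS:
        problems.append("certificate is inside the renewal window")
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    if issuer.get("organizationName") != "Let's Encrypt":
        problems.append(f"unexpected issuer: {issuer.get('organizationName')}")
    return problems

def dns_matches(resolved_ips, expected_ip):
    """True when the name resolves to the reserved Elastic IP and nothing else."""
    return set(resolved_ips) == {expected_ip}

def check_host(hostname, expected_ip):
    """Live check: resolve the name, fetch the served certificate, collect problems."""
    ips = {a[4][0] for a in socket.getaddrinfo(hostname, 443, socket.AF_INET)}
    problems = [] if dns_matches(ips, expected_ip) else [f"{hostname} -> {sorted(ips)}, not {expected_ip}"]
    ctx = ssl.create_default_context()  # verifies the chain and hostname too
    with socket.create_connection((hostname, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            problems += cert_problems(tls.getpeercert(), hostname)
    return problems
```

Run check_host(hostname, elastic_ip) against the deployed subdomain after make provision finishes; a non-empty return is the list of things to fix, and an empty one means DNS and the certificate are in the expected state.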
Because this pattern automates the creation of a Let's Encrypt account, you are obligated to agree to the Let's Encrypt Subscriber Agreement.