How to automate Let’s Encrypt certificate authority in AWS using PowerShell

You can still automate Let's Encrypt even if your system requires a DNS challenge. Using these PowerShell scripts and Amazon Web Services' DNS service Route 53 will do the trick.

If you have been in IT for the last few years, no doubt you will have heard of Let's Encrypt, an open certificate authority. Its goal is simple: ensure that internet traffic is no longer transmitted in plaintext. To that end it issues digital certificates for free. In the right circumstances the service is completely automated, and you can be quite creative about which other automation technologies you link it with.

In fact, Let's Encrypt is fully automated in most instances. This is certainly so on Linux: when paired with Apache or NGINX, it takes care of the whole process of requesting, validating and installing a certificate for you. Even on Windows, some Let's Encrypt tools handle the whole process.

However, if you are not running a web server and cannot use an HTTP validation method (a file stored on your web server that the Let's Encrypt service looks for), you have to use a DNS challenge. If you have requested any certificate in the past, chances are you had to complete a DNS challenge, where your certificate authority says, "Create this DNS record with this value to prove you own the domain." As you'll see, this can create a challenge for automation.

On Windows, of course, PowerShell is the automation tool of choice. There is a Let’s Encrypt module, Posh-ACME, you can install from the PowerShell gallery and request certificates using PowerShell commands.

You'll see that to validate domain ownership you need to complete a DNS challenge as mentioned earlier.
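The following PowerShell is an added illustration of that flow, not one of the article's own scripts: Posh-ACME requests the certificate and hands the DNS challenge to its Route 53 plugin, which creates and removes the _acme-challenge TXT records in the hosted zone. The domains, contact address and AWS profile name are placeholders, and the plugin argument names (R53ProfileName, R53UseIAMRole) are assumed from Posh-ACME v4 and should be checked against the version you install.

```powershell
# Added example (not from the article): issue a Let's Encrypt certificate with
# Posh-ACME using the Route 53 DNS-01 plugin. Domains, contact address and the
# AWS profile name are placeholders; plugin argument names follow Posh-ACME v4
# (R53ProfileName, R53UseIAMRole) and should be checked against your version.
Install-Module -Name Posh-ACME -Scope CurrentUser -Force

# Start against the staging environment so test runs do not consume production
# rate limits; switch to LE_PROD once issuance succeeds.
Set-PAServer LE_STAGE

$domains = @('example.com', 'www.example.com')   # placeholder domains
$contact = 'admin@example.com'                   # placeholder contact address

# The plugin needs AWS credentials that can create and delete the
# _acme-challenge TXT records. Prefer a named profile or an IAM role whose
# permissions are limited to the relevant hosted zone over embedding access
# keys in the script.
$pluginArgs = @{ R53ProfileName = 'letsencrypt' }   # placeholder profile name
# On an EC2 instance with an instance role, use instead:
# $pluginArgs = @{ R53UseIAMRole = $true }

$cert = New-PACertificate -Domain $domains -Contact $contact -AcceptTOS `
            -Plugin Route53 -PluginArgs $pluginArgs -Verbose

# Posh-ACME writes the PEM and PFX files under the current user's profile; the
# returned object reports where, plus the validity period.
$cert | Select-Object Subject, NotAfter, CertFile, KeyFile, PfxFullChain

# On later runs the stored order and plugin settings are reused, and a new
# certificate is only requested when the existing one is close to expiry, so
# this line is what you schedule with Task Scheduler.
Submit-Renewal -AllOrders
```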

[Image: DNS challenge request. Credit: Robert Pearman]
