Obtaining a Multi-Level Wildcard Let's Encrypt Certificate and Storing it in AWS Secrets Manager


In this tutorial, we will walk you through the process of obtaining a multi-level wildcard Let's Encrypt certificate and storing it in AWS Secrets Manager.

We'll also use Ansible to deploy an Nginx web server and retrieve the SSL/TLS keys from Secrets Manager to secure the web server.

Step 1: Obtain a Multi-Level Wildcard Let's Encrypt Certificate

We'll use Certbot to obtain a multi-level wildcard certificate for your domain. Certbot's DNS challenge method is suitable for wildcard certificates.

sudo certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.com" -d "yourdomain.com"

Follow the prompts to complete the DNS challenge verification. Certbot will provide you with the certificate and key files.

Step 2: Store the Certificate and Key in AWS Secrets Manager

  1. Log in to the AWS Management Console.
  2. Open the AWS Secrets Manager service.
  3. Click on "Store a new secret."
  4. Choose "Other type of secrets."
  5. For "Key/value pairs," provide the following:
    • Key: certificate
    • Value: The content of the fullchain.pem file generated by Certbot.
    • Key: private_key
    • Value: The content of the privkey.pem file generated by Certbot.
  6. Click "Next" and give your secret a name and description.
  7. Configure the rotation policy as per your organization's security policy or leave it disabled for manual rotation.
  8. Review and store the secret.
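The console steps above can also be scripted, which avoids pasting a private key into a browser and makes the secret layout repeatable. The following is an added example written for this tutorial, not Certbot's or AWS's code: it reads the two Certbot output files (the `/etc/letsencrypt/live/<domain>/` paths are Certbot's defaults; the secret name is a placeholder), checks that `fullchain.pem` really is a certificate chain and `privkey.pem` a single private key, builds the same `certificate` / `private_key` JSON the playbook later expects, and stores it with boto3. The sample PEM strings at the bottom are constructed placeholders, not real keys.

```python
"""Package Certbot's fullchain.pem and privkey.pem into the JSON secret
layout used in this tutorial ({"certificate": ..., "private_key": ...})
and store it in AWS Secrets Manager (added example, not the page's code)."""
from __future__ import annotations

import json
import re
from pathlib import Path

# A well-formed PEM block: BEGIN/END labels must match, body is base64.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+-----END \1-----"
)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text: str) -> list[str]:
    """Return the labels (e.g. 'CERTIFICATE') of the PEM blocks found in text."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def validation_error(fullchain: str, privkey: str) -> str | None:
    """Return a description of what is wrong with the inputs, or None if they look right."""
    cert_labels = pem_blocks(fullchain)
    if not cert_labels or any(label != "CERTIFICATE" for label in cert_labels):
        return "fullchain.pem must contain only CERTIFICATE blocks"
    if len(cert_labels) < 2:
        return "fullchain.pem should contain the leaf and the intermediate chain, not just the leaf"
    key_labels = pem_blocks(privkey)
    if len(key_labels) != 1 or key_labels[0] not in PRIVATE_KEY_LABELS:
        return "privkey.pem must contain exactly one private key block"
    return None


def build_secret(fullchain: str, privkey: str) -> str:
    """Validate the two PEM files and return the JSON string to store as the secret value."""
    error = validation_error(fullchain, privkey)
    if error:
        raise ValueError(error)
    return json.dumps(
        {"certificate": fullchain.strip() + "\n", "private_key": privkey.strip() + "\n"}
    )


def store_secret(name: str, secret_string: str, region: str = "us-east-1") -> str:
    """Create the secret, or add a new version if it already exists. Returns the secret ARN."""
    import boto3  # imported here so the validation code runs without the AWS SDK installed

    client = boto3.client("secretsmanager", region_name=region)
    try:
        resp = client.create_secret(Name=name, SecretString=secret_string)
    except client.exceptions.ResourceExistsException:
        # Re-running after renewal rotates the secret to a new version.
        resp = client.put_secret_value(SecretId=name, SecretString=secret_string)
    return resp["ARN"]


# Constructed placeholder PEM data for a self-check; the bodies are not real key material.
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nMIIBconstructedleaf\n-----END CERTIFICATE-----\n"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIBconstructedchain\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEconstructedkey\n-----END PRIVATE KEY-----\n"


def self_check() -> dict:
    """Build the secret from the constructed samples and return it parsed back into a dict."""
    return json.loads(build_secret(SAMPLE_LEAF + SAMPLE_INTERMEDIATE, SAMPLE_KEY))


if __name__ == "__main__":
    # Certbot's default output location; replace the domain and secret name for your setup.
    live = Path("/etc/letsencrypt/live/yourdomain.com")
    secret = build_secret(
        (live / "fullchain.pem").read_text(), (live / "privkey.pem").read_text()
    )
    print(store_secret("your-secrets-manager-secret-name", secret))
```

Run it as root on the host where Certbot wrote the files, with AWS credentials that hold `secretsmanager:CreateSecret` and `secretsmanager:PutSecretValue` on that secret; the script prints the secret ARN. Because a second run calls `put_secret_value`, the same script serves as the renewal hook after `certbot renew`.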

Step 3: Deploy Nginx using Ansible

Assuming you have Ansible configured for your environment, create an Ansible playbook to deploy Nginx and retrieve the SSL/TLS keys from AWS Secrets Manager.

---
# Requires the amazon.aws collection on the controller (ansible-galaxy collection install amazon.aws).
# The secret is read on the controller with the aws_secret lookup; the target host needs no AWS credentials.
- name: Deploy Nginx with SSL/TLS
  hosts: your_webserver
  become: true
  vars:
    secret_name: your-secrets-manager-secret-name
  tasks:
    - name: Install Nginx
      ansible.builtin.apt:
        name: nginx
        state: present
        update_cache: true
      notify:
        - Start Nginx

    - name: Fetch SSL/TLS certificate and private key from AWS Secrets Manager
      ansible.builtin.set_fact:
        # The secret value is the JSON document with the "certificate" and "private_key" keys
        tls_secret: "{{ lookup('amazon.aws.aws_secret', secret_name) | from_json }}"
      no_log: true   # keep the private key out of the Ansible output and logs

    - name: Create SSL/TLS certificate file
      ansible.builtin.copy:
        content: "{{ tls_secret.certificate }}"
        dest: /etc/ssl/certs/yourdomain.com.crt
        owner: root
        group: root
        mode: "0644"
      notify:
        - Restart Nginx

    - name: Create SSL/TLS private key file
      ansible.builtin.copy:
        content: "{{ tls_secret.private_key }}"
        dest: /etc/ssl/private/yourdomain.com.key
        owner: root
        group: root
        mode: "0600"   # readable by root only; Nginx reads the key as root before dropping privileges
      no_log: true
      notify:
        - Restart Nginx

  handlers:
    - name: Start Nginx
      ansible.builtin.service:
        name: nginx
        state: started

    - name: Restart Nginx
      ansible.builtin.service:
        name: nginx
        state: restarted

Make sure to replace your_webserver with the hostname of your server in the Ansible inventory file and your-secrets-manager-secret-name with the actual name of the secret stored in AWS Secrets Manager.

Step 4: Run the Ansible Playbook

Run the Ansible playbook to deploy Nginx and configure it with the SSL/TLS certificate and private key:

ansible-playbook nginx_deploy.yml

Nginx will be installed and configured with the SSL/TLS certificate and private key retrieved from AWS Secrets Manager.
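Once the playbook has run, it is worth confirming from the outside that the server presents the certificate you stored and that it still has enough validity left (Let's Encrypt certificates are issued for 90 days). The following is an added example for this tutorial, not code from the page or from Let's Encrypt: it opens a validated TLS connection with Python's standard library, then checks the certificate's Subject Alternative Names against the hostname using the same rule browsers apply, under which `*.yourdomain.com` matches `www.yourdomain.com` but not `a.b.yourdomain.com` or the bare `yourdomain.com`, and reports how many days remain. The `SAMPLE_CERT` dictionary and the fixed timestamps are constructed test data, not a real certificate.

```python
"""Check a deployed certificate: SAN coverage of the hostname and days to expiry.
Added example for this tutorial; not part of the original page."""
from __future__ import annotations

import socket
import ssl
import time


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Connect with certificate verification and return the peer cert as ssl's dict form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def san_dns_names(cert: dict) -> list[str]:
    """DNS entries from the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 matching: a leading '*' stands for exactly one non-empty DNS label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        host_labels = hostname.split(".")
        suffix_labels = pattern[2:].split(".")
        return len(host_labels) == len(suffix_labels) + 1 and bool(host_labels[0]) \
            and host_labels[1:] == suffix_labels
    return pattern == hostname


def days_until_expiry(cert: dict, now: float | None = None) -> float:
    """Days from `now` (default: the current time) until the certificate's notAfter."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    current = time.time() if now is None else now
    return (expires - current) / 86400


def check_deployed_cert(cert: dict, hostname: str, min_days: float = 14,
                        now: float | None = None) -> list[str]:
    """Return a list of problems; an empty list means the certificate passes both checks."""
    problems = []
    names = san_dns_names(cert)
    if not any(name_matches(name, hostname) for name in names):
        problems.append(f"{hostname} is not covered by SAN entries {names}")
    days = days_until_expiry(cert, now)
    if days < min_days:
        problems.append(f"certificate expires in {days:.1f} days")
    return problems


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "yourdomain.com"),),),
    "subjectAltName": (("DNS", "*.yourdomain.com"), ("DNS", "yourdomain.com")),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Mar 31 23:59:59 2030 GMT",
}
# Two fixed "now" values for the self-check: one month before expiry and one week before.
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar  1 00:00:00 2030 GMT")
NEAR_EXPIRY_NOW = ssl.cert_time_to_seconds("Mar 25 00:00:00 2030 GMT")


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "www.yourdomain.com"
    issues = check_deployed_cert(fetch_peer_cert(host), host)
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it as `python3 check_cert.py www.yourdomain.com` after the playbook finishes; a non-zero exit makes it usable from a cron job or CI step. If the script reports that a deeper hostname is not covered, that hostname needs its own `-d` entry in the Certbot command, since a single `*.` wildcard does not extend to further labels.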

Congratulations! You've obtained a multi-level wildcard Let's Encrypt certificate, stored it in AWS Secrets Manager, and deployed an Nginx web server secured with the SSL/TLS certificate using Ansible.