Generating SSL/TLS Certificates via LetsEncrypt
Generating SSL certificates when your webservers are behind a load balancer
In situations where your webservers aren't behind a load balancer, LetsEncrypt is simple to use (often via certbot) to generate and automatically renew SSL certificates for a given webserver.
Behind a load balancer, this gets awkward: the HTTP-based ACME challenge used to prove that you control the domain or webserver will often fail, because your domain name does not point directly at the webserver. In these cases you can prove control of the domain through DNS instead and deploy the resulting certificates manually, using the process below.
Install Go & Lego (LetsEncrypt for Go)
Install the Go programming language, which is required for Lego to work: https://go.dev/doc/install
Install the Lego client: https://github.com/go-acme/lego/releases (click "show all assets" to see the Windows releases).
Generating the certificates for an Amazon Route 53 managed domain
For a domain on Amazon Route 53, run the following commands in the Windows command prompt on your local machine, substituting the placeholders with the access keys of an IAM user that has Route 53 permissions, and with the Hosted Zone ID of the domain (visible in the Route 53 console). Make sure you do this from a command prompt with administrator privileges or you will get "missing endpoint" errors.
set AWS_ACCESS_KEY_ID=<access key for Route 53 IAM user>
set AWS_SECRET_ACCESS_KEY=<secret key for Route 53 IAM user>
set AWS_REGION=eu-west-3
set AWS_HOSTED_ZONE_ID=<hosted zone ID>
lego.exe --domains *.yourdomain.com --domains yourdomain.com --email youremail@somewhere.com --dns route53 --accept-tos=true run
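What the --dns route53 run above actually publishes in the hosted zone, as an added example (not lego's own code): the TXT value under _acme-challenge.yourdomain.com is derived from the challenge token and the ACME account key, so the CA only has to read DNS and never needs to reach a webserver behind the load balancer. The account key, token and domain names below are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed ACME account key (JWK form) and challenge token; not real key material.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value for the DNS-01 challenge: base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = token + "." + jwk_thumbprint(jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record(domain: str, token: str, jwk: dict):
    """Record name and value written into the zone; a wildcard shares the base name's record."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base, dns01_txt_value(token, jwk)


def record_satisfies_challenge(published_txt, token: str, jwk: dict) -> bool:
    """The CA-side check: some TXT string at the challenge name equals the expected value."""
    return dns01_txt_value(token, jwk) in published_txt


if __name__ == "__main__":
    # The run in the text requests both yourdomain.com and *.yourdomain.com; each gets its
    # own token, so two TXT records end up under the same _acme-challenge name.
    for domain in ("yourdomain.com", "*.yourdomain.com"):
        name, value = challenge_record(domain, TOKEN, ACCOUNT_JWK)
        print(f"{domain}: {name} TXT \"{value}\"")
```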
With the certificates generated, you can then upload them to your webservers via WinSCP or a similar tool.