Public | Automated Build

Last pushed: 5 months ago
Short Description
Letsencrypt client to generate and install certificates for AWS CloudFront distribution.
Full Description

S3/CloudFront plugin for Certbot client

Use the certbot client to generate and install a certificate to be used with
an AWS CloudFront distribution of an S3 bucket.

Before you start

Follow a guide like this one
to use S3 and CloudFront for static site hosting.

Once you are done you should have:

  • A domain pointing to a CloudFront distribution that will use an S3 bucket for origin.
  • Both HTTP and HTTPS traffic are enabled in the CloudFront Distrubtion. This is important for certificate validation, at least while you get your certificate.
  • An IAM policy with the permissions needed for this plugin. A sample policy has been provided.

Note: If you're setting up both an apex and a www. domain, they'll have a respective S3 bucket each. You'll need to update the IAM policy to include access to both buckets.


The easiest way to install both the certbot client and the certbot-s3front plugin is:

  pip install certbot-s3front

Mac with Homebrew certbot?

Installed certbot certbot using Homebrew on Mac (as the official way to install on a Mac)? Find the full path to its python binary using this command:

  cat $(which certbot) | head -1

Then use the full path to the pip binary found in the same folder to install certbot-s3front.
Note, you will need to re-install the plugin each time Homebrew will update certbot

Mac with pip certbot?

Alternatively, you can have a local set up for Python and we recommend a virtual environment and have both certbot and certbot-s3front installed via pip.
You might also need to install dialog: brew install dialog.


If you are in Ubuntu you will need to install pip and other libraries first:

  apt-get install python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev dialog

And then run pip install certbot-s3front.

How to use it

To generate a certificate and install it in a CloudFront distribution:

certbot --agree-tos -a certbot-s3front:auth \
--certbot-s3front:auth-s3-bucket REPLACE_WITH_YOUR_BUCKET_NAME \
[ --certbot-s3front:auth-s3-region your-bucket-region-name ] #(the default is us-east-1, unless you want to set it to something else, you can delete this line) \
[ --certbot-s3front:auth-s3-directory your-bucket-directory ] # (default is "") \
-i certbot-s3front:installer \
--certbot-s3front:installer-cf-distribution-id REPLACE_WITH_YOUR_CF_DISTRIBUTION_ID \

Follow the screen prompts and you should end up with the certificate in your
distribution. It may take a couple minutes to update.

Automate renewal

To automate the renewal process without prompts (for example, with a monthly cron), you can add the certbot parameters --renew-by-default --text

Use with docker

Move these lines to your docker-compose.yml

  image: plyo/letsencrypt-s3front
    - AWS_ACCESS_KEY_ID_0=<key for first domain>
    - AWS_SECRET_ACCESS_KEY_0=<secret for first domain>
    - BUCKET_0=<bucket name>
    - REGION_0=<region>
    - DISTRIBUTION_ID_0=<dist_id>
    - EMAIL_0=<email for notifications>
    - AWS_ACCESS_KEY_ID_1=<key for second domain>
    - AWS_SECRET_ACCESS_KEY_1=<secret for second domain>
    - BUCKET_1=<bucket name>
    - REGION_1=<region>
    - DISTRIBUTION_ID_1=<dist_id>
    - EMAIL_1=<email>
    - CRON_PERIOD=0 3 * * *  # 3 a.m. each night for trying to renew

then run with docker-compose up. You can update certificates for several domains - just list them in $DOMAINS var
and use ordinal suffix (like _0, _1, _2..) for other vars.

Docker Pull Command
Source Repository

Comments (0)