diff --git a/docs/letsencrypt.md b/docs/letsencrypt.md index 2d0fc3c..bfc390d 100644 --- a/docs/letsencrypt.md +++ b/docs/letsencrypt.md @@ -75,3 +75,91 @@ This example shows that PiKVM may not be accessible from the internet, but you c ``` 4. Next follow the basic guide. + + +## Route53 DNS + +This example shows that PiKVM may not be accessible from the internet, but you can still get a certificate if you use AWS Route53 DNS. Make sure you are running an image newer than 2022.06.20 and kvmd version 3.119-1 or greater. + +1. Switch filesystem to RW and install the Route53 DNS plugin: + ``` + # rw + # pacman -S certbot-dns-route53 + ``` + +2. Configure Your AWS User + For the certbot_dns_route53 plugin to work it needs to be able to connect to AWS using an access key with the correct permissions. + + To do this securely you’ll want to create a new AWS user that only has the necessary permissions it needs to work. + + You can find instructions for creating a user [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console). The basics of it is you’ll want a user with Programmatic access (not console), add it to a group (I created a new one just for this user and any future certbot users I might need). + + The user will need specific permissions that are required to allow the certbot plugin to create the necessary CNAME records. These can be added by manually selecting them from a very long list or you can use the json view to give it the following permissions. + + ``` + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "route53:ListHostedZones", + "route53:GetChange" + ], + "Resource": [ + "*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "route53:ChangeResourceRecordSets" + ], + "Resource" : [ + "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID" + ] + } + ] + } + ``` + Make sure you replace YOURHOSTEDZONEID with the instance ID of your hosted zone. + + Once the user is created don’t forget to download and save your access key and secret access key (somewhere secure, these are as sensitive as your passwords). + +3. Setup credentials: + + We now need to put the AWS credentials on the PiKVM so the certbot can use them. + ``` + kvmd-pstrun -- mkdir /var/lib/kvmd/pst/data/certbot/ + kvmd-pstrun -- mkdir /var/lib/kvmd/pst/data/certbot/runroot + ``` + + Copy and paste your AWS credentials into the nano editor and save the file. + ``` + kvmd-pstrun -- nano /var/lib/kvmd/pst/data/certbot/runroot/.route53.auth + ``` + Here is an example .route53.auth file. Replace the placeholders with the access key and secret access key that you just saved from AWS and fill them in. + + ``` + [default] + aws_access_key_id=XXXXXX + aws_secret_access_key=XXXX/XXXXX + ``` + + Update permissions: + ``` + kvmd-pstrun -- chmod 600 /var/lib/kvmd/pst/data/certbot/runroot/.route53.auth + ``` + +4. Obtain the certificate: + ``` + export AWS_SHARED_CREDENTIALS_FILE="/var/lib/kvmd/pst/data/certbot/runroot/.route53.auth" + kvmd-certbot certonly \ + --dns-route53 \ + --agree-tos \ + -n \ + --email user@example.com \ + -d pikvm.example.com + ``` + +4. Next follow the basic guide.