aureq / letslambda


Automatically deploy issued/renewed certificates in EC2 Linux #23

Closed aureq closed 7 years ago

aureq commented 8 years ago

Since it's possible to automate the deployment of issued certificates in CloudFront and ELB, it would be nice to have the same automated capabilities so SSL certificates are automatically deployed in an EC2 instance (or anywhere else).

aureq commented 8 years ago

A possible way to automatically deploy new certificates would be to send notifications to an SQS queue with the certificate details (message payload). A (python) client would be in charge of checking the queue for new messages and, if the certificate name is present in the local configuration, the certificate would be deployed locally. In addition, if a new certificate is deployed on a server, then it would be useful to restart/reload one or more services (post-update command execution). The private key for each certificate should be stored in memory rather than on a local file system. With Linux, the best option would be to use /dev/shm as the preferred location.

aureq commented 8 years ago

As part of the notification payload, an indicator should be included to inform the service if the private key has been renewed (reuse_key: false). This will ensure that the private key is transferred outside of the S3 bucket only when required.

It would also be good to find a way to ensure that the whole chain is valid. As in, the private key and the generated certificate contain the same modulus.
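Added example (not letslambda code, and not part of this thread): a deployment handler that follows the sketch in the two comments above. It only acts on certificate names present in the local configuration, takes the private key from the notification only when `reuse_key` is false (otherwise it reuses the key already on the host), refuses to deploy when the key's public half does not match the certificate, creates the key file with mode 0600 from the start, and runs an optional post-update command. The message keys (`name`, `reuse_key`, `certificate`, `chain`, `private_key`), the config layout and the `key_dir` parameter (standing in for /dev/shm) are assumptions; it requires the `cryptography` package. The match check compares the DER SubjectPublicKeyInfo, which covers RSA (modulus and exponent) and EC keys alike.

```python
"""Constructed example, not letslambda code: deploy a renewed certificate from a
notification message after checking that the key matches the certificate."""
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _spki(pub) -> bytes:
    return pub.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)


def key_matches_cert(cert_pem: bytes, key_pem: bytes) -> bool:
    """True if the private key's public half equals the certificate's public key."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    return _spki(cert.public_key()) == _spki(key.public_key())


def _write_private(path: str, data: bytes) -> None:
    """Create the key file as 0600 at creation time (no world-readable window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def deploy_notification(message: dict, local_config: dict, key_dir: str) -> str:
    """Return 'ignored', 'rejected' or 'deployed'. key_dir stands in for /dev/shm."""
    entry = local_config.get(message["name"])          # assumed config shape
    if entry is None:
        return "ignored"                                # not a cert this host uses
    cert_pem = message["certificate"].encode()
    key_path = os.path.join(key_dir, message["name"] + ".key")
    renewed_key = not message.get("reuse_key", True)
    if renewed_key:
        key_pem = message["private_key"].encode()       # key travels only when renewed
    elif os.path.exists(key_path):
        with open(key_path, "rb") as f:
            key_pem = f.read()                          # key unchanged: use the local copy
    else:
        return "rejected"                               # nothing to pair the cert with
    if not key_matches_cert(cert_pem, key_pem):
        return "rejected"
    base = os.path.join(entry["cert_dir"], message["name"])
    with open(base + ".crt", "wb") as f:
        f.write(cert_pem)
    with open(base + ".chain", "wb") as f:
        f.write(message.get("chain", "").encode())
    if renewed_key:
        _write_private(key_path, key_pem)
    if entry.get("post_update"):
        subprocess.run(entry["post_update"], check=True)  # argv list, no shell
    return "deployed"


def make_key_and_cert(cn: str):
    """Constructed test material: fresh RSA key plus a self-signed certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=90))
            .sign(key, hashes.SHA256()))
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


def demo() -> dict:
    """Exercise the cases the thread cares about and return the outcomes."""
    key_pem, cert_pem = make_key_and_cert("example.test")
    other_key, _ = make_key_and_cert("other.test")
    with tempfile.TemporaryDirectory() as tmp:
        config = {"example.test": {"cert_dir": tmp,
                                   "post_update": [sys.executable, "-c", "pass"]}}
        good = {"name": "example.test", "reuse_key": False,
                "certificate": cert_pem.decode(), "chain": cert_pem.decode(),
                "private_key": key_pem.decode()}
        reused = {k: v for k, v in good.items() if k != "private_key"}
        reused["reuse_key"] = True                       # renewal without a new key
        results = {
            "deployed": deploy_notification(good, config, tmp),
            "reused": deploy_notification(reused, config, tmp),
            "rejected": deploy_notification(dict(good, private_key=other_key.decode()),
                                            config, tmp),
            "ignored": deploy_notification(dict(good, name="nobody.test"), config, tmp),
            "key_mode": oct(os.stat(os.path.join(tmp, "example.test.key")).st_mode & 0o777),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

The mismatch case is the "same modulus" check from the comment above, generalised to any key type; a production client would also want to verify that the chain actually leads from the leaf to a trusted root before reloading services.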

aureq commented 8 years ago

So, SQS is not good for the job since message attributes aren't usable as a filter. The fallback solution would be to use DynamoDB and have a small service polling the database every few minutes (or via streams) to get the notification.

aureq commented 8 years ago

This issue is blocked by aureq#12

aureq commented 7 years ago

Is using SSH from Lambda a good solution?

aureq commented 7 years ago

So I added initial support for SSH (push) from Lambda to any server (EC2 or anywhere else). Multiple SSH servers can be added for the same domain, and then once the certificate has been renewed, the certificate, key and CA chain are all pushed onto the specified server/path.

Authentication is done via password and/or ssh private key. The private key is stored in S3 in a separate bucket if needed. However, this bucket should be in the same AWS region as the one used by Let's Lambda.