The EC2 job is now responsible for terminating TLS. It uses certbot to request Let's Encrypt certificates on startup and renews them from a daily cron job. A renewed certificate is loaded into the running haproxy through its stats socket (the runtime API), so the proxy is not restarted and in-flight connections are not dropped.
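As an added example of the stats-socket update described above (this is not the project's own hook script): a certbot `--deploy-hook` in Python that builds the single PEM file haproxy expects (chain followed by key) and pushes it through the runtime API with `set ssl cert` and `commit ssl cert`, which haproxy supports from 2.2 onward. The socket path `/var/run/haproxy/admin.sock` and certificate path `/etc/haproxy/certs/site.pem` are assumptions and can be overridden with the `HAPROXY_SOCK` and `HAPROXY_CERT` environment variables.

```python
#!/usr/bin/env python3
"""certbot --deploy-hook: hot-swap a renewed certificate into a running haproxy.

Added example, not the project's own code. Paths below are assumptions.
"""
import os
import socket
import sys

HAPROXY_SOCK = os.environ.get("HAPROXY_SOCK", "/var/run/haproxy/admin.sock")  # assumed
HAPROXY_CERT = os.environ.get("HAPROXY_CERT", "/etc/haproxy/certs/site.pem")  # assumed


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        data = f.read()
    return data if data.endswith(b"\n") else data + b"\n"


def build_haproxy_pem(lineage_dir: str, out_path: str) -> str:
    """Concatenate fullchain.pem + privkey.pem from a certbot lineage directory
    into one file with mode 0600, written to a temp name and renamed so a
    restart never reads a half-written certificate. Returns out_path."""
    combined = _read(os.path.join(lineage_dir, "fullchain.pem")) + \
        _read(os.path.join(lineage_dir, "privkey.pem"))
    tmp = out_path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(combined)
    os.replace(tmp, out_path)
    return out_path


def runtime_api_commands(pem_path: str) -> list:
    """Render the two runtime-API commands. The `<<` payload form ends with an
    empty line; the commit is a separate command sent on a second connection."""
    pem = _read(pem_path)
    set_cmd = b"set ssl cert " + pem_path.encode() + b" <<\n" + pem + b"\n"
    commit_cmd = b"commit ssl cert " + pem_path.encode() + b"\n"
    return [set_cmd, commit_cmd]


def send_command(sock_path: str, payload: bytes) -> str:
    """One command per connection: haproxy answers and then closes the socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(sock_path)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def reply_ok(reply: str) -> bool:
    """haproxy answers a staged `set ssl cert` with 'Transaction created ...'
    and a commit with 'Success!'. Anything else (errors, empty reply) means the
    previous certificate is still the one being served."""
    lowered = reply.lower()
    return "transaction created" in lowered or "success!" in lowered


def deploy(lineage_dir: str, pem_path: str = HAPROXY_CERT,
           sock_path: str = HAPROXY_SOCK) -> bool:
    """Build the PEM and push it; False (and a message on stderr) on rejection."""
    build_haproxy_pem(lineage_dir, pem_path)
    for cmd in runtime_api_commands(pem_path):
        reply = send_command(sock_path, cmd)
        if not reply_ok(reply):
            print("haproxy rejected certificate update: " + reply.strip(),
                  file=sys.stderr)
            return False
    return True


if __name__ == "__main__":
    # certbot exports RENEWED_LINEAGE to --deploy-hook scripts.
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE not set; run this via certbot --deploy-hook")
    sys.exit(0 if deploy(lineage) else 1)
```

Wire it in with `--deploy-hook /path/to/this.py` on the certbot command so it runs only when a certificate was actually renewed. Two things have to line up for `set ssl cert` to be accepted: the stats socket must be declared with `level admin`, and the path given to `set ssl cert` must be exactly the `crt` path on the haproxy `bind` line, because haproxy identifies loaded certificates by that name. A rejected or failed commit leaves the old certificate serving, which is why the hook exits non-zero instead of continuing quietly.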
We allocate an elastic IP and point DNS at it. Whenever the ASG launches a new instance, a lambda associates the elastic IP with that instance (disassociating it from any prior instance first), so the DNS record never has to change. The lambda's role needs `ec2:AssociateAddress` and `ec2:DisassociateAddress`, plus `ec2:DescribeAddresses` to find the prior association.
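An added example of that lambda (not the project's own function): a handler for the EventBridge event `EC2 Instance Launch Successful` that Auto Scaling emits, which moves the elastic IP to the new instance after detaching it from whichever instance held it. It assumes the trigger is that EventBridge event, that the allocation ID is supplied in an `EIP_ALLOCATION_ID` environment variable, and that an optional `ASG_NAME` variable names the group whose launches should be honoured; the `ec2` parameter exists so the logic can be exercised with a stand-in client.

```python
"""Lambda: move an elastic IP to the instance an ASG just launched.

Added example, not the project's own code. Environment variable names and the
EventBridge trigger are assumptions.
"""
import os


def _ec2_client():
    import boto3  # imported lazily so the module loads where boto3 is absent
    return boto3.client("ec2")


def current_association(ec2, allocation_id: str) -> dict:
    """Who holds the address now: {'association_id': ..., 'instance_id': ...},
    both None when the address is unattached."""
    addr = ec2.describe_addresses(AllocationIds=[allocation_id])["Addresses"][0]
    return {"association_id": addr.get("AssociationId"),
            "instance_id": addr.get("InstanceId")}


def move_eip(ec2, allocation_id: str, instance_id: str) -> str:
    """Idempotently point the EIP at instance_id.
    Returns 'already-associated', 'moved' or 'attached'."""
    assoc = current_association(ec2, allocation_id)
    if assoc["instance_id"] == instance_id:
        # EventBridge may deliver the same event more than once; nothing to do.
        return "already-associated"
    if assoc["association_id"]:
        ec2.disassociate_address(AssociationId=assoc["association_id"])
        outcome = "moved"
    else:
        outcome = "attached"
    ec2.associate_address(AllocationId=allocation_id, InstanceId=instance_id)
    return outcome


def handler(event: dict, context=None, ec2=None) -> dict:
    """Lambda entry point. Only successful launches (optionally only for the
    configured group) touch the address, so a stray subscription or a
    terminate event can never steal it."""
    if event.get("detail-type") != "EC2 Instance Launch Successful":
        return {"action": "ignored", "reason": "not a launch event"}
    detail = event.get("detail", {})
    want_asg = os.environ.get("ASG_NAME")  # assumed variable; optional filter
    if want_asg and detail.get("AutoScalingGroupName") != want_asg:
        return {"action": "ignored", "reason": "other auto scaling group"}
    instance_id = detail["EC2InstanceId"]
    allocation_id = os.environ["EIP_ALLOCATION_ID"]  # assumed variable
    ec2 = ec2 or _ec2_client()
    return {"action": move_eip(ec2, allocation_id, instance_id),
            "instance": instance_id}
```

The explicit describe/disassociate/associate sequence mirrors the behaviour described above; `associate_address` with `AllowReassociation=True` would do the swap in one call, but then a duplicate delivery of the event could not be distinguished from a real move in the logs. Until the association completes, the address still points at the previous instance, so the new instance should already be serving (health check passed) before the launch event fires, which is what the Auto Scaling event guarantees.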
Note: Let's Encrypt limits you to 5 duplicate certificates (certificates covering the same set of names) per week - see https://letsencrypt.org/docs/duplicate-certificate-limit/. Since we aren't saving/restoring the configuration data between instances, every new instance requests a fresh certificate, so it's possible to hit this limit when testing deployment changes or making frequent updates that result in replacing EC2 instances. `--test-cert` can be added to the certbot command to point at their staging environment and avoid these limits while testing deployment changes; staging certificates chain to an untrusted root, so clients will reject them, which is fine for exercising the deployment but not for serving users.
This saves at least ~$16.20/month plus usage charges for the NLB. The remaining costs for a minimal instance are ~$3.60/month for the elastic IP, ~$6.77 for EC2 (t3a.micro) and ~$0.50 for DNS.
This mode differs as follows:
See #2117