{"id":26051082,"url":"https://github.com/kiralt/certbot-lambda","last_synced_at":"2025-07-24T00:40:25.345Z","repository":{"id":50512737,"uuid":"449038020","full_name":"KiraLT/certbot-lambda","owner":"KiraLT","description":"Run Certbot on AWS Lambda/Cloud Functions and upload certs to AWS Secrets Manager.","archived":false,"fork":false,"pushed_at":"2024-06-20T13:38:55.000Z","size":213,"stargazers_count":17,"open_issues_count":1,"forks_count":10,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-24T17:11:57.123Z","etag":null,"topics":["aws","aws-lambda","aws-secret","certbot","cloud-function","google-cloud","google-functions","lambda","letsencrypt","secret-management","serverless"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/KiraLT.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-17T20:23:29.000Z","updated_at":"2025-02-27T15:12:12.000Z","dependencies_parsed_at":"2023-02-19T11:45:37.104Z","dependency_job_id":"81fdb2d0-cd15-45f6-ae70-18870943f775","html_url":"https://github.com/KiraLT/certbot-lambda","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KiraLT%2Fcertbot-lambda","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KiraLT%2Fcertbot-lambda/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KiraLT%2Fcertbot-lambda/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KiraLT%2Fcertbot-lambda/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/KiraLT","download_url":"https://codeload.github.com/KiraLT/certbot-lambda/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248281418,"owners_count":21077423,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-lambda","aws-secret","certbot","cloud-function","google-cloud","google-functions","lambda","letsencrypt","secret-management","serverless"],"created_at":"2025-03-08T03:37:11.226Z","updated_at":"2025-04-10T19:33:39.072Z","avatar_url":"https://github.com/KiraLT.png","language":"Python","readme":"# Certbot Lambda\n\n[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/relekang/python-semantic-release)\n[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)\n\nRuns Certbot on AWS Lambda and uploads the resulting certs to AWS Secrets Manager.\n\nInspired by [kingsoftgames/certbot-lambda](https://github.com/kingsoftgames/certbot-lambda) and [Deploying EFF's Certbot in AWS Lambda](https://arkadiyt.com/2018/01/26/deploying-effs-certbot-in-aws-lambda/).\n\n\n## Features\n\n- Supports wildcard certificates (Let's Encrypt ACME v2).\n- Uploads certificates to [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/).\n- Runs on [AWS Lambda](https://aws.amazon.com/lambda/).\n- Supports automatic rotation.\n- Supports 14 [DNS providers](https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins).\n\n## Deployment\n\nDownload the latest version of `certbot-lambda.zip` from the [releases](https://github.com/KiraLT/certbot-lambda/releases).\n\n### AWS Lambda\n\n1. Create a new lambda in Google Dashboard with the `Python 3.11` runtime.\n2. Upload `certbot-lambda.zip` at `Code` \u003e `Code source` \u003e `Upload from` \u003e `.zip file`.\n3. Update the handler to `main.handler` at `Code` \u003e `Runtime settings` \u003e `Handler`.\n4. Create a new `Execution role` at `Configuration` \u003e `Execution role` \u003e `Edit` \u003e `Create a new role from AWS policy templates` with the name `lambda-certbot`.\n5. Go to the created role by clicking on its name and `Attach policies`:\n    * `SecretsManagerReadWrite`\n    * `AmazonRoute53FullAccess`\n6. Increase the execution timeout in `Configuration` \u003e `General configuration` to 10 minutes and the memory limit to 150 MB.\n7. Add ENV variables at `Configuration` \u003e `Environment variables` (check below for the required ENV variables).\n8. Run the lambda manually once to create the secret by going to `Test` and executing the `hello-world` template.\n\n#### Automatic rotation\n\nAWS Secrets Manager can run the created lambda periodically to generate new certs, for example, every month.\n\nFor that to work, update the lambda and add a new `Resource-based policy` at `Configuration` \u003e `Permissions` \u003e `Add permissions`:\n    * **AWS Service**: `Secrets Manager`\n    * **Statement ID**: `SecretsManagerAccess`\n    * **Principal**: `secretsmanager.amazonaws.com`\n    * **Action**: `lambda:InvokeFunction`\n\nThen go to the AWS Secrets Manager dashboard and create a rotation rule for the created secrets; it should execute the created lambda.\n\n### Google Function\n\n1. Create a new function in the [Google Cloud dashboard](https://console.cloud.google.com/functions).\n2. Set the trigger to `Cloud Pub/Sub` _(create a new topic)_.\n3. Add runtime environment variables according to your needs _(check the configuration section and examples below)_.\n4. Increase the timeout to `540` seconds.\n5. Select the `Python 3.11` runtime.\n6. Select the `Zip upload` source code type and upload `certbot-lambda.zip` _(you may need to create a storage bucket where the zip will be stored)_.\n7. Deploy the function.\n\n## Environment variables\n\n| Name | Description | Default/required |\n|---|---|---|\n| CERTBOT_EMAILS | Email used for registration and as the recovery contact. Use a comma to register multiple emails, e.g. `u1@example.com,u2@example.com`. | **required** |\n| CERTBOT_DOMAINS | One or more domains for which certificates are generated. | **required** |\n| CERTBOT_DNS_PLUGIN | DNS provider plugin name for the ACME DNS challenge, e.g. `dns-cloudflare`; find the plugin list [here](https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins). | **required** |\n| CERTBOT_CREDENTIALS | Credentials file content, depending on `CERTBOT_DNS_PLUGIN`. E.g. `{\\n\"type\": \"service_account\",\\n...}` for the `dns-google` plugin. | **required** except for [route53](https://certbot-dns-route53.readthedocs.io/en/stable/#credentials) |\n| CERTBOT_SERVER | Let's Encrypt API URL. | `https://acme-v02.api.letsencrypt.org/directory` |\n| CERTBOT_DIR | Temporary certbot directory where logs and generated certs are stored. | `/tmp/certbot` |\n| CERTBOT_PREFERRED_CHAIN | Force use of the specified cert chain, e.g. `ISRG Root X1`. | |\n| AWS_SECRET_NAME | AWS secret name template; `{domain}` is replaced with the domain name. | `certbot-{domain}` |\n| AWS_SECRET_DESCRIPTION | AWS secret description text. | `Auto generated SSL certificate by lambda-certbot` |\n| CERTBOT_PROPAGATION_SECONDS | The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. | Depends on the DNS plugin |\n| CERTBOT_EXTRA_ARGS | Additional arguments that will be passed to [certbot](https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options). | |\n\nEach DNS challenge plugin requires different configuration; check the [documentation](https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins) for more information.\n\n## Letsencrypt\n\n### 2021 September 30th Root CA X3 root certificate expired\n\nDue to a bug in some versions of [OpenSSL (1.0.0 - 1.0.2)](https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816), [GnuTLS (\u003c 3.6.14)](https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html), [LibreSSL (\u003c 3.2.0)](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.0-relnotes.txt) and perhaps other TLS/SSL libraries as well, Let's Encrypt's certificates are seen as invalid because the expired DST Root CA X3 certificate is still included in the default chain.\n\nTo solve this issue, you can drop the `Root CA X3` certificate, which is still included in the chain for legacy support (mostly Android), by setting the `CERTBOT_PREFERRED_CHAIN=ISRG Root X1` environment variable.\n\n_Source: [Laravel: Let's Encrypt Compatibility Changes](https://blog.laravel.com/forge-lets-encrypt-compatibility-changes)_\n\n## Examples\n\n### AWS Lambda to AWS Secrets using Route 53\n\n#### Configuration\n\n```\nCERTBOT_EMAILS=name@example.com\nCERTBOT_DOMAINS=*.example.com,example.com\nCERTBOT_DNS_PLUGIN=dns-route53\n```\n\n\u003e In [Lambda](https://aws.amazon.com/lambda/), AWS credentials are provided by default. Make sure the lambda role has access to AWS Secrets Manager and Route 53. Or you can [configure them manually](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html).\n\n### AWS Lambda to AWS Secrets using Cloudflare\n\n#### Configuration\n\n```\nCERTBOT_EMAILS=name@example.com\nCERTBOT_DOMAINS=*.example.com,example.com\nCERTBOT_DNS_PLUGIN=dns-cloudflare\nCERTBOT_CREDENTIALS=\"dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567\"\n```\n\n\u003e In [Lambda](https://aws.amazon.com/lambda/), AWS credentials are provided by default. Make sure the lambda role has access to AWS Secrets Manager. Or you can [configure them manually](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html).","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkiralt%2Fcertbot-lambda","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkiralt%2Fcertbot-lambda","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkiralt%2Fcertbot-lambda/lists"}