We're using a name server that cannot manipulate it's records over an open API, and we cannot use webroot on our production servers.
This is a custom Let's Encrypt challenge provider based on the webroot provider but behaves differently when challenged.
- When requested to meet the challenge, this script creates a file in a S3 bucket (which is provided as
AWS_LETSENCRYPT_S3PROVIDER_BUCKET
environment variable) withtoken
as the name andkeyAuth
as the content. - And removes the file on cleanup.
- When Let's Encrypt fetches the token (ex:
example.com/.well-known/acme-challenge/xxxxxx
), another web application handles the request (use thefunc Handler(w http.ResponseWriter, req *http.Request)
inhandler/
), fetches the file from the same S3 bucket and responds to Let's Encrypt's request.
# creates privatekey.pem and cert.pem
AWS_SECRET_KEY={SECRET_KEY} \
AWS_ACCESS_KEY_ID={ACCESS_KEY} \
AWS_LETSENCRYPT_S3PROVIDER_BUCKET={bucket name} \
go-letsencrypt-s3provider {email} {domain1,domain2,..} production privatekey.pem cert.pem
It is easy to use go-s3proxy to access the challenge files placed in s3.
import "github.com/natureglobal/go-s3proxy"
var handler http.Handler = s3proxy.Proxy(os.Getenv("AWS_LETSENCRYPT_S3PROVIDER_BUCKET")
func Handle(w http.ResponseWriter, req *http.Request) {
log.Printf("Func path: %s", req.URL.Path)
handler.ServeHTTP(w, req)
}