Skip to main content

Create Server Certificate (LetsEncrypt)

Create Server Certificate (LetsEncrypt)

Check your selected region

Make sure you have selected the desired region, ex: US East (N. Virginia) us-east-1.

Follow the Launch EC2 Instance guide to launch an Amazon 2 Linux instance in a VPC with attached Internet Gateway.

After logging into the launched EC2 instance via SSH, install certbot to interact with LetsEncryptopen in new window.

sudo amazon-linux-extras install -y epel
sudo yum install -y certbot

Then issue the wildcard certificate such as *

sudo certbot -d * --manual --preferred-challenges dns --key-type rsa certonly

This will require you to respond to the challenge by adding a custom DNS record proving ownership of the wildcard domain, such as *

When certbot completes, the relevant files for the certificate chain and private key have been generated, called fullchain.pem and privkey.pem.

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:

Now we need to prepare the secret value by combining these together:

sudo cat /etc/letsencrypt/live/ >>
sudo cat /etc/letsencrypt/live/ >>

Then we can create the secret, for example:

aws secretsmanager create-secret \
  --region us-east-1 \
  --name \
  --secret-string file://


Note the returned secret ARN as it will be needed later.


LetsEncrypt certificates are valid for 90 daysopen in new window, so you will need to renew the certificate and update the secret value accordingly before expiration. The latest secret value is obtained automatically upon restarting the Zilla proxy instance.