AWS LetsEncrypt Lambda or Why I Wrote a Custom TLS Provider for AWS Using OpenTofu and Go

These days, it’s challenging to imagine systems that have public API endpoints without TLS certificate protection. There are several ways to issue certificates:

  • Paid wildcard certificates that can be bought from any big TLS provider
  • Paid root certificates that sign all downstream certificates that are issued by corporate PKI systems
  • Free certificates issued by TLS providers like LetsEncrypt or AWS Certificate Manager
  • Self-signed certificates, issued by OpenSSL or another tool


Within the context of this post, I will mainly discuss free certificates that can be used inside AWS, but not only by AWS services. Clearly, using anything other than AWS Certificate Manager makes no sense if you exclusively use managed AWS services and don’t have strict security requirements. AWS Certificate Manager offers a very convenient and speedy method of issuing certificates via DNS or HTTP challenges; however, you run into basic AWS limitations as soon as you need to use these certificates outside of the AWS services that integrate with it (API Gateway, ALB, NLB, etc.), for example on an EC2 instance running Nginx that needs the certificate as a file on disk. Additionally, AWS Certificate Manager does not let you view or export the certificate content, even if you request it.

This article has been indexed from DZone Security Zone
