Development on this application is not yet complete, and amarillo should not be used in a production environment at this time. In particular I know there's a pernicious bug that can wipe out your existing certificate.

Amarillo is a Ruby application written to automate issuing Let's Encrypt certificates using dns-01 challenges through Amazon Route 53.

Amarillo is distributed as a RubyGem and can be installed with:

gem install amarillo
amarillo --init --zone AWS_HOSTED_ZONE --email EMAIL_ADDR

If you don't have Ruby installed, you will need to, along with the ruby-dev package.

amarillo requires the use of OpenSSL libraries and you may need to install with supplying the location of the OpenSSL headers.

macOS:

gem install amarillo -- --with-openssl-dir=/opt/homebrew/Cellar/openssl@1.1/1.1.1k

Debian/Ubuntu:

apt-get install -y ruby-dev libssl-dev
gem install amarillo

Usage: amarillo --zone ZONE --name COMMONNAME --email EMAIL

For example:

amarillo --zone iachieved.it --name zabbix.operations.iachieved.it --email noreply@iachieved.it

To use amarillo you'll want to initialize its environment with

amarillo --init --zone AWS_HOSTED_ZONE --email EMAIL_ADDR

You will need to provide AWS credentials in the aws.env file located in /usr/local/etc/amarillo/aws.env. These credentials should be that of an AWS IAM user that only has programmatic access to Route 53 with the AmazonRoute53FullAccess policy.

The format of the aws.env file is:

[default]
aws_access_key_id=
aws_secret_access_key=

Assuming aws.env and config.yml are configured appropriately:

amarillo --name COMMONNAME

amarillo --name COMMONNAME --delete

amarillo --list

Let's Encrypt certificates expire 90 days after issuance. amarillo will renew certificates that are within 30 days of expiration with:

amarillo --renew

By default amarillo wants to leave files in /usr/local/etc/ssl/amarillo and will try to create this directory. Inside this directory will be:

• aws.env
• config.yml
• certificates/
• keys/
• configs/

amarillo, unlike certbot, does not edit your webserver configuration files. You will want to reference the files directly.

On macOS, without rvm

sudo gem install bundler
bundle install

Local testing:

sudo -s ruby -Ilib ./bin/amarillo --zone iachieved.it --name test.iachieved.it --email joe@iachieved.it

Configuration file format examples:

defaults:
  region: us-east-1
  profile: default
  email: iachieved.it@example.com
  zone: example.com
  acme_url:  'https://acme-v02.api.letsencrypt.org/directory'
  nameservers:
  - 208.67.222.222
  - 9.9.9.9
  key_type:  ec,secp384r1

For the ACME staging environment change acme_url to https://acme-staging-v02.api.letsencrypt.org/directory

key_type is a tuple specifying the type of key:

• ec - Elliptic Curve
• rsa - RSA

and curve (for EC) or length (RSA). For example:

• rsa,2048 - A 2048-bit RSA key
• ec,prime256v1 - An Elliptic Curve key using the NIST P-256 curve

It's always bothered me that there is an entire industry around making money issuing SSL certificates. Sure, I understand that OV and EV certificates verify that there's an actual organization behind the certificate and that they are legitimate. But DV (domain validation) certificates still cost money, and all that's validated is you control a domain or an e-mail address. Unless you're running a bank...

Enter Let's Encrypt...

Unfortunately there a many of us who want secure communications between services and websites inside a corporate or private network. Let's Encrypt's out-of-the-box certbot assumes that the website is on the public Internet.

Amarillo is the Spanish word for yellow, and is pronounced "ah-ma-ree-show" in honor of mis amigos uruguayos. 🇺🇾🇺🇸 Yellow is also the name of one of my cats.