Let's Encrypt issues whilst integrating Packer and Trellis

I’m using Packer to generate AMIs (Amazon machine images) for an autoscaling infrastructure. Packer creates these VM images by starting up an EC2 instance, running the playbook (in this case Trellis’ server.yml), then terminating the instance before snapshotting the volume to create the image.

Trellis integrates well with Packer except for the letsencrypt role, which doesn’t pass the challenge since the DNS is not set up to point to this short-lived instance. How might I edit the role or my workflow in order to get this to work? I realise I could use Cloudflare or Cloudfront for SSL but I’d like to use Let’s Encrypt if possible. Thanks.

Well Let’s Encrypt needs a way to verify the domain/certificate. It has a few options available:

  • HTTP response (what Trellis uses)
  • DNS

See https://letsencrypt.org/how-it-works/

Either way requires a DNS record though so I’m not exactly sure what the solution is. AWS has its own certificate manager now and it might offer free certificates? It might be better to use that since it’s integrated with AWS products.

Ref: https://aws.amazon.com/certificate-manager/

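To make the difference between the two validation options concrete, here is an added example (not code from the thread, and not part of Trellis or acme-tiny) that derives the responses a client must publish for the HTTP and DNS challenges as specified in RFC 8555 and RFC 7638. The account key, domain and challenge token are constructed sample values, and the function names are my own. It shows why the HTTP challenge fails for a Packer build instance: the CA fetches the key authorization over HTTP from whatever the domain resolves to, so the instance itself must be reachable at that name, whereas the DNS challenge only needs a TXT record to be published under `_acme-challenge.<domain>` and never touches the host.

```python
import base64
import hashlib
import json

# Constructed sample values: an ACME account public key in JWK form and a
# challenge token. In practice the token comes from the ACME server's
# challenge object and the key is your own account key.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",  # optional member; must NOT influence the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required public members for the key
    type, keys in lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)), used in every key authorization."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict, domain: str) -> tuple:
    """HTTP-01: the CA performs a GET against the domain, so the host the
    name resolves to must serve the key authorization at this URL."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_record(token: str, jwk: dict, domain: str) -> tuple:
    """DNS-01: publish base64url(SHA-256(key authorization)) as a TXT record;
    the CA only queries DNS, so the web host does not need to exist yet."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    url, body = http01_response(TOKEN, ACCOUNT_JWK, "example.com")
    print("HTTP-01: serve", repr(body), "at", url)
    name, value = dns01_record(TOKEN, ACCOUNT_JWK, "example.com")
    print("DNS-01: publish TXT", name, "=", repr(value))
```

The two derivations share the same key authorization; only the publication channel differs. That is the whole reason DNS validation fits a Packer workflow: the TXT record can be created from the build pipeline with the DNS provider's API, validated, and then removed, without the temporary instance ever being addressable under the production hostname.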

Thanks. I think using the DNS challenge could well solve my issue. It’s just a shame that acme-tiny doesn’t support it, and so I’ll have to create my own role with another ACME client.

Should mention that we’d be open to switching to another LE client. The tools around LE are moving really fast so it’s hard to keep up with them. But there might be a client that will handle more functionality and let us simplify the code in Trellis itself. So if you do end up finding anything good, let us know :slight_smile: