How Do I Generate an SSL Certificate From Let's Encrypt To Use With My Object Storage Bucket?

Linode Staff

How do I generate an SSL Certificate from Let's Encrypt to use with my Object Storage bucket?

5 Replies

The easiest way to generate an SSL certificate from Let's Encrypt to use on an Object Storage Bucket is to deploy a Linode to obtain the certificate, and then move it over from there. I've included the steps you can take to do so using a Linode running Ubuntu 20.04 LTS below.

  1. Deploy a 1GB Linode running Ubuntu 20.04 LTS and follow the steps in our Getting Started and Securing Your Server guides. You can also use our Secure Your Server Marketplace App to automate these steps for you.

  2. Create an Object Storage bucket with the Fully Qualified Domain Name (FQDN) you plan to use for your bucket. For example, to enable an SSL certificate for test.example.com, you'll want to name the bucket test.example.com.

  3. Create an A record for the Fully Qualified Domain Name (FQDN) you chose in the previous step, point it at your Linode's IP address, and set the TTL to 5 minutes.

  4. Connect to your Linode as the limited user you created via SSH.

  5. Update snapd by running sudo snap install core

  6. Install certbot by running sudo snap install --classic certbot

  7. Add certbot to your PATH by running sudo ln -s /snap/bin/certbot /usr/bin/certbot

  8. Verify the A record has propagated by running dig $FQDN @8.8.8.8 +short, replacing $FQDN with the FQDN you chose above. You should see your Linode's IP address returned if it has propagated.

  9. Allow traffic on port 80 by running sudo ufw allow 80

  10. Generate the SSL certificate with certbot by running sudo certbot certonly -d $FQDN --standalone, replacing $FQDN with the FQDN you chose above. You'll then be prompted to enter your email address for certificate expiration reminders and a few questions regarding the Let's Encrypt Terms of Service and joining the EFF mailing list. If successful, you should see a message like the one below in your terminal:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/$FQDN/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/$FQDN/privkey.pem
   Your certificate will expire on 2021-07-28. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  1. Now that the certificate has been generated, you'll want to navigate to the SSL/TLS tab for your bucket in Cloud Manager. From your terminal, you can print the contents of your certificate by running sudo cat /etc/letsencrypt/live/$FQDN/fullchain.pem so you can copy it, replacing $FQDN with the FQDN you chose above. Be sure to include the entire contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, when copying, and then paste it into the Certificate field in Cloud Manager.

  2. Next you'll need to do the same thing, except this time for your private key. You can view your private key by running sudo cat /etc/letsencrypt/live/$FQDN/fullchain.pem so you can copy it, replacing $FQDN with the FQDN you chose above. Be sure to include the entire contents, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines, when copying, and then paste it into the Private Key field in Cloud Manager. Then click Save.

  3. The last thing we'll need to do is update your DNS records. You'll need to delete the A record created in step 3 and then create a CNAME record for your FQDN pointing to $FQDN.$region.linodeobjects.com, replacing $FQDN with the FQDN you chose above and $region with the region your bucket is in. For example, if your bucket is located in our Newark data center, this would be $FQDN.us-east-1.linodeobjects.com. Note: If you're hosting a static site on your bucket, you'll want to use $FQDN.website-$region.linodeobjects.com for your CNAME record.

Once the CNAME record has propagated, you should be able to navigate to https://$FQDN in your browser and see a valid HTTPS connection has been established. Once that's been confirmed, you can delete the Linode you created to generate the SSL certificate if no longer needed.

Thanks for the help. I made it through this and got this error (after saving the cert details) in the object storage ssl settings …

"Certificate is not valid for the bucket name. Verify the bucket name is covered by the SANs and/or CN."

I don't understand this part of the help page: "This certificate must share a common name, SAN, or wildcard SAN which is capable of matching the FQDN of the bucket that will be created in a later step."

I've verified that my bucket name is the same as the domain for the cert, but haven't done anything related to wildcards or SAN.

Can someone please explain this and what's required to get the FQDN or wildcards to work?

Thanks!
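The error in this reply is Cloud Manager's version of the check the quoted help text describes: the bucket name must equal one of the certificate's names, or fit a wildcard SAN that replaces exactly one label. As an added example that is not part of this thread, the script below (it assumes the openssl CLI is installed; the certificate it creates is a constructed self-signed stand-in for fullchain.pem, not a Let's Encrypt issuance) lists a certificate's SAN and CN names and applies those matching rules, so a bucket name can be tested before the certificate is pasted into the SSL/TLS tab.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): does the leaf certificate in a PEM file cover a bucket
# FQDN? Rules: case-insensitive exact match, or a wildcard standing in for one leftmost label.
# cert_dns_names PEM: print the names the certificate is valid for (SAN DNS entries, then CN).
cert_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# name_matches PATTERN HOST: exact match, or "*.suffix" covering a single label of HOST.
name_matches() {
  local pattern host first rest
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$pattern" = "$host" ] && return 0
  case "$pattern" in
    '*.'*) first=${host%%.*}; rest=${host#*.}
           # "*.example.com" covers test.example.com, but not deep.test.example.com or example.com
           if [ -n "$first" ] && [ "$first" != "$host" ] && [ "$rest" = "${pattern#\*.}" ]; then
             return 0
           fi ;;
  esac
  return 1
}
# cert_covers_bucket PEM BUCKET_FQDN: succeed if any certificate name matches the bucket name.
cert_covers_bucket() {
  cert_dns_names "$1" | while IFS= read -r name; do
    if [ -n "$name" ] && name_matches "$name" "$2"; then echo "$name"; fi
  done | grep -q .
}
# make_sample_cert OUT: constructed self-signed stand-in for fullchain.pem
# (CN=test.example.com, SAN test.example.com and *.example.com). Not a Let's Encrypt cert.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" -out "$1" \
    -subj '/CN=test.example.com' \
    -addext 'subjectAltName=DNS:test.example.com,DNS:*.example.com' 2>/dev/null
}
# Demo: which bucket names this certificate would and would not be accepted for.
demo() {
  dir=$(mktemp -d); make_sample_cert "$dir/fullchain.pem"
  for bucket in test.example.com other.example.com deep.test.example.com; do
    if cert_covers_bucket "$dir/fullchain.pem" "$bucket"; then echo "$bucket: covered"
    else echo "$bucket: NOT covered by any SAN or CN"; fi
  done
  rm -rf "$dir"
}
demo
```

To check a real certificate before uploading it, run cert_covers_bucket against /etc/letsencrypt/live/$FQDN/fullchain.pem with your bucket name (the live directory is root-only, so use sudo).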

@rl0nergan
I think there is a typo in your point no. 2, for copying the private key.
Shouldn't it be sudo cat /etc/letsencrypt/live/$FQDN/privkey.pem instead?

To make this process easier, I wrote a tool that automatically requests a Let's Encrypt certificate and configures a bucket using the Linode API: https://github.com/dcoles/acme-linode-objectstorage

Note: Let's Encrypt certificates are only valid for 90 days and you will need to renew them regularly.

@dcoles, there are no instructions on how to install your tool, and what does this mean:
"The bucket name and DNS name must be identical."
