How to update private keys for your on an S3 site using Docker & Let’s Encrypt.

First, this how-to is intended to be run on a Linux system, as Docker will write the finished certificate files to directories on your Linux system.

Next, make sure you have Docker installed and working properly on your Linux machine, then run:

docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot certonly --manual --agree-tos -d ""

Next, create the file that Certbot wants you to upload, and upload it using the AWS CLI command below.

aws s3 cp [NAME OF THE FILE CERTBOT GAVE YOU] s3://[S3 BUCKET THE FILE SHOULD GO INTO]/.well-known/acme-challenge/ --acl=public-read --profile=[IF YOU NEED A PROFILE USE THIS, OTHERWISE DROP THE --profile OPTION]

Replace the placeholder text with whatever Certbot gave you and whatever your S3 bucket is. If you need a profile, make sure to include that.
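One way to script the file-creation step, as an added example that is not part of the original how-to: it takes the "token.thumbprint" string Certbot prints in manual mode, rejects anything that is not a well-formed ACME key authorization, writes the challenge file without a trailing newline, and prints the upload command. The helper names write_challenge and upload_command, the demo directory and the bucket name are assumptions, and the sample value is constructed.

```shell
#!/bin/sh
# Added example; write_challenge and upload_command are hypothetical helper names.
LC_ALL=C; export LC_ALL

# write_challenge KEY_AUTHORIZATION OUT_DIR
# Writes OUT_DIR/<token> containing exactly KEY_AUTHORIZATION and prints the path.
write_challenge() {
    ka=$1 dir=$2
    # Only base64url characters and the separating dot are accepted, so pasted
    # input can never carry "/" or ".." path components into the file name.
    case $ka in
        ''|*[!A-Za-z0-9._-]*) echo "invalid characters" >&2; return 1 ;;
        *.*) ;;
        *) echo "missing '.' separator" >&2; return 1 ;;
    esac
    token=${ka%%.*}   # part before the first dot: also the file name
    thumb=${ka#*.}    # part after the first dot: account key thumbprint
    case $thumb in *.*) echo "more than one '.'" >&2; return 1 ;; esac
    [ -n "$token" ] || { echo "empty token" >&2; return 1; }
    # The thumbprint is a base64url SHA-256 digest, which is always 43 characters.
    [ "${#thumb}" -eq 43 ] || { echo "thumbprint is not 43 chars" >&2; return 1; }
    mkdir -p "$dir" || return 1
    # printf '%s' avoids the trailing newline that echo or an editor may add.
    printf '%s' "$ka" > "$dir/$token" || return 1
    printf '%s\n' "$dir/$token"
}

# upload_command FILE BUCKET: prints (does not run) the upload command from above.
upload_command() {
    printf 'aws s3 cp %s s3://%s/.well-known/acme-challenge/ --acl=public-read\n' "$1" "$2"
}

# Constructed sample value, not a real challenge; example-bucket is a placeholder.
sample="dGVzdC10b2tlbg.$(printf '%043d' 0)"
f=$(write_challenge "$sample" "${TMPDIR:-/tmp}/acme-demo") && upload_command "$f" "example-bucket"
```

Append --profile=[YOUR PROFILE] to the printed command if you need one.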

Once the file is uploaded, continue at the Certbot prompt. This will create the keys and save them in the directory /etc/letsencrypt/live/

Change to root (sudo -s), then change to this directory and open the files with nano *

Now log in to AWS and go to and find the website you’re updating and click on REIMPORT.

Next copy each of the files that you now have open in nano over to the respective boxes.

  • cert.pem -> Certificate body
  • chain.pem -> Certificate chain
  • privkey.pem -> Certificate private key

fullchain.pem doesn’t go into any boxes. Click NEXT.

Now go to CloudFront, find the distribution you’re working with, and click the ID. In the Settings section, click EDIT. Don’t change anything; scroll down to the bottom and click Save Changes even though you haven’t made any.

In about 15 minutes the certificate will be deployed and renewed.