This simple bash script checks whether an SSL certificate expires within a defined threshold, performs a letsencrypt certificate renewal, uploads the new certificate and sets the load balancers to use it. It can optionally update a CloudFront distribution to use the same certificate and delete any old certificates.

It is perfect for those who want to use Let's Encrypt with their SSL-enabled ELB and/or CloudFront.

It uses the aws-cli and letsencrypt.

It is recommended to run it as a daily cron job. If the certificate does not need to be renewed, the script will print "The certificate is up to date, no need for renewal..." and do nothing. You can force a renewal with the `--force` option.

Requirements
------------

* awscli (`pip install awscli`)
* letsencrypt (`git clone https://github.com/letsencrypt/letsencrypt`)
* bc (`apt-get install bc`)

IAM User required Permissions
------------------------------

* `cloudfront:ListDistributions`
* `cloudfront:GetDistributionConfig`
* `cloudfront:UpdateDistribution`
* `elasticloadbalancing:DescribeLoadBalancers`
* `elasticloadbalancing:SetLoadBalancerListenerSSLCertificate`
* `iam:ListServerCertificates`
* `iam:UploadServerCertificate`
* `iam:DeleteServerCertificate`

Passing the Let's Encrypt Challenge
------------------------------------

This script does not handle the ACME challenge itself. The config file for LE should define a `webroot-path` where letsencrypt can write a hash, for example the `/web/root/path/.well-known/acme-challenge` directory. That path must be accessible by Let's Encrypt's servers so your cert renewal request can be authenticated.

This script will need access to the acme-challenge directory to write a hash. If you are dockerizing the script, you can use the `--volumes-from` feature and attach this dockerized service to your nginx/apache/other webserver that hosts the ACME challenge.
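
The renewal decision described at the top (expiry threshold plus `--force`) can be sketched as follows. This is an added example, not the project's own script: it assumes the certificate is available as a local PEM file and uses `openssl x509 -checkend`; the function names `needs_renewal` and `make_sample_cert` and the three return codes are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's script. Function names are hypothetical.

# needs_renewal CERT_PEM THRESHOLD_DAYS [FORCE]
#   returns 0 = renew, 1 = up to date, 2 = bad threshold or unreadable cert
needs_renewal() {
    nr_cert=$1; nr_days=$2; nr_force=${3:-0}
    # --force semantics: renew regardless of the expiry date
    [ "$nr_force" = "1" ] && return 0
    # Reject a non-numeric threshold instead of letting the arithmetic fail
    case $nr_days in ''|*[!0-9]*) return 2 ;; esac
    # Report a missing or unparsable cert as its own error so a cron run
    # does not silently treat it as "up to date"
    openssl x509 -in "$nr_cert" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert is still valid N seconds from now
    if openssl x509 -in "$nr_cert" -noout \
        -checkend "$((nr_days * 86400))" >/dev/null 2>&1
    then return 1
    else return 0
    fi
}

# Constructed sample input: a throwaway self-signed cert valid for $2 days
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days "$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: a cert with 10 days left checked against a 30-day threshold
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/cert.pem" 10
rc=0; needs_renewal "$demo_dir/cert.pem" 30 || rc=$?
case $rc in
    0) echo "Certificate expires within the threshold, renewing..." ;;
    1) echo "The certificate is up to date, no need for renewal..." ;;
    *) echo "Could not read the certificate" >&2 ;;
esac
rm -rf "$demo_dir"
```
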