SSLSupportMethod to sni-only
MinimumProtocolVersion to TLSv12_2019
Users with limited access require permissions for the listed policies.
For AWS ALB/NLB:
For AWS CloudFront:
Log in to the sensor host.
Go to the sensor CLI directory.
cd install_dir/cli
Where install_dir is the installation directory for the sensor.
Run the addagentless command.
./addagentless.sh -type AWS
./addagentless.sh -type AWS-CLOUDFRONT
addagentless.bat -type AWS
addagentless.bat -type AWS-CLOUDFRONT
docker exec -it <container-id/name> cli/addagentless.sh -type AWS
docker exec -it <container-id/name> cli/addagentless.sh -type AWS-CLOUDFRONT
When you enter the command, a series of prompts appears for each setting you need to enter. At each prompt, enter the specific settings for your load balancer and press Return.
Run the docker ps command to get the container name or ID and its operating status.
There are two ways to configure the agentless on Docker:
Run the docker exec -it <container-id/name> cli/addagentless.sh -type AWS or docker exec -it <container-id/name> cli/addagentless.sh -type AWS-CLOUDFRONT command.
Run the docker exec -it <container-id/name> bash command to get a bash shell in the container. Then run the cli/addagentless.sh -type AWS or cli/addagentless.sh -type AWS-CLOUDFRONT command.
For example:
./addagentless.sh -type AWS
Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.
Enter your AWS Account ID (12 digits):123456789012
Enter AWS Region (e.g., us-east-2):us-east-2
Choose your login method:
1.Use the Default AWS credential provider chain
2.Supply the credentials yourself
3.Use an AWS profile name
Your choice: 1
If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N
Successfully added or changed the agentless automation. This applies to the following HA Pair peers :
Starting agentless configuration for this host. Go to Automated IPs in CertCentral to finish configuring host details and set up automation.
Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.
Enter your AWS Account ID (12 digits):123456789012
Enter AWS Region (e.g., us-east-2):us-east-2
Choose your login method:
1.Use the Default AWS credential provider chain
2.Supply the credentials yourself
3.Use an AWS profile name
Your choice: 2
If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N
Enter AWS access key Id:ABCD12E3F4GHIJ567KLM
Enter AWS secret key:
Confirm AWS secret key:
Successfully added or changed the agentless automation. This applies to the following HA Pair peers :
Starting agentless configuration for this host. Go to Automated IPs in CertCentral to finish configuring host details and set up automation.
Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.
Enter your AWS Account ID (12 digits):123456789012
Enter AWS Region (e.g., us-east-2):us-east-2
Choose your login method:
1.Use the Default AWS credential provider chain
2.Supply the credentials yourself
3.Use an AWS profile name
Your choice: 3
If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N
Enter your AWS profile name (Press Enter if the profile name and AWS Account ID are same.):
Successfully added or changed the agentless automation. This applies to the following HA Pair peers:
Starting agentless configuration for this host. Go to Automated IPs in CertCentral to finish configuring host details and set up automation.
To provide login credentials for configuring agentless automation settings, you can:
The AWS provider offers a flexible means of providing authentication credentials. The following methods are supported and the credentials are sought in this sequence:
Environment variables – AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Note: You are required to restart the sensor:
Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI.
For successful authentication, we recommend setting the AWS_CREDENTIAL_PROFILES_FILE environment variable. For example: AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file
Note: You must restart the sensor if an update or change is made to the environment variables when the sensor is running.
Instance profile credentials delivered through the Amazon EC2 metadata service.
For successful instance credential authentication:
For more details, refer to the AWS documentation.
Sign in to AWS Management Console and select IAM service.
In the sidebar menu, select Access management > Roles. Then, select Create role.
On the Create role page, select the AWS service trusted entity type and the EC2 use case. Then, select Next: Permissions.
Select the policies you want to assign to the role. Then, select Next: Tags.
Assign tags to the role (optional) and select Next: Review.
Enter a role name, add a description (optional), and select Create role.
On the AWS Management Console, select EC2 service.
In the sidebar menu, select Instances.
On the Instances page, select the instance. Then, select Actions > Instance Settings > Attach/Replace IAM Role.
On the Attach/Replace IAM Role page, select the IAM role to attach to your instance. Then select Apply.
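The console steps above, expressed as AWS CLI calls, as an added example that is not part of DigiCert's sensor tooling. The role name, the policy ARN and the instance ID are placeholders (attach only the policies listed for the sensor), and DRY_RUN=1, the default, prints each command instead of running it so the script can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example (not DigiCert's tooling): the IAM role / instance profile steps
# from the console procedure, as AWS CLI calls. ROLE_NAME and POLICY_ARN are
# placeholders; attach only the policies the sensor documentation lists.
# DRY_RUN=1 (the default) prints the commands instead of executing them.
ROLE_NAME="${ROLE_NAME:-certcentral-sensor-role}"
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::123456789012:policy/REPLACE_WITH_LISTED_POLICY}"
DRY_RUN="${DRY_RUN:-1}"

# Trust policy for the "AWS service" trusted entity with the EC2 use case:
# only the EC2 service may assume this role, nothing else.
ec2_trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create the role, attach the policy, wrap the role in an instance profile
# (the console does this silently) and attach that profile to INSTANCE_ID
# (console: Actions > Instance Settings > Attach/Replace IAM Role).
# Usage: attach_sensor_role INSTANCE_ID
attach_sensor_role() {
  instance_id="$1"
  run aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(ec2_trust_policy)"
  run aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  run aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  run aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
      --role-name "$ROLE_NAME"
  run aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
      --iam-instance-profile "Name=$ROLE_NAME"
}

# Dry-run demonstration against a placeholder instance ID.
attach_sensor_role i-0123456789abcdef0
```

Run with DRY_RUN=0 and a real instance ID once the printed commands look right; the trust policy restricts the role to the EC2 service, and the policy list is the only place where the sensor's permissions are widened, so keep it to the policies the sensor actually needs.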
Supply credentials in at least one of these locations for the sensor to connect to AWS.
To use an AWS profile name for your login credentials, set the profile with key-value pairs. You can do this in the AWS credential profiles file located at the default location (~/.aws/credentials), which is shared by all AWS SDKs and the AWS CLI.
For successful authentication, we recommend setting the AWS_CREDENTIAL_PROFILES_FILE environment variable. For example: AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file
[default]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
[profile1]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
[profile2]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
[profile3]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
If you are working with multiple AWS accounts, you can easily switch between your accounts by creating multiple profiles (sets of credentials) in your credentials file.
Each section (for example, [default], [profile1], [profile2], etc.) represents a separate credential profile. The keyword in square brackets is your profile name.
If you do not specify the AWS profile name as a login, then we will use the AWS account ID as your login credential.
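A pre-flight check for the credential lookup order described above (environment variables, then the credential profiles file, honouring AWS_CREDENTIAL_PROFILES_FILE, then the EC2 instance profile) and for the profile file layout shown in this section, as an added example that is not part of the DigiCert sensor or its CLI. It reports which source the default provider chain would satisfy first for a given profile name, verifies that the chosen profile carries both keys before the sensor is configured with it, and confirms the file is readable only by its owner. The function names are assumptions; the variable names and file layout are the page's own, and the sample credentials file is constructed with sample values.

```shell
#!/bin/sh
# Added example (not part of the DigiCert sensor or its CLI): mirrors the
# credential lookup order of the default AWS credential provider chain as
# described on this page and validates a profile in the credentials file.
# Function names are assumptions; env var names and file layout are the page's.

# Print the value of KEY inside the [PROFILE] section of an INI-style
# credentials file (handles "key = value" and "key=value", skips comments).
# Usage: profile_key FILE PROFILE KEY
profile_key() {
  awk -v want="[$2]" -v key="$3" '
    /^[[:space:]]*[#;]/ { next }                                   # comment line
    /^[[:space:]]*\[/ { sec = $0; gsub(/[[:space:]]/, "", sec)
                        insec = (sec == want); next }              # section header
    insec {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/[[:space:]]/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (k == key) { print v; exit }
    }
  ' "$1"
}

# Succeed only if PROFILE has a non-empty access key id and secret key.
# Usage: profile_is_complete FILE PROFILE
profile_is_complete() {
  [ -n "$(profile_key "$1" "$2" aws_access_key_id)" ] &&
  [ -n "$(profile_key "$1" "$2" aws_secret_access_key)" ]
}

# Succeed if FILE has no group or other permission bits: long-term keys
# should not be readable by other users on the sensor host.
file_is_private() {
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Report the first source in the chain that would satisfy PROFILE (default:
# "default"). Prints: environment | profile:<name>:<file> | instance-profile
credential_source() {
  profile="${1:-default}"
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "environment"
    return 0
  fi
  file="${AWS_CREDENTIAL_PROFILES_FILE:-$HOME/.aws/credentials}"
  if [ -r "$file" ] && profile_is_complete "$file" "$profile"; then
    echo "profile:$profile:$file"
    return 0
  fi
  # Nothing usable locally: the sensor would fall through to the EC2
  # metadata service, which this offline check does not query.
  echo "instance-profile"
}

# Demonstration on a constructed credentials file (sample values, not real keys):
# profile2 is deliberately incomplete to show the fall-through.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/credentials" <<'EOF'
[default]
aws_access_key_id = AKIASAMPLEDEFAULT000
aws_secret_access_key = sample-secret-default
[profile1]
aws_access_key_id=AKIASAMPLEPROFILE001
aws_secret_access_key = sample-secret-one
[profile2]
aws_access_key_id = AKIASAMPLEPROFILE002
EOF
  chmod 600 "$dir/credentials"
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
  AWS_CREDENTIAL_PROFILES_FILE="$dir/credentials"
  export AWS_CREDENTIAL_PROFILES_FILE
  for p in default profile1 profile2; do
    printf '%s -> %s\n' "$p" "$(credential_source "$p")"
  done
  file_is_private "$dir/credentials" && echo "credentials file is owner-only"
  rm -rf "$dir"
}
demo
```

Because the environment variables sit first in the chain, stale AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY values in the sensor's environment silently override the profile you intended, which is why the page tells you to restart the sensor after changing them; running this check in the sensor's own environment shows which source it will actually use.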