Bootstrap FreeKB - Certbot - Create wildcard public private key pair using Amazon Web Services (AWS) Route 53

This assumes you have installed Certbot.

You will need the certbot-dns-route53 plugin. Check out my article on Certbot Installing DNS Plugins.

You will need the Amazon Web Services (AWS) Access Key and Secret Key. Check out my article on Creating IAM Access Keys using the AWS CLI. Probably the most common way to provide the AWS Access Key and Secret Key is to Set Profile Config using the AWS CLI on the system that Certbot was installed on. This will create the ~/.aws/config and ~/.aws/credentials files. The ~/.aws/credentials file will contain the AWS Access Key and Secret Key, something like this.

[default]
aws_access_key_id = AKIAABDCL76GBNCJ1235
aws_secret_access_key = Fd0vB55rDXABCDB3wVUnkE1234vx+dgI1234HQqC


Or, you can set environment variables.

~]$ export AWS_ACCESS_KEY_ID=AKIAABDCL76GBNCJ1235
~]$ export AWS_SECRET_ACCESS_KEY=Fd0vB55rDXABCDB3wVUnkE1234vx+dgI1234HQqC


Or, you can set the path to your .aws/credentials file.

export AWS_CONFIG_FILE=/path/to/.aws/credentials


The user associated with the AWS Access Key and Secret Key will need to have certain Route 53 permissions, such as Route53FullAccess. Check out my articles on Listing IAM Policies using the AWS CLI and Attaching IAM Policies to a User using the AWS CLI.

~]$ aws iam list-attached-user-policies --user-name john.doe
{
    "AttachedPolicies": [
        {
            "PolicyName": "Route53FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/Route53FullAccess"
        }
    ]
}


Let's say your Route 53 domain name is example.com. Check out my article on Listing Route 53 Domains using the AWS CLI.

~]$ aws route53domains list-domains
{
    "Domains": [
        {
            "DomainName": "example.com",
            "AutoRenew": false,
            "TransferLock": false,
            "Expiry": "2024-03-15T20:48:06.797000-05:00"
        }
    ]
}


You should be able to use the certbot certonly command with --dns-route53 to request a new certificate, where --domains matches your Route 53 Domain Name.

AVOID TROUBLE

Do not use sudo, as this will cause Certbot to use /root/.aws/config and /root/.aws/credentials, or to ignore the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY that you exported as your local user.

~]# certbot certonly --dns-route53 --domains "example.com" --domains "*.example.com" --non-interactive --agree-tos -m john.doe@example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com and *.example.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2023-10-26.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
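The steps above (credentials visible to Certbot, no sudo, a Route 53 zone that actually covers the domain) are easy to get wrong and only fail mid-challenge. The following preflight script is an added example, not part of this article or of Certbot; it assumes the aws CLI and certbot with the route53 plugin are on PATH, checks each prerequisite up front, and finishes with a --dry-run of the same certonly command so a mistake never burns production rate limits.

```shell
# Preflight checks before requesting a wildcard certificate with certbot-dns-route53.
# Added example, not from the article; assumes the aws CLI and certbot with the
# route53 plugin are installed and on PATH.
set -eu
# Succeeds when AWS credentials are visible to certbot in this shell: exported
# keys, or a readable credentials/config file under the HOME certbot runs with.
have_aws_credentials() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    return 0
  fi
  [ -r "${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-/nonexistent}/.aws/credentials}" ] && return 0
  [ -r "${AWS_CONFIG_FILE:-${HOME:-/nonexistent}/.aws/config}" ] && return 0
  return 1
}
# The AVOID TROUBLE case: under sudo HOME becomes /root and exported keys are
# normally dropped, so certbot silently looks in the wrong place.
running_under_sudo() {
  [ -n "${SUDO_USER:-}" ]
}
# Print the hosted-zone names that could cover a domain, most specific first:
# app.example.com -> "app.example.com example.com".
zone_candidates() {
  name="$1"; out=""
  while [ "${name#*.}" != "$name" ]; do
    out="$out $name"
    name="${name#*.}"
  done
  printf '%s\n' "${out# }"
}
# Confirm a hosted zone exists for the domain, using only ListHostedZones
# (a call the route53 plugin itself needs); fail early instead of mid-challenge.
check_hosted_zone() {
  for zone in $(zone_candidates "$1"); do
    aws route53 list-hosted-zones --output text \
      --query "HostedZones[?Name=='${zone}.'].Id" | grep -q . && return 0
  done
  return 1
}
# Run every check, then a staging --dry-run of the article's certonly command.
# Usage: request_wildcard example.com john.doe@example.com
request_wildcard() {
  domain="$1"; email="$2"
  if running_under_sudo; then echo "do not run under sudo" >&2; return 1; fi
  have_aws_credentials || { echo "no AWS credentials visible to certbot" >&2; return 1; }
  check_hosted_zone "$domain" || { echo "no Route 53 zone for $domain" >&2; return 1; }
  certbot certonly --dns-route53 --domains "$domain" --domains "*.$domain" \
    --non-interactive --agree-tos -m "$email" --dry-run
}
```

Once the dry run succeeds, drop --dry-run from the last command to obtain the real certificate.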
