Certbot with DNS verification and AWS route53 plugin
#!/bin/bash
# run these first to install certbot globally with the route53 plugin
# $ sudo apt install python-setuptools
# $ sudo easy_install pip
# $ sudo -H pip install certbot-dns-route53
# verify the route53 plugin is present
# $ certbot plugins
# now create some credentials from AWS and copy here
# - https://github.com/certbot/certbot/tree/master/certbot-dns-route53
# - https://github.com/certbot/certbot/blob/master/certbot-dns-route53/examples/sample-aws-policy.json
export AWS_ACCESS_KEY_ID="accesskeyhere"
export AWS_SECRET_ACCESS_KEY="secretkeyhere"
certbot certonly -n --agree-tos --email you@example.com --dns-route53 -d whatever.example.com -d whatever2.example.co.uk
# if you have used root keys, delete script from server and keys from AWS now
@willpower232 willpower232 commented Jan 22, 2018

You probably have to run this script as root and don't forget to make a renew cronjob too

@willpower232 willpower232 commented Mar 14, 2018

If you are using this to create a wildcard certificate then you will need to append the following to the certbot command --server https://acme-v02.api.letsencrypt.org/directory

https://community.letsencrypt.org/t/certbot-the-currently-selected-acme-ca-endpoint-does-not-support-issuing-wildcard-certificates/55667

@willpower232 willpower232 commented Mar 14, 2018

Please note that the renew will expect the AWS credentials to be available so it would be best to create a ~/.aws/credentials file with the permissions as follows

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZones"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/HOSTEDZONEID"
            ]
        }
    ]
}
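Added here as a worked example, not code from the gist or its author: it renders the scoped Route 53 policy above for one or more hosted zone IDs, writes the credentials file the renew job needs with owner-only permissions, and emits the cron line for the renewal. The zone IDs, profile name and key values passed in are placeholders.

```shell
#!/bin/sh
# Added example, not part of the gist. Zone IDs, profile name and key
# values passed to these functions are placeholders you replace.

# render_policy ZONEID [ZONEID...] -> IAM policy JSON on stdout.
# ChangeResourceRecordSets is limited to the listed zones; GetChange and
# ListHostedZones have no resource-level scoping in Route 53, so "*" stays.
render_policy() {
    zones=""
    for z in "$@"; do
        zones="${zones}${zones:+, }\"arn:aws:route53:::hostedzone/${z}\""
    done
    cat <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["route53:GetChange", "route53:ListHostedZones"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["route53:ChangeResourceRecordSets"],
            "Resource": [${zones}]
        }
    ]
}
EOF
}

# write_credentials DIR PROFILE KEY_ID SECRET -> DIR/credentials (mode 600)
# so the renew cron job finds the keys without them living in a script.
write_credentials() {
    mkdir -p "$1" && chmod 700 "$1"
    ( umask 077
      printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
          "$2" "$3" "$4" > "$1/credentials" )
}

# renew_cron_line PROFILE -> /etc/cron.d line; certbot renew is idempotent
# and only renews certificates that are close to expiry.
renew_cron_line() {
    printf '0 3 * * * root AWS_PROFILE=%s certbot renew -q' "$1"
}
```

Attach the rendered policy to a dedicated IAM user for the renewal job rather than to the root account keys the gist warns about.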
@willpower232 willpower232 commented Nov 5, 2019

It's been a while, so after installing you can go for certbot certonly --dns-route53 -d *.example.com and follow the prompts if there are any; you don't need the mumbo jumbo to get the wildcard.

@willpower232 willpower232 commented Jan 9, 2021

Don't forget that webroot is still a valid way of doing things

certbot certonly --webroot --webroot-path /org/websites/user/example.com/www/public_html/ -d example.com -d www.example.com

and that the order of the certificates will be used for the directory so leave www. to the end 😉
