Certbot with DNS verification and AWS route53 plugin
#!/bin/bash
# run these first to install certbot globally with the route53 plugin
# $ sudo apt install python-setuptools
# $ sudo easy_install pip
# $ sudo -H pip install certbot-dns-route53
# verify the route53 plugin is present
# $ certbot plugins
# now create some credentials from AWS and copy here
# - https://github.com/certbot/certbot/tree/master/certbot-dns-route53
# - https://github.com/certbot/certbot/blob/master/certbot-dns-route53/examples/sample-aws-policy.json
export AWS_ACCESS_KEY_ID="accesskeyhere"
export AWS_SECRET_ACCESS_KEY="secretkeyhere"
certbot certonly -n --agree-tos --email you@example.com --dns-route53 -d whatever.example.com -d whatever2.example.co.uk
# if you have used root keys, delete script from server and keys from AWS now
@willpower232 (Owner Author) commented Jan 22, 2018

You probably have to run this script as root and don't forget to make a renew cronjob too

@willpower232 (Owner Author) commented Mar 14, 2018

If you are using this to create a wildcard certificate then you will need to append the following to the certbot command --server https://acme-v02.api.letsencrypt.org/directory

https://community.letsencrypt.org/t/certbot-the-currently-selected-acme-ca-endpoint-does-not-support-issuing-wildcard-certificates/55667

@willpower232 (Owner Author) commented Mar 14, 2018

Please note that the renew will expect the AWS credentials to be available so it would be best to create a ~/.aws/credentials file with the permissions as follows

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZones"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/HOSTEDZONEID"
            ]
        }
    ]
}
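An added check, not part of the gist, that lints a policy document like the one above for least privilege before it is handed to the renewal job: only the three actions the route53 plugin needs may be granted, and the record-write action must be pinned to named hosted zones rather than a wildcard. The two sample policies are constructed inline, with HOSTEDZONEID kept as a placeholder.

```python
"""Lint the Route 53 IAM policy used by certbot renewals for least privilege."""
import json

# Actions the certbot-dns-route53 plugin needs (the three in the policy above).
REQUIRED_ACTIONS = {
    "route53:GetChange",
    "route53:ListHostedZones",
    "route53:ChangeResourceRecordSets",
}
# The only action that must be scoped to specific hosted zones.
WRITE_ACTION = "route53:ChangeResourceRecordSets"
ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/"


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalise."""
    return value if isinstance(value, list) else [value]


def check_route53_policy(policy_json: str) -> list:
    """Return a list of findings; an empty list means the policy passes."""
    policy = json.loads(policy_json)
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        granted |= actions
        # Anything outside the plugin's needs (including "route53:*") is excess.
        for act in sorted(actions - REQUIRED_ACTIONS):
            findings.append(f"unneeded action granted: {act}")
        # Record writes must name hosted-zone ARNs, never "*" or ".../hostedzone/*".
        if WRITE_ACTION in actions:
            for res in _as_list(stmt.get("Resource", [])):
                if not res.startswith(ZONE_ARN_PREFIX) or res.endswith("/*"):
                    findings.append(f"{WRITE_ACTION} not scoped to a hosted zone: {res}")
    for act in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"required action missing: {act}")
    return findings


# Constructed sample: the scoped policy from this page (placeholder zone id).
SCOPED_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": ["route53:GetChange", "route53:ListHostedZones"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": ["arn:aws:route53:::hostedzone/HOSTEDZONEID"]},
]})
# Constructed sample: same actions, but record writes allowed on every zone.
WILDCARD_POLICY = SCOPED_POLICY.replace('["arn:aws:route53:::hostedzone/HOSTEDZONEID"]', '"*"')

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("wildcard", WILDCARD_POLICY)):
        print(name, check_route53_policy(doc) or "OK")
```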