#!/bin/bash
# run these first to install certbot globally with the route53 plugin
# $ sudo apt install python-setuptools
# $ sudo easy_install pip
# $ sudo -H pip install certbot-dns-route53
# verify the route53 plugin is present
# $ certbot plugins
# now create some credentials from AWS and copy here
# - https://github.com/certbot/certbot/tree/master/certbot-dns-route53
# - https://github.com/certbot/certbot/blob/master/certbot-dns-route53/examples/sample-aws-policy.json
export AWS_ACCESS_KEY_ID="accesskeyhere"
export AWS_SECRET_ACCESS_KEY="secretkeyhere"
certbot certonly -n --agree-tos --email you@example.com --dns-route53 -d whatever.example.com -d whatever2.example.co.uk
# if you have used root keys, delete script from server and keys from AWS now
If you are using this to create a wildcard certificate, you will need to append the following to the certbot command: --server https://acme-v02.api.letsencrypt.org/directory
Please note that renew will expect the AWS credentials to be available, so it would be best to create a ~/.aws/credentials
file, with the permissions as follows:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZones"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/HOSTEDZONEID"
            ]
        }
    ]
}
It's been a while, so after installing you can go for certbot certonly --dns-route53 -d *.example.com
and follow the prompts if there are any; you don't need the mumbo jumbo to get the wildcard.
Don't forget that webroot is still a valid way of doing things:
certbot certonly --webroot --webroot-path /org/websites/user/example.com/www/public_html/ -d example.com -d www.example.com
and that the order of the certificates will be used for the directory, so leave www. to the end.
Some commands for upgrades:
sudo pip install --upgrade pip
pip list
sudo -H pip install certbot certbot-dns-route53 --upgrade
Don't forget to use pip3, and if you're updating you should apparently also run pip3 install requests --upgrade.
You probably have to run this script as root, and don't forget to make a renew cronjob too.
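The renewal side, as an added example that is not part of the original gist or its comments: a pre-flight wrapper for an unattended certbot renew cron job that refuses to run while AWS keys are still exported in the environment (as in the issuance script above) or while the ~/.aws/credentials file is readable by other users. The credentials path, the deploy hook and the RUN_RENEW switch are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the gist): pre-flight checks for a cron job running
# `certbot renew` with the Route 53 plugin. Assumed default path below.
AWS_CRED_FILE="${AWS_CRED_FILE:-$HOME/.aws/credentials}"

# File mode as octal digits; GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if the credentials file exists and is readable only by its owner.
# certbot runs as root and reads it; no other local user should be able to.
check_credentials_file() {
  local f="$1" mode
  [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
  mode=$(file_mode "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f is mode $mode, expected 600 (chmod 600 $f)" >&2; return 1 ;;
  esac
}

# 0 if no long-lived AWS keys are exported in the environment: the cron job
# should rely on the credentials file, not on keys pasted into a script.
check_no_env_keys() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "AWS keys found in environment; move them to $AWS_CRED_FILE" >&2
    return 1
  fi
  return 0
}

# Prints the renew command: certbot reuses the --dns-route53 authenticator it
# recorded at issuance; the deploy hook (assumed) reloads the web server only
# when a certificate was actually renewed.
renew_command() {
  printf 'certbot renew -n --deploy-hook "%s"\n' "$1"
}

preflight() {
  check_no_env_keys && check_credentials_file "$AWS_CRED_FILE"
}

# Set RUN_RENEW=1 in the crontab entry to actually run; e.g. daily at 03:17:
# 17 3 * * * RUN_RENEW=1 /usr/local/bin/renew-check.sh
if [ "${RUN_RENEW:-0}" = "1" ]; then
  preflight && eval "$(renew_command 'systemctl reload nginx')"
fi
```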