Automate renewing SSL Certificate with AWS

Hi guys,

My domain is
The instance is: amazon linux
So every 3 months i need to renew my ssl certificate and i am doing it manually.
So in AWS I have hosted zones ->
The steps i am doing is ->
When i am in the instance logged i enter this command: sudo certbot --manual --preferred-challenges dns certonly. Then I manually enter all the domains that i need to be renewed like,, and etc. (* ). Then the output provide me TXT Records for every domain which i need to change txt record in the AWS. Then after i change all txt record in the AWS, i restart the httpd service on the instance.
!!! is example !!!

Best Regards,

AWS is Route53, right? Certbot has a DNS plugin for Route53, so you might be able to automate things. See Welcome to certbot-dns-route53’s documentation! — certbot-dns-route53 0 documentation for more information.

Note that when/if you've got the DNS plugin working, it should be enough to run sudo certbot renew to renew your certificate(s). This is usually done with a cronjob or systemd timer, which may or may not be already installed, depending on how you've installed Certbot to begin with.


Automating DNS-challenge based LetsEncrypt certificates with AWS Route 53 | by John Rix | Medium , do you think that this state will do the job ? Only to modify the cron job for long time and add a script for the httpd service to restart. Do you think 1 or 2 minutes are okay for the httpd service to restart after the cron job for the renewing?

I think you are overcomplicating the process.
A cron job that runs immediately after renewal attempts would reload/restart the httpd service way too often.
Certs last 90 days.
They only need to be renewed after 60 days [default].
The renewal process runs and first checks to see if any certs need to be renewed.
Most of the times, there is nothing to renew.


  • use a deploy-hook to reload/restart the httpd service [which is only triggered when a cert is actually renewed]
  • schedule the reload/restart without any regard to the cert state [like once a week (every week) during off hours]
    The cert should renew 30 days ahead of expiry - that should cover four reloads/restarts.

Thanks for the answer :slight_smile: So I entered the command sudo certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d -d and all went great and successfully :slight_smile: So what i understand from your message is that , every 60 days the certbot will automatically update the certificates without nothing additional to do after the command that I entered before ? No need anything else to do ? Only adding the deploy-hook or schedule reload

That command will only renew the cert ["certonly"].
So, at some point you must update whatever is using the old cert to use the updated cert.
Using a deploy-hook is ideal - but there plenty of ways to get [essentially] the same result.


Okay, thanks a lot :slight_smile: You helped me a lot with the other person. Have a nice day.


You too!
Cheers from Miami :beers:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.