CentOS7, certbot-dns-route53 doesn't work?

Ariza · March 21, 2018, 4:19pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:mambas.cn

I ran this command:certbot -a certbot-dns-route53 -i apache -d “*.mambas.cn” -d mambas.cn --server https://acme-v02.api.letsencrypt.org/directory

It produced this output:The requested certbot-dns-route53 plugin does not appear to be installed

My web server is (include version):Apache2.4.29

The operating system my web server runs on is (include version):Windows Server 2016 Datacenter(Version 1607; OS Build 14393.2125)

My hosting provider, if applicable, is:Amazon

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

I install CentOS7 in the VMware, and follow this step, I got an error “The requested certbot-dns-route53 plugin does not appear to be installed”, but it is indeed installed.

jmorahan · March 21, 2018, 4:37pm

I believe it’s internally named just dns-route53 (though I haven’t used it myself)

You can use certbot plugins to get a list of installed plugins and their names.

stevenzhu · March 21, 2018, 4:53pm

You’l need to install the plugin from this link:

Thank you

mnordhoff · March 21, 2018, 4:55pm

@stevenzhu That’s a different hook. The dns-route53 plugin is part of Certbot (but usually divided into a separate package).

Ariza · March 21, 2018, 4:57pm

Yeah, you are right!
Thanks!

And I got a new error.

I wrote the AWSAccessKeyId and AWSSecretKey in the ~/.aws/config
TIM20180322005426

than, I got this error
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mambas.cn
dns-01 challenge for mambas.cn
Cleaning up challenges
Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

jmorahan · March 21, 2018, 4:59pm

I think you may need to add [default] at the top of the file.

Also I think it should be formatted like aws_access_key_id rather than AWSAccessKeyId but I don’t know if that matters.

Ariza · March 21, 2018, 5:04pm

I’m tring.

And Is it case-sensitive?(aws_access_key_id、AWS_ACCESS_KEY_ID)

jmorahan · March 21, 2018, 5:06pm

I’ve always used lowercase which seems to work (with other things that read that file, as I said I haven’t used certbot-dns-route53 specifically).

Oh and aws_secret_access_key, not aws_secret_key.

Ariza · March 21, 2018, 5:11pm

I still failed T_T

stevenzhu · March 21, 2018, 5:14pm

Do you configure the right permission for API?

mnordhoff · March 21, 2018, 5:18pm

THAT SCREENSHOT CONTAINED YOUR SECRET KEY! (Edit: The first screenshot.)

Someone got me to edit your post to remove it, but people saw it, and it may be archived somewhere.

AWS makes it super easy to create a new key and revoke the old one. You should do that.

Ariza · March 21, 2018, 5:22pm

Thank you!

I will revoke the old one!

jmorahan · March 21, 2018, 5:29pm

Did you put the file in root’s home, or your normal user’s? I seem to remember that being a point of confusion. Whichever one you did maybe try the other?

stevenzhu · March 21, 2018, 5:31pm

The path of the file should be
~/.aws/credentials instead of ~/.aws/config

Thank you

@Ariza 文件位置放错了。

Ariza · March 21, 2018, 5:39pm

I put it in Ariza(Admin)'s home

I will try root's home

Ariza · March 21, 2018, 5:40pm

Thank you!

I will try.

Ariza · March 21, 2018, 6:13pm

I put config to root’s home, It works!

But it say:
[root@centos7 ~]# certbot -a dns-route53 -i apache -d “*.mambas.cn” -d mambas.cn --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Credentials found in config file: ~/.aws/config
Plugins selected: Authenticator dns-route53, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mambas.cn
dns-01 challenge for mambas.cn
Starting new HTTPS connection (1): route53.amazonaws.com
Cleaning up challenges
An error occurred (OptInRequired) when calling the ListHostedZones operation: The AWS Access Key Id needs a subscription for the service
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.

At first I gave it three permissions according to the tutorial
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Sid”: “VisualEditor0”,
“Effect”: “Allow”,
“Action”: [
“route53:GetChange”,
“route53:ListHostedZones”,
“route53:ChangeResourceRecordSets”
],
“Resource”: “*”
}
]
}

The second time I gave it full rights

Ariza · March 21, 2018, 6:44pm

It still shows errors even though I gave it admin rights

jmorahan · March 21, 2018, 7:12pm

I’m not familiar with that error, but it looks like an AWS issue rather than a Certbot or Let’s Encrypt issue.

Does this help?

Can you access Route 53 as that user in the AWS console?

Ariza · March 21, 2018, 7:26pm

How to use the aws_access_key_id access Route 53 as that user in the AWS console?