Certbot plugin for AWS Route53

I wrote an experimental Certbot plugin to integrate with AWS Route53 for DNS challenges. If you’d like to try it, check out the branch for this pull request and follow the development install instructions. Enjoy!

[Update 2017-11-16: This functionality, and support for a lot of other DNS service providers, is now built in to Certbot]


Not to rain obscure race conditions on area parades, but Route 53 isn’t a perfect platform for this, IMO. It’s awkward to simultaneously issue two certificates for the same name from two different clients with two different challenges.

The UPSERT code that plugin uses now, the second client would simply overwrite the first one’s TXT record, and one of them may fail.

The only “perfect” option i can think of is to loop CREATE calls, waiting in line until any other clients have finished and deleted their records. And you either have to hope some client didn’t crash out and leave a dangling record a month ago, or eventually overwrite it.

On the plus side, it’s great that you can use GetChange to wait until new changes have propagated to all of their nameservers. :grin: That’s a yucky pitfall with a lot of DNS providers.

Edit: API-wise, S3 and HTTP-01 give the smoothest experience, IMO, but yet another way to do HTTP-01 is less useful than a DNS-01 plugin, of course.

Edit: Or, possibly, one of the clients may fail with PriorRequestNotComplete. I don’t know when Route 53 actually returns that.

Yeah, I considered the race conditions, but decided that it’s uncommon enough for two clients to try exactly at once, and if it does happen, the failed client should retry again after a reasonable retry period. But you’re definitely right that if you deploy a bunch of identical frontends to all issue for the same name at once it could be rough.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.