Certbot Route53 without ListHostedZones?

I'm trying to set up certbot to get & renew certificates for a subdomain of my organization, whose domain is managed by Route53, in a partner's server which doesn't have HTTPS exposed to the public internet (our webapp is going to be accessed from within the partner's VPN only).

I'm planning to use Let's Encrypt's DNS-based authentication method to automate the certificate's renewal. Since the server is shared with our partners, I'm planning to use an AWS key that's policy-limited to only deal with this specific subdomain - in the event of the credentials getting leaked, I want them to only be useful for renewing this specific domain, and nothing else.

So example.com is managed in Route53, and I want a certificate for my-app.example.com - which would be stored & used in a server that doesn't accept incoming requests from the public Internet.

Currently, certbot's route53 plugin requires route53:ListHostedZones permission, which can't be restricted to a specific subdomain/hosted zone, only to identify the Hosted Zone ID.

Is there any particular reason not to support telling certbot the specific Hosted Zone ID via configuration in order to relax the route53:ListHostedZones requirement?

I may try to attempt a pull request to add that feature, but I want to first make sure that it's OK with the community/maintainers.

2 Likes

Hi @matiasgarciaisaia

I'm not familiar with the Route53 plugin.

But isn't it possible for you to use a CNAME?

_acme-challenge.my-app.example.com CNAME completely.different.subdomain

So you can separate the rights to that completely.different.subdomain.

Or switch to acme.sh, there are a lot of dns providers supported.

2 Likes

You may be better off discussing it on Github with the maintainers directly, but I don't see a problem with doing it that way. Your "only to identify the Hosted Zone ID" link is a 404 for me, but if it's only using it to look up the id, and you can give the id a different way, that makes sense to me.

Well, in this case you'd need to put that other subdomain on a different AWS account entirely that was willing to give the ListHostedZones permissions, so it's quite a workaround. You'd think a "ListOnlyHostedZonesIHaveAccessTo" would be an API permission you could grant, but it isn't. You can only grant access to list all zones, or none.

1 Like

Thanks for the replies.

I've just fixed the broken link - thanks for pointing that out, @petercooperjr.

I'll try to understand how the plugin could read some configuration (my ideal use case would probably involve setting an environment variable, but I'd rather use whatever configuration mechanisms certbot already has in place) and try sending the PR.

2 Likes

I have no insight into how the certbot Route53 plugin is implemented. But having implemented a similar plugin for my own client, it might not be as easy as you'd think to support a user-supplied-zone-id model. Specifically, you have to deal with cases where the cert being requested contains names from multiple zones that would have differing zone IDs.

2 Likes

(Just in case someone else comes by, I've created an issue in the certbot repo, and I've been told there's a major rewrite of the DNS challenge coming - so it's probably not worth merging a solution to this issue right now)

@rmbolger thanks for raising that concern. I actually hadn't thought about that use case. I can live without that, but it could also be that the user has to supply a list of Hosted Zone IDs, and make the plugin use those - if you want to authenticate a domain whose zone ID you didn't provide, certbot should fail and report the missing hosted zones.

1 Like
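Added example (not certbot's code, nor a real certbot option) sketching the model proposed in the thread: the user supplies a map of zone names to Hosted Zone IDs, the plugin resolves each name by longest-suffix match instead of calling route53:ListHostedZones, a certificate spanning several zones gets one change batch per zone (rmbolger's concern), and any name not covered by a supplied ID fails before any API call. The variable name, spec format, and zone IDs are constructed.

```python
import json
import os

# Hypothetical variable; certbot has no such setting.
ZONE_ENV = "CERTBOT_ROUTE53_ZONE_IDS"  # e.g. "example.com=Z0000EXAMPLE,other.net=Z1111EXAMPLE"


def parse_zone_ids(spec: str) -> dict:
    """Parse 'zone=ID,zone=ID' into {zone_name: hosted_zone_id}."""
    zones = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        name, _, zone_id = item.partition("=")
        if not name or not zone_id:
            raise ValueError(f"bad zone spec: {item!r}")
        zones[name.rstrip(".").lower()] = zone_id
    return zones


def zones_from_env() -> dict:
    """Read the user-supplied zone map instead of listing all hosted zones."""
    return parse_zone_ids(os.environ.get(ZONE_ENV, ""))


def find_zone(domain: str, zones: dict) -> str:
    """Longest matching suffix wins, mirroring what a ListHostedZones-based
    lookup would pick; unknown names raise instead of silently skipping."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return zones[candidate]
    raise LookupError(f"no supplied hosted zone covers {domain}")


def build_change_batches(domains, zones: dict, validation: dict) -> dict:
    """Group _acme-challenge TXT UPSERTs by Hosted Zone ID. Each value is a
    ChangeBatch suitable for route53.change_resource_record_sets(...)."""
    changes = {}
    for domain in domains:
        zone_id = find_zone(domain, zones)  # fails fast for uncovered names
        changes.setdefault(zone_id, []).append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": f"_acme-challenge.{domain.rstrip('.')}.",
                "Type": "TXT",
                "TTL": 10,
                # Route53 TXT values must be double-quoted; json.dumps does that.
                "ResourceRecords": [{"Value": json.dumps(validation[domain])}],
            },
        })
    return {zid: {"Comment": "ACME DNS-01 validation", "Changes": c}
            for zid, c in changes.items()}
```

Scoping the key's route53:ChangeResourceRecordSets permission to those zone IDs then bounds what a leaked credential can touch, which is the original goal.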