Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I would say it does, but it depends on what you mean by support. certbot probably won't help you set up your cherrypy for secured connections like how it did with a common webserver like Nginx or Apache if you only use cherrypy without a reverse proxy like Nginx or something else.
Based on my quick read through of the program, if you are hosting your cherrypy and ask it to listen to requests on port 80 and 443, then you'll need to either use DNS validation or to use a standalone authenticator and reload/restart your application every time the certificate updates (unless your software can dynamically pick up certificate and key changes).
If you are using a reverse proxy like Nginx or Apache, things are much easier as you can use webroot (by creating an exception on your webserver configuration that won't forward a specific path to your application), their respective certbot plugin (by temporarily editing your webserver configuration file) or DNS validation. You also don't need to worry about restarting the cherrypy application because you can terminate the secured connections at the reverse proxy if it's hosted on the same machine, which means every certificate update will just need to reload the webserver.
It's great that you mentioned you are using Route53.
If you are using Route53 as your DNS provider, just install the aws-route53 DNS plugin for certbot (and certbot itself) via snap.
Just follow the instructions on this page and configure your Route53 with an IAM identity, then you are able to issue a certificate with DNS based authentication automatically.
However, you must find a way to let your cherrypy know about (or pick up) certificate changes (aka when you renewed one). Else it will always serve the same certificate if you don't restart/reload.
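One way to detect a renewed certificate so the application can reload, as an added example that is not part of the original posts. The `CertWatcher` class, its `on_change` callback and the file names are assumptions for illustration; in a CherryPy process the callback could be `cherrypy.engine.restart`, with `check()` called on a timer.

```python
import hashlib
import tempfile
from pathlib import Path


class CertWatcher:
    """Calls on_change() when the certificate or key file content changes."""

    def __init__(self, cert_path, key_path, on_change):
        self.paths = (Path(cert_path), Path(key_path))
        self.on_change = on_change  # assumption: e.g. cherrypy.engine.restart
        self.loaded = self._fingerprint()

    def _fingerprint(self):
        # Hash contents rather than mtimes: certbot's live/ entries are
        # symlinks that are re-pointed on renewal.
        digest = hashlib.sha256()
        for path in self.paths:
            try:
                digest.update(path.read_bytes())
            except OSError:
                return None  # missing or unreadable, e.g. mid-renewal
            digest.update(b"\0")
        return digest.hexdigest()

    def check(self):
        """Return True if a change was seen and on_change() was called."""
        current = self._fingerprint()
        if current is None or current == self.loaded:
            return False  # keep serving the pair that is already loaded
        self.on_change()
        self.loaded = current
        return True


def demo():
    # Constructed stand-ins for fullchain.pem / privkey.pem (not real PEM).
    with tempfile.TemporaryDirectory() as d:
        cert, key = Path(d, "fullchain.pem"), Path(d, "privkey.pem")
        cert.write_text("constructed cert v1")
        key.write_text("constructed key v1")
        reloads = []
        watcher = CertWatcher(cert, key, lambda: reloads.append(1))
        results = [watcher.check()]       # unchanged: no reload
        cert.write_text("constructed cert v2")
        key.write_text("constructed key v2")
        results.append(watcher.check())   # renewed: reload once
        results.append(watcher.check())   # already picked up
        key.unlink()
        results.append(watcher.check())   # key missing: do not reload
        return results, len(reloads)
```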
Great! I want to further clarify this:
For the non-stop option (using --webroot) do I need to have a long-running parallel server listening to port 80? I only have one server and would rather have it listen to port 443.
If you use --webroot, you need a server that at least listens to port 80.
Try it. When it's time to renew, your cherrypy server will keep using the old certificate (even when it has expired). You must do something to your server and ask it to pick up the certificate either automatically or by restart.
@niujh I'm sensing that you don't fully grasp the theory behind how Let's Encrypt (and ACME in general) works. I would urge you to read the basic documentation about ACME and Let's Encrypt:
It seems you're using the standalone plugin of certbot. Which documentation did you read that made you use that specific authenticator plugin?
After you've read the above linked documentation (which is the bare minimum, there are many more interesting documents in the general "Documentation" section of the Let's Encrypt website), you should also read the certbot documentation about the available plugins: