Example of using certbot-auto with Route 53 DNS?


I’m looking for information on how to use certbot DNS validation with Amazon’s route53.

Obviously I need some kind of credentials to let the plug-in modify my DNS records, but I can’t find concrete documentation on how to do this.

Links, pointers, suggestions, would be greatly appreciated.



I don’t believe the Route 53 API is built into Certbot. It’s comparatively limited in available DNS API options compared to, say, Acme.sh. However, there appear to be third-party plugins available, from the looks of a quick Google search. I’d look into either those options, or using Acme.sh which integrates by default with a much wider variety of DNS provider APIs.

It is now! :smile: The problem is that certbot-auto and most distro packages don’t install it yet. :slightly_frowning_face:


So the route53 plug-in is listed as available in certbot ... but it's really not there?

That's annoying.

I guess I'll have to try and roll my own.

You can try using Lexicon with certbot-auto. I wrote a guide for it here.


Looks interesting ... I'll check it out.


Hi @fallingrock,

Just another option, if you are using certbot-auto you can install the dns-route53 plugin manually.

sudo su -
source /opt/eff.org/certbot/venv/bin/activate
pip install certbot-dns-route53
exit

The last exit command is to exit from the virtual environment.

Once done, you can use the certbot-auto plugins command to check whether it recognises the new plugin:

# certbot-auto plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* dns-route53
Description: Obtain certificates using a DNS TXT record (if you are using AWS
Route53 for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-route53 = certbot_dns_route53.dns_route53:Authenticator

* nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator

Edit: Check the post below from @_az; it seems certbot-auto removes the virtual environment on every upgrade, so you will need to install the plugin again after every upgrade… use lexicon instead.



In my testing, certbot-auto wipes out the venv when automatically upgrading itself.


I will admit I’m not entirely sure because I don’t have an old copy to test with, but triggering a version mismatch certainly seems to wipe out any extra plugins between runs.


@_az, I don’t use it myself, but checking that piece of code, you are right: it will remove the venv and of course the installed plugin, so installing it again on every certbot-auto upgrade could be a pain. Anyway, I would also prefer to use your lexicon suggestion; it is really easy to use.
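For anyone who stays with the manual install despite the venv being wiped on upgrade, the check-and-reinstall step can be scripted. This is an added example, not code from the thread or from certbot; the venv path and package name are the ones quoted above, while the function names and the `CERTBOT_VENV`, `PLUGIN_PKG` and `ENSURE_PLUGIN_RUN` variables are hypothetical.

```shell
#!/bin/sh
# Added example: re-install a certbot plugin into the certbot-auto venv
# when an upgrade has wiped it. Must run with the same privileges used
# for the original "pip install" (root in the post above).

# Assumptions: path and package name as quoted in the thread.
CERTBOT_VENV="${CERTBOT_VENV:-/opt/eff.org/certbot/venv}"
PLUGIN_PKG="${PLUGIN_PKG:-certbot-dns-route53}"

# plugin_installed VENV PKG
# Succeeds only if the venv's own pip reports the package as installed.
plugin_installed() {
    [ -x "$1/bin/pip" ] && "$1/bin/pip" show "$2" >/dev/null 2>&1
}

# ensure_plugin VENV PKG
# Prints one of: present | installed | failed | missing-venv
# Returns 0 when the plugin is usable, non-zero otherwise.
ensure_plugin() {
    venv=$1
    pkg=$2
    if [ ! -x "$venv/bin/pip" ]; then
        # The venv itself is gone (or not rebuilt yet): nothing to install into.
        echo "missing-venv"
        return 2
    fi
    if plugin_installed "$venv" "$pkg"; then
        echo "present"
        return 0
    fi
    # Call the venv's pip by full path so the package lands inside the
    # venv without sourcing "activate" in a non-interactive job.
    if "$venv/bin/pip" install "$pkg" >/dev/null 2>&1 \
        && plugin_installed "$venv" "$pkg"; then
        echo "installed"
        return 0
    fi
    echo "failed"
    return 1
}

# Only act when explicitly asked, so the file can also be sourced.
if [ "${ENSURE_PLUGIN_RUN:-0}" = "1" ]; then
    ensure_plugin "$CERTBOT_VENV" "$PLUGIN_PKG"
fi
```

Run it with `ENSURE_PLUGIN_RUN=1` before each renewal and treat any result other than `present` or `installed` as a reason to skip the renewal attempt and alert.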
