How to handle creds for dns plugins at renewal

I'm running certbot 1.19.0 snap on Ubuntu Focal. I issued my cert with the dns-route53 plugin and apache install. It set up a systemd timer to do auto renewals. My cert isn't old enough for a renewal yet, but I'm wondering how I can set an environment variable for my AWS_PROFILE in the systemd unit. There doesn't seem to be an option to certbot to add something in and when I manually edited the unit, certbot overwrote it the next time it ran.

How do people handle this besides making the AWS profile that has route53 permissions the default profile for the root user?

Hi @grimm26 welcome to the LE community forum :slight_smile:

I don't use the dns-route53 plugin, but I found this in the docs:
Welcome to certbot-dns-route53’s documentation! — certbot-dns-route53 0 documentation

Thanks, yeah I read that. Doesn't provide an answer to my query.

Why do you need to set the var in the systemd unit?
Which var are you trying to set?

I have the creds for my IAM user that has route53 perms set in an awscli profile - not the default profile. So, certbot needs an AWS_PROFILE environment variable to be set to the correct profile name.

It seems to use:

  • Using a credentials configuration file at the default location, ~/.aws/config.

Maybe you can place the setting in that file...?

OR

Maybe try using
--pre-hook [to set an environment var]
--post-hook [to unset it]

Does this help? How to set environment variable in systemd service? - Server Fault

2 Likes
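The approach discussed above (an environment variable set on the systemd service), written as a drop-in file so it survives the unit file being regenerated. This is an added example, not part of the original thread or of certbot itself; the unit name `snap.certbot.renew.service`, the drop-in file name `aws-profile.conf` and the profile name `certbot-route53` are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example: write a systemd drop-in that sets AWS_PROFILE for the
# certbot renewal service. systemd merges files under <unit>.d/ into the
# unit, and they are separate from the unit file that gets overwritten.

# Assumed unit name for the certbot snap's renewal job; confirm it on
# your host with: systemctl list-timers
UNIT="snap.certbot.renew.service"

# write_dropin ROOT PROFILE
#   ROOT    systemd config root (/etc/systemd/system on a real host)
#   PROFILE name of the awscli profile holding the Route 53 credentials
# Prints the path of the drop-in it wrote.
write_dropin() {
    root=$1 profile=$2
    # Accept only a conservative character set so the value cannot add
    # extra directives or lines to the unit (spaces, quotes, newlines).
    case $profile in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid profile name" >&2; return 1 ;;
    esac
    dir="$root/$UNIT.d"
    mkdir -p "$dir" || return 1
    # The drop-in carries only the profile *name*. The access keys stay in
    # root's AWS credentials file, which should be mode 0600.
    (umask 022
     printf '[Service]\nEnvironment=AWS_PROFILE=%s\n' "$profile" \
         > "$dir/aws-profile.conf") || return 1
    printf '%s\n' "$dir/aws-profile.conf"
}

# Real use, as root (profile name is a placeholder):
#   write_dropin /etc/systemd/system certbot-route53
#   systemctl daemon-reload
#   systemctl show -p Environment snap.certbot.renew.service
if [ "$#" -eq 2 ]; then
    write_dropin "$1" "$2"
fi
```

After `daemon-reload`, the `systemctl show` line should list `AWS_PROFILE=...`; `AWS_PROFILE=certbot-route53 certbot renew --dry-run` run as root checks that the profile itself has working Route 53 permissions.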

Yes, this should do it! I'm very familiar with AWS and its tools, just completely new to certbot and obviously not as familiar with systemd :slight_smile:

1 Like

I'm absolutely not familiar with systemd, OpenRC here! But my Google-fu seems to be up to par :grin:

2 Likes

It is definitely all about the google-fu :). Thanks for indulging me.

2 Likes
