Letsencrypt in docker container with route53 (aws) "InvalidClientTokenId"

Hello, I run a small web server in a Docker container. I can visit the website with the IP address and also with the domain (let's say sub.domain.com).
Now I want to use HTTPS with Let's Encrypt. I deployed a docker-compose file like this:

version: '2'
services:
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    ports:
      - 443:443
    volumes:
      - /opt/appdata/letsencrypt/config:/config
    restart:
      always
    environment:
      - PUID=1050
      - PGID=1050
      - EMAIL=mail@domain.com
      - URL=sub.domain.com
      - TZ=Europe/Berlin
      - VALIDATION=dns
      - DNSPLUGIN=route53

On a different server I already run Let's Encrypt successfully, but on this server it's not running in Docker but natively. I need the DNS challenge, as the service runs behind a firewall. The DNS challenge works perfectly with Route 53 in AWS with this command: sudo certbot -d sub.domain.com --manual --preferred-challenges dns certonly
After that I registered a TXT record in Route 53 and everything works. Now I want to do the same with Docker.
So I added

      - VALIDATION=dns
      - DNSPLUGIN=route53

in the docker-compose.yml file. But after running docker-compose up -d I get

...
Created donoteditthisfile.conf
No subdomains defined
E-mail address entered: mail@domain.com
dns validation via route53 plugin is selected
Generating new certificate
Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Credentials found in config file: /config/dns-conf/route53.ini
Plugins selected: Authenticator dns-route53, Installer None
Account registered.
Requesting a certificate for sub.domain.com
Performing the following challenges:
dns-01 challenge for sub.domain.com
Cleaning up challenges
An error occurred (InvalidClientTokenId) when calling the ListHostedZones operation: The security token included in the request is invalid.
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/route53.ini file.

So what's next?
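The "InvalidClientTokenId" at the ListHostedZones call above is AWS rejecting the access key itself, not a Route 53 permission problem, so the thing to check first is the credentials file the plugin is reading. The script below is an added example, not from this thread and not part of the linuxserver image; it assumes /config/dns-conf/route53.ini uses the AWS shared-credentials ini layout ([default] section with aws_access_key_id and aws_secret_access_key), checks for the usual causes of that error (leftover placeholder key, malformed key id, temporary ASIA key without aws_session_token, world-readable file) and can then ask STS whether AWS accepts the key. The IAM user behind that key only needs route53:ListHostedZones, route53:GetChange and route53:ChangeResourceRecordSets, as the certbot-dns-route53 documentation describes.

```shell
#!/bin/sh
# Added example (not from the thread or the linuxserver image): sanity-check the
# credentials file that certbot-dns-route53 reads before certbot ever calls AWS.
# Assumption: route53.ini uses the AWS shared-credentials layout, i.e.
#   [default]
#   aws_access_key_id = ...
#   aws_secret_access_key = ...
# "InvalidClientTokenId" from ListHostedZones means AWS rejected the key id
# itself (deleted/inactive key, leftover placeholder, or a temporary ASIA key
# whose aws_session_token is missing); it is not a Route 53 permission error.

# Print the value of an ini key (first match wins); "#" and ";" comment lines never match.
get_ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when the file looks like a usable long-term or session credential set,
# non-zero (with the reason on stdout) otherwise.
check_route53_creds() {
    f=$1
    [ -f "$f" ] || { echo "missing credentials file: $f"; return 1; }

    # The file holds a long-lived secret: it should be readable by the container user only.
    if [ "$(ls -ld "$f" | cut -c8)" != "-" ]; then
        echo "warning: $f is world-readable, consider chmod 600" >&2
    fi

    id=$(get_ini_value "$f" aws_access_key_id)
    secret=$(get_ini_value "$f" aws_secret_access_key)
    token=$(get_ini_value "$f" aws_session_token)

    [ -n "$id" ] && [ -n "$secret" ] || {
        echo "aws_access_key_id / aws_secret_access_key not set in $f"; return 2; }

    case "$id" in
        AKIAIOSFODNN7EXAMPLE)
            echo "access key is still the AWS documentation placeholder"; return 3 ;;
        AKIA????????????????)
            : ;;   # long-term IAM user key (20 chars): no session token needed
        ASIA????????????????)
            [ -n "$token" ] || { echo "temporary (ASIA) key without aws_session_token"; return 4; } ;;
        *)
            echo "unexpected access key id format: $id"; return 5 ;;
    esac

    [ "${#secret}" -eq 40 ] || { echo "secret key has ${#secret} chars, expected 40"; return 6; }
    echo "ok: $f is well-formed"
}

# Live check (needs the aws CLI and network): ask STS who these credentials are.
# A good answer here while certbot still fails points at the container not reading
# this file; a bad answer means the key itself is the problem.
verify_with_sts() {
    command -v aws >/dev/null 2>&1 || { echo "aws CLI not installed, skipping STS check"; return 0; }
    AWS_SHARED_CREDENTIALS_FILE=$1 AWS_PROFILE=default aws sts get-caller-identity
}

# Demo on two constructed files (sample values, not real keys).
demo_dir=$(mktemp -d)
printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n' > "$demo_dir/placeholder.ini"
printf '[default]\naws_access_key_id = AKIA0123456789ABCDEF\naws_secret_access_key = 0123456789abcdef0123456789abcdef01234567\n' > "$demo_dir/route53.ini"
chmod 600 "$demo_dir/route53.ini"
check_route53_creds "$demo_dir/placeholder.ini" || true   # reports the placeholder key
check_route53_creds "$demo_dir/route53.ini"               # ok
rm -rf "$demo_dir"
```

Run it against the real file with `check_route53_creds /opt/appdata/letsencrypt/config/dns-conf/route53.ini` and, if that passes, `verify_with_sts` on the same path: STS returning the IAM user's ARN while certbot still reports InvalidClientTokenId narrows the problem to the container, and STS failing with the same error narrows it to the key (rotated, deactivated, or copied with a stray character).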

Did you do this?

You talk of manually adding a TXT record, that's not how that plugin works. The plugin adds the record for you.

Only the manual plugin asks you to add a record.


So what I did: I ran certbot for Let's Encrypt on a second server (without Docker). There I ran sudo certbot -d sub.domain.com --manual --preferred-challenges dns certonly. After that I had to set the TXT record in AWS Route 53. This works perfectly.

Now I want to do the same with Docker.

This boto3 looks very weird. I guess I have to run those Python scripts in the AWS CLI?

If you want to do the same, replace DNSPLUGIN=route53 with DNSPLUGIN=manual

But I advise against doing so. Do you want to renew your certificates manually every couple of months? The route53 plugin can do that for you without human intervention.

version: '2'
services:
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    ports:
      - 443:443
    volumes:
      - /opt/appdata/letsencrypt/config:/config
    restart:
      always
    environment:
      - PUID=1050
      - PGID=1050
      - EMAIL=mail@domain.com
      - URL=sub.domain.com
      - TZ=Europe/Berlin
      - VALIDATION=dns
      - DNSPLUGIN=manual
...
Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details.

OK, let me see that Docker image documentation.

They say you should not use it and they replaced it with linuxserver/swag.

I think you should either use that or the image certbot/certbot (read its documentation).

But, if you don't need a wildcard, please use http-01 validation if possible.
