I have been using Let's Encrypt with certbot on Debian using the Apache plugin for some time and it has worked well.
I would now like to have a wildcard certificate for one domain, so I need to use DNS rather than the Apache plugin. The DNS for this domain is on AWS Route53. I have made this basically work; having configured the necessary AWS permissions I can:
Looking in /etc/letsencrypt, I still have files related to the previous certificates issued using the Apache auth; the new files related to the Route53 auth have been given names with a -0001 suffix. I'd like certbot to now forget about the previous Apache auth for this domain and only use the Route53 auth when it renews. What do I need to do to make this happen?
In the command that I pasted above, note that I set an environment variable AWS_PROFILE. This identifies a section in my ~/.aws/credentials file that defines the AWS keys to use. I don't think that certbot is going to know to set that environment variable when it renews (or to do anything else to get the correct credentials). What is the best way to configure this?
OK, so I think the crucial thing on that page is: "Consider using --cert-name instead of --expand, as it gives more control over which certificate is modified and it lets you remove domains as well as adding them." The issue seems to be that I've changed from example.com + www.example.com to example.com + *.example.com, and although the wildcard matches the previous www it still considers it a deletion. So what seems to work is:
Right, so I have now deleted the -0001 cert that was created before.
Does anyone have any thoughts about making renewals work with the requirement to specify the AWS credentials via environment variables? I guess I can set them in the cron job that invokes certbot renew, but in principle I might want to use different credentials for different certs. It seems to me that if the AWS_PROFILE were set from a dns-route53 plugin command line argument rather than via an environment variable, it would be remembered for renewals via the renewal configuration file; is that correct?
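One way to get a different AWS profile per certificate at renewal time, as an added example that is not part of the thread and not certbot's own code: a wrapper script that reads the `authenticator =` line certbot records in each `/etc/letsencrypt/renewal/<cert-name>.conf`, looks the certificate name up in a hypothetical mapping file (`/etc/letsencrypt/aws-profiles.map`, assumed here; one `<cert-name> <aws-profile>` pair per line), and runs `certbot renew --cert-name` for each dns-route53 certificate with `AWS_PROFILE` set accordingly. Certificates that use another authenticator are skipped so a plain `certbot renew` can still handle them.

```shell
#!/bin/sh
# Per-certificate AWS_PROFILE selection for "certbot renew".
# Added example; assumes certbot's standard renewal conf files under
# $RENEWAL_DIR and a hypothetical mapping file $PROFILE_MAP whose lines are
#   <cert-name> <aws-profile>
# Certificates not listed in the map fall back to the "default" profile.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"
PROFILE_MAP="${PROFILE_MAP:-/etc/letsencrypt/aws-profiles.map}"   # hypothetical path
CERTBOT="${CERTBOT:-certbot}"

# Print the authenticator plugin recorded in one renewal conf file
# (certbot writes "authenticator = dns-route53" under [renewalparams]).
renewal_authenticator() {
    sed -n 's/^authenticator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print the AWS profile mapped to a certificate name, or "default" if none.
profile_for_cert() {
    prof=""
    if [ -r "$PROFILE_MAP" ]; then
        prof=$(awk -v c="$1" '$1 == c { print $2; exit }' "$PROFILE_MAP")
    fi
    printf '%s\n' "${prof:-default}"
}

# Renew every dns-route53 certificate with its own AWS_PROFILE; any extra
# arguments (e.g. --dry-run) are passed through to certbot. Certificates
# using other authenticators (apache, webroot, ...) are left untouched.
renew_route53_certs() {
    for conf in "$RENEWAL_DIR"/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        [ "$(renewal_authenticator "$conf")" = "dns-route53" ] || continue
        AWS_PROFILE="$(profile_for_cert "$name")" "$CERTBOT" renew --cert-name "$name" "$@"
    done
}

# Usage from cron, for instance:  renew_route53_certs --quiet
```

Because each certificate gets its own profile, every profile can carry keys that are scoped to just the Route53 hosted zone that certificate needs, which is the least-privilege arrangement the environment-variable approach makes awkward when one `certbot renew` has to serve several domains.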
Do you actually require the use of those environment variables? The certbot-dns-route53 documentation mentions other ways of providing the credentials to certbot, including configuration file based.
The configuration file that certbot dns-route53 reads is the standard ~/.aws/config or credentials file, so it is not possible to provide a key specific to certbot there. The best you can do is to make the certbot key the default.
If certbot ran as a distinct unix user then it would have a distinct ~/.aws, but that still wouldn't help if you needed different AWS credentials for each domain.
Hm, sorry, didn't look into the details, I understand your predicament better now.
It seems certbot lets the Boto3 package handle all the configuration stuff. It could provide its own configuration parameter and present it to Boto3 through an "Object", looking at the Boto3 configuration documentation. But this feature isn't built into the certbot-dns-route53 package.