"The requested dns-route53 plugin does not appear to be installed."

Running the command

/usr/local/bin/certbot-auto renew --non-interactive --dns-route53 --post-hook "/sbin/service httpd restart" --dry-run

I get

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The requested dns-route53 plugin does not appear to be installed
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: The requested dns-route53 plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

In /usr/local/lib/python2.7/site-packages, I have certbot_route53 certbot_route53-0.2.0.dist-info

This was installed via pip. CentOS6, AWS EC2.

Any idea how to resolve? It was working fine before – I’m not sure what happened

/usr/local/bin/certbot-auto plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log


  • apache
    Description: Apache Web Server plugin
    Interfaces: IAuthenticator, IInstaller, IPlugin
    Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

  • nginx
    Description: Nginx Web Server plugin
    Interfaces: IAuthenticator, IInstaller, IPlugin
    Entry point: nginx = certbot_nginx.configurator:NginxConfigurator

  • standalone
    Description: Spin up a temporary webserver
    Interfaces: IAuthenticator, IPlugin
    Entry point: standalone = certbot.plugins.standalone:Authenticator

  • webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator


If you install certbot-auto by downloading it directly from certbot.eff.org, few plug-ins are included due to dependencies.

Thanks. I’m not sure if you mean “few” as in it’s not included or “a few” as in it is included. Regardless, I couldn’t figure it out from that URL where to find Route 53’s plugin.

It's not included.

I'm not sure what that is, but it isn't the official certbot-dns-route53 plugin.

How do I get the official one and how do I install it?

On CentOS 6? I don’t know.

If you upgrade to CentOS 7, it’s in EPEL.

1 Like

Here’s how I got it before:

$ cd /opt/eff.org/certbot/venv 
$ source bin/activate 
$ sudo pip install certbot-route53 
$ deactivate

Is there some more official way to get it? Or is there a way to get certbot-auto to recognize it as a plugin?

That's some old, third-party software.

You can try installing the official plugin, certbot-dns-route53, but that is not the recommended or officially supported way to install it.

It may work, though it will get deleted whenever Certbot is upgraded.

https://certbot.eff.org/docs/install.html

The recommended ways would be to use an OS where it's available -- like CentOS 7 -- or to use Docker (if it's possible to install on CentOS 6).

One problem is that certbot-auto is going to erase plugins that you install with pip this way.

As you can see at https://certbot.eff.org/ if you select your operating system version, on your OS we recommend using a Certbot Docker image if you need DNS plugins.

https://certbot.eff.org/docs/install.html#running-with-docker

If this isn't a good option for you, you might want to upgrade to CentOS 7, as indicated by @mnordhoff, or try acme.sh:

1 Like

OK, so I’ve upgraded to Amazon Linux 2 (which is like CentOS 7) and I’ve installed

sudo yum install certbot
sudo yum install python2-certbot-dns-route53

They both install, which is good.

 /bin//certbot renew --dry-run --non-interactive --dns-route53 --post-hook "service httpd restart"
An unexpected error occurred:
ContextualVersionConflict: (botocore 1.12.92 (/usr/lib/python2.7/site-packages), Requirement.parse('botocore<1.6.0,>=1.5.0'), set(['boto3']))
Please see the logfile '/tmp/tmpvTCx9K' for more details.

If I open up the /tmp/ log file it says

2019-08-08 20:54:13,258:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin//certbot", line 9, in <module>
    load_entry_point('certbot==0.36.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1351, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 208, in find_all
    plugin_ep = PluginEntryPoint(entry_point)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 50, in __init__
    self.plugin_cls = entry_point.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2407, in load
    self.require(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2430, in require
    items = working_set.resolve(reqs, env, installer, extras=self.extras)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 875, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
ContextualVersionConflict: (botocore 1.12.92 (/usr/lib/python2.7/site-packages), Requirement.parse('botocore<1.6.0,>=1.5.0'), set(['boto3']))
2019-08-08 20:54:13,258:ERROR:certbot.log:An unexpected error occurred:

After some Googling around, I came across some advice to do this:

sudo pip uninstall botocore boto3 && sudo pip install boto3

Is this the appropriate next course of action? I don’t want to do it blindly because I don’t understand what it does or what it means.

@bmw, would you agree that this is a packaging bug in CentOS 7 on AWS? (supposing @corey2 didn’t manually install anything via pip on this system?)

Just jumping in to confirm that I didn’t install anything manually via pip. Everything was installed via yum.

Amazon Linux unfortunately is not officially supported by Certbot. (GitHub issues tracking this are https://github.com/certbot/certbot/issues/6505 and https://github.com/certbot/certbot/issues/6506). If you’re still willing to change your OS to use Certbot, I recommend sticking with CentOS and using CentOS 7. Our packages there are well tested and we have hundreds of thousands of users on the platform.

To share information about the problem here though, what’s going on is the botocore and boto3 packages in Amazon Linux differ from the packages in RHEL/CentOS. Despite the code for both of these packages being written by Amazon and the packages being hosted in Amazon’s repositories, the boto3 package’s dependency on botocore is technically unsatisfied by the version of botocore that Amazon Linux 2 offers. You can see this by running yum install python2-pip and running pip check which outputs:

boto3 1.4.4 has requirement botocore<1.6.0,>=1.5.0, but you have botocore 1.12.92.

Apparently this works well enough for Amazon, but Certbot’s plugin system verifies that all of its dependencies are satisfied before loading the plugin which in this case they are not because of the incompatible versions of botocore and boto3 offered by Amazon Linux 2.

4 Likes
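The dependency check described in the post above, as an added example that is not part of the original thread and is not Certbot's or pkg_resources' own code. It is a simplified model of the resolve step seen in the traceback; the package table is constructed from the `pip check` output, with the plugin's version a placeholder and its bare `boto3` requirement an assumption.

```python
import operator
import re

# Constructed model of the Amazon Linux 2 packages discussed in the thread:
# name -> (installed version, requirements). boto3/botocore figures come from
# the pip check output; the plugin version is a placeholder and its bare
# "boto3" requirement is an assumption made for this example.
INSTALLED = {
    "certbot-dns-route53": ("0.0.0", ["boto3"]),
    "boto3": ("1.4.4", ["botocore<1.6.0,>=1.5.0"]),
    "botocore": ("1.12.92", []),
}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def parse_version(text):
    # Simplification: plain dotted numeric versions only.
    return tuple(int(part) for part in text.split("."))

def parse_requirement(req):
    """Split 'botocore<1.6.0,>=1.5.0' into ('botocore', [(op, version), ...])."""
    name, rest = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)$", req).groups()
    clauses = []
    for clause in filter(None, (c.strip() for c in rest.split(","))):
        op, ver = re.match(r"(<=|>=|==|!=|<|>)\s*([\d.]+)$", clause).groups()
        clauses.append((op, parse_version(ver)))
    return name.lower(), clauses

def find_conflicts(root, installed):
    """Walk root's dependency tree and return every unmet requirement as
    (package, installed_version, requirement, required_by)."""
    conflicts, seen, queue = [], set(), [root]
    while queue:
        parent = queue.pop()
        if parent in seen:
            continue
        seen.add(parent)
        for req in installed[parent][1]:
            name, clauses = parse_requirement(req)
            have = installed.get(name, (None, []))[0]
            if have is None or not all(
                    OPS[op](parse_version(have), want) for op, want in clauses):
                conflicts.append((name, have, req, parent))
            else:
                queue.append(name)
    return conflicts

if __name__ == "__main__":
    for pkg, have, req, parent in find_conflicts("certbot-dns-route53", INSTALLED):
        print("refusing to load plugin: %s %s does not satisfy %r (required by %s)"
              % (pkg, have, req, parent))
```

The conflict sits one level below the plugin, in boto3's own requirement on botocore, which is why the error names `boto3` as the dependent even though the command only asked for `--dns-route53`.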

I’ve opened a paid support ticket with AWS and they’ve escalated this on their end. Let’s see what they come back with – I’ll post an update here once I know more.

@bmw, is there a workaround I can use on AWS if they don’t come through?

1 Like

I heard back from Amazon, this is what they said... It's over my head, and I've been having other issues with Amazon Linux 2, so I've upgraded to CentOS 7.

Leaving this here for anyone who might be in the same boat:

Hello Corey,

Thank you for getting back to me. I'm sorry to hear that you have been experiencing issues with Amazon Linux 2.

As I mentioned previously, we do not provide support on LetsEncrypt and in fact the Amazon Linux repositories do not have the certbot packages at all, see below from a fresh Amazon Linux 2 install:
$ sudo yum install certbot
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 2.4 kB 00:00:00
amzn2extra-docker | 1.3 kB 00:00:00
No package certbot available.

Same goes for python2-certbot-apache and python2-certbot-dns-route53. These packages are all from the EPEL[1] repo - and as per the Certbot documentation[2], you first need to enable EPEL before being able to install certbot:
2. Enable EPEL repo
You'll need to enable the EPEL (Extra Packages for Enterprise Linux) repository.

As we do not provide support for LetsEncrypt/Certbot, these packages are not in our repository. It may be that the Route 53 plugin is designed to work only on the supported operating systems, such as CentOS 6 / CentOS 7, however, I can try to reach out internally to find out which team manages that specific plugin if you would like that. Also, as mentioned on the community page by "Bmw", botocore and boto3 from Amazon Linux differ from packages in Red Hat Linux and CentOS - this is likely why we don't officially provide support for Certbot - but this is also something we can ask the internal services team if needed.

Apologies for my workaround not being a solution for you - I do see that the folks at LetsEncrypt advised against using pip. Reading further into your post, I do see that you have found a workaround (sudo pip uninstall botocore boto3 && sudo pip install boto3):
Below are the new steps I followed:
$ sudo amazon-linux-extras install epel
$ sudo yum install certbot
$ sudo yum install python2-certbot-dns-route53 python2-certbot-apache
$ sudo yum install python-pip
$ sudo pip uninstall botocore boto3 && sudo pip install boto3
I was then able to install my certificate with
$ sudo certbot --apache
As well as run the command you were trying to run earlier:
$ sudo certbot renew --non-interactive --dns-route53 --post-hook "/sbin/service httpd restart" --dry-run # I then got an error related to configuring my aws cli:
Attempting to renew cert ($mydomain.com) from /etc/letsencrypt/renewal/$mydomain.com.conf produced an unexpected error: Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at Configuration - Boto3 1.33.2 documentation and add the necessary permissions for Route53 access.. Skipping.

I had to configure my AWS CLI with my IAM user credentials before this with aws configure and the command worked.

Please feel free to let me know if you have any further queries or concerns. I am happy to assist.

Have a nice day further!

1 Like

@corey2, thanks for bringing that up with the Amazon Linux team and sharing their response. For what it’s worth, I disagree with the recommendation given there of running sudo pip .... This blogpost briefly describes some of the reasons why.

If anyone else hits this issue, I recommend running Certbot in Docker. An image containing the route53 plugin is available at https://hub.docker.com/r/certbot/dns-route53 and instructions for that plugin can be found at https://certbot-dns-route53.readthedocs.io/en/stable/.

2 Likes

@corey2, it would also be interesting if you could ask the AWS support people…

  • is there a different Let’s Encrypt client (other than Certbot) that they would currently suggest using with Amazon Linux? (since Certbot isn’t the only choice, maybe they have something different to recommend)
  • is there anyone from Amazon who might be interested in working with the Certbot developers in order to get Certbot officially supported on Amazon Linux? (we have been interested in doing that in the past, but have previously not found good contacts inside Amazon in order to make progress on this)
2 Likes

@bmw, thanks. I’ll look over the Docker notes and see if I’m feeling brave enough to go down that road. Using the “broken” EPEL makes me nervous, mostly because I don’t have the background to know what else will “--skip-broken” on upgrade if I do that and what its implications are. I’m not a sysadmin, just a developer, and not a Python dev so all this stuff is Greek to me. (for anyone reading this from external, I’m referring to the issues in EPEL on CentOS 7 described here: Dependencies broken in EPEL, certbot-dns-route53, CentOS 7)

@schoen, I’ve copy and pasted your questions to AWS into the support ticket. In case someone from Amazon happens upon this thread in the future, it’s Case ID 6336573661. I’ll let you know what I hear back.

The Docker image looks cool, but automating getting the certificates out of the container and onto my host platform looks like it’s going to be trouble to maintain. For $40, I can buy a wildcard SSL for a year. Hopefully EPEL on CentOS 7 gets fixed in that time and I can come back to Let’s Encrypt.

I want to sincerely thank you for all of the great support! I am immensely impressed with everything you guys are doing, and I look forward to directing the funds that I used to spend on SSL certificates to the EFF when the bugs are ironed out. Thanks again.

Here's the response from Amazon.

Hello there,

This is Mawande from AWS Support, thank you for writing back to us on this case.

I will be addressing your questions below:

  1. is there a different Let’s Encrypt client (other than Certbot) that they would currently suggest using with Amazon Linux? (since Certbot isn’t the only choice, maybe they have something different to recommend)

Unfortunately, we cannot give any recommendations on third-party software or utilities to customers. You will have to choose and evaluate the one that is convenient for you.

Customers that deploy an Amazon EC2 instance are responsible for management of any application software or utilities installed by the customer on the instances. You can check the AWS Marketplace for an AMI which will be convenient for your requirements.

  2. is there anyone from Amazon who might be interested in working with the Certbot developers in order to get Certbot officially supported on Amazon Linux? (we have been interested in doing that in the past, but have previously not found good contacts inside Amazon in order to make progress on this)

As AWS support, we are not in a position to address this request. However, I have forwarded the request to our internal service team and will keep you posted when there is some feedback available.

On a side note, I would appreciate any additional information you would like me to share with service team such as the use case, any specific versions required, etc.

I am looking forward to your response.

Best regards,

Mawande M.
Amazon Web Services