Introduction

AWS Certificate Manager (ACM) provides free TLS certificates for use directly by AWS services (e.g., CloudFront, Application Load Balancer). However, it cannot be used when you need to obtain key and certificate files for use directly on an EC2 instance (e.g., in nginx or apache). Using certbot with Route 53 is an alternative to ACM that can be automated and gives access to the certificate and key files, when the DNS for your server hostname/domain is managed by Route 53.

Prerequisites

  • The domain for which you need certificates is configured as a Route 53 hosted zone in your AWS account.

How To

  1. Install certbot and the certbot Route 53 DNS plugin.
    • E.g. for Ubuntu 22.04 using apt
      apt-get install certbot python3-certbot-dns-route53
  2. Configure AWS credentials that have permissions required by the Route 53 plugin.
    • Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, or set up a profile in your ~/.aws/config credentials configuration file.
  3. Create a certificate using the certbot CLI. In the example below, the AWS profile with Route 53 privileges is named dns:
    $ AWS_PROFILE=dns certbot certonly \
        --non-interactive \
        --dns-route53 \
        --agree-tos \
        --email abc123@cornell.edu \
        --domain myserver.example.cucloud.net \
        --cert-name mycert53 \
        --verbose
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator dns-route53, Installer None
    Requesting a certificate for myserver.example.cucloud.net
    Performing the following challenges:
    dns-01 challenge for myserver.example.cucloud.net
    Waiting for verification...
    Cleaning up challenges
    
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/mycert53/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/mycert53/privkey.pem
    This certificate expires on 2024-09-01.
    These files will be updated when the certificate renews.
    Certbot has set up a scheduled task to automatically renew this certificate in the background.
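    Step 2 only says the credentials need "the permissions required by the Route 53 plugin". The key ends up on the web server, so it is worth scoping it to the minimum. The following script is an added example, not part of the original page: it generates an IAM policy document limited to the actions the certbot-dns-route53 plugin documents (ListHostedZones and GetChange for discovery, ChangeResourceRecordSets for the challenge record), with the write permission restricted to one hosted zone and, via a Route 53 condition key, to TXT records. The zone ID Z0123456789EXAMPLE is a placeholder, and support for the route53:ChangeResourceRecordSetsRecordTypes condition key is an assumption; drop the Condition block if Route 53 rejects it.

```shell
#!/bin/sh
# Added example (not from the original page): emit a least-privilege IAM policy
# for the credentials behind the "dns" profile used on this page.
# Assumptions: you know the hosted zone ID for your domain (for example from
#   aws route53 list-hosted-zones-by-name --dns-name example.cucloud.net)
# and that the route53:ChangeResourceRecordSetsRecordTypes condition key is
# honoured in your AWS partition.
set -eu

# route53_certbot_policy ZONE_ID -> prints the policy document as JSON
route53_certbot_policy() {
    zone_id="$1"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DiscoverZonesAndPollChanges",
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": "*"
    },
    {
      "Sid": "WriteOnlyTxtRecordsInTheCertbotZone",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/${zone_id}",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        }
      }
    }
  ]
}
EOF
}

# write_policy_file ZONE_ID OUT_FILE -> writes the document and prints OUT_FILE
write_policy_file() {
    route53_certbot_policy "$1" > "$2"
    echo "$2"
}

# Usage on a real account (placeholder zone ID; these aws calls are not run here):
#   write_policy_file Z0123456789EXAMPLE /tmp/certbot-route53-policy.json
#   aws iam create-policy --policy-name certbot-route53 \
#       --policy-document file:///tmp/certbot-route53-policy.json
# Then attach the policy to the IAM user or role whose keys the "dns" profile uses.
```

The first statement has to stay on "*" because certbot must list zones to find the right one, but listing is read-only; the damage a leaked key can do is bounded by the second statement, which allows writing only the _acme-challenge TXT records in that single zone.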

Notes

  • The record that certbot creates in Route 53 seems to be automatically deleted once the certificate is validated.
  • Certbot certificates validated with Route 53 have a 3-month lifespan.
  • Certbot can optionally configure and install certificates automatically for several types of web server. The example here uses certbot only to create and renew certificates; see the certbot documentation for web server integration options.

Renewal

You will need to ensure that the scheduled task that certbot creates on your system can run successfully, so that the certificate is renewed automatically, or you will need to trigger renewal some other way before your certificate expires.

You can test whether renewal would work using the following:

$ AWS_PROFILE=dns certbot renew --dns-route53 --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mycert53.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for myserver.example.cucloud.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/mycert53/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
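A dry run proves that renewal works today; it does not tell you weeks later that the scheduled task stopped running (expired AWS keys, a removed cron entry, a broken plugin upgrade). The script below is an added example, not part of the original page: it reads the notAfter date of the live certificate with openssl and exits non-zero when fewer than a threshold number of days remain, so a cron job or monitoring agent can raise an alert while there is still time to fix renewal. It assumes GNU date (for date -d) and openssl are installed, and uses the /etc/letsencrypt/live/mycert53/ path from this page; the 30-day default matches the point at which certbot starts attempting renewal.

```shell
#!/bin/sh
# Added example (not from the original page): certificate renewal health check.
# Assumptions: GNU date and openssl are available; CERT_PATH follows the
# --cert-name used on this page (mycert53). Exit status 1 means renewal is
# overdue and should be investigated in /var/log/letsencrypt/letsencrypt.log.
set -eu

CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/mycert53/fullchain.pem}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"   # certbot itself renews below 30 days

# days_until NOTAFTER NOW_EPOCH
#   NOTAFTER is the value part of openssl's "notAfter=..." line,
#   e.g. "Sep  1 00:00:00 2024 GMT". NOW_EPOCH is passed in rather than read
#   from the clock so the arithmetic is deterministic and testable.
#   Prints whole days remaining; negative once the certificate has expired.
days_until() {
    local not_after="$1" now_epoch="$2" exp_epoch
    exp_epoch=$(date -u -d "$not_after" +%s)
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# cert_not_after CERT_FILE -> prints the notAfter value of the leaf certificate
# (the first certificate in fullchain.pem is the server certificate).
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# check_cert CERT_FILE THRESHOLD_DAYS [NOW_EPOCH]
#   Returns 0 when at least THRESHOLD_DAYS remain, 1 otherwise.
check_cert() {
    local cert="$1" threshold="$2" now="${3:-$(date -u +%s)}" left
    left=$(days_until "$(cert_not_after "$cert")" "$now")
    if [ "$left" -lt "$threshold" ]; then
        echo "WARNING: $cert expires in $left days (threshold $threshold); check 'certbot renew' and its log" >&2
        return 1
    fi
    echo "OK: $cert expires in $left days"
}

# On a real host the certificate exists and the exit status feeds cron or a
# monitoring agent; when the file is absent (e.g. running this elsewhere) the
# check is skipped rather than reported as a failure of the certificate itself.
if [ -r "$CERT_PATH" ]; then
    check_cert "$CERT_PATH" "$THRESHOLD_DAYS"
else
    echo "note: $CERT_PATH not found; nothing checked" >&2
fi
```

Run it from a daily cron entry (or a systemd timer) as a user that can read the live/ directory, and route the non-zero exit to whatever alerting you already have; because the check reads the file certbot actually writes, it also catches the case where renewal succeeded but the web server was never reloaded only if you pair it with a deploy hook that reloads nginx or apache, which certbot supports via --deploy-hook.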