

  1. Install certbot and the certbot Route 53 DNS plugin. 
    • E.g. for Ubuntu 22.04 using apt
      apt-get install certbot python3-certbot-dns-route53
  2. Configure AWS credentials that have permissions required by the Route 53 plugin.
    • Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, or set up a profile in your ~/.aws/config credentials configuration file.
  3. Create a certificate using the certbot CLI. In the example below, the AWS profile with Route 53 privileges is the dns profile:
    $ AWS_PROFILE=dns certbot certonly \
        --non-interactive \
        --dns-route53 \
        --agree-tos \
        --email \
        --domain \
        --cert-name mycert53 \
        --verbose
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator dns-route53, Installer None
    Requesting a certificate for
    Performing the following challenges:
    dns-01 challenge for
    Waiting for verification...
    Cleaning up challenges
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/mycert53/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/mycert53/privkey.pem
    This certificate expires on 2024-09-01.
    These files will be updated when the certificate renews.
    Certbot has set up a scheduled task to automatically renew this certificate in the background.


  • The record that certbot creates in Route 53 seems to be automatically deleted once the certificate is validated.
  • Certbot certificates validated with Route 53 have a 3-month lifespan.
  • Certbot can optionally configure and install certificates automatically for several types of web servers. The example here uses certbot only to create and renew certificates; see the certbot documentation for web server integration options.
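
The credentials configured in step 2 only need a narrow set of Route 53 permissions. The script below is an added example (not from the original page or the certbot project) that audits an IAM policy document against the three Route 53 actions listed in the plugin's documentation. The sample policies, the ZONEID_PLACEHOLDER value and the TXT-only condition are assumptions for illustration.

```python
# Added example: least-privilege audit of an IAM policy for certbot's Route 53 plugin.
from fnmatch import fnmatchcase

CHANGE = "route53:ChangeResourceRecordSets"
REQUIRED = ["route53:ListHostedZones", "route53:GetChange", CHANGE]
TYPES_KEY = "route53:ChangeResourceRecordSetsRecordTypes"  # IAM condition key

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers(actions, name):
    # IAM action names are case-insensitive and may contain * wildcards.
    return any(fnmatchcase(name.lower(), a.lower()) for a in actions)

def audit(policy):
    """Return sorted least-privilege findings for an IAM policy document (dict)."""
    findings, granted = set(), []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st["Action"])
        granted += actions
        if any("*" in a for a in actions):
            findings.add("wildcard action")
        if covers(actions, CHANGE):
            if any(r.endswith("*") for r in as_list(st["Resource"])):
                findings.add("record changes allowed in every hosted zone")
            cond = st.get("Condition", {}).get("ForAllValues:StringEquals", {})
            if as_list(cond.get(TYPES_KEY, [])) != ["TXT"]:
                findings.add("record changes not limited to TXT records")
    findings.update("missing " + r for r in REQUIRED if not covers(granted, r))
    return sorted(findings)

# Constructed sample policies; ZONEID_PLACEHOLDER stands for your hosted zone ID.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["route53:ListHostedZones", "route53:GetChange"]},
    {"Effect": "Allow", "Action": CHANGE,
     "Resource": "arn:aws:route53:::hostedzone/ZONEID_PLACEHOLDER",
     "Condition": {"ForAllValues:StringEquals": {TYPES_KEY: ["TXT"]}}}]}

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit(policy) or "ok")
```

The SCOPED policy limits record changes to one hosted zone and to TXT records, which is all a dns-01 challenge writes.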