Automating Certbot Renewals with AWS Route53 Plugin (without opening ports)

Quick and dirty install and configuration of Certbot and authenticating with AWS Route53 for DNS authorization

Goals:

  • Automatic Certbot renewals without opening ports
  • DNS validation using Route53

1. Install components

Heads up...

Requires EPEL

dnf install certbot python3-certbot-dns-route53

First Run Only:

This is temporary

These environment variables will clear at logout, but are needed in this workflow for initial cert generation.

export AWS_ACCESS_KEY_ID="<key id>"
export AWS_SECRET_ACCESS_KEY="<example key>"

2. Generate initial cert:

sudo certbot certonly --dns-route53 -d <fqdn>

3. Edit Systemd Unit to use creds

  1. Edit the systemd unit file:
    systemctl edit certbot.renew.service --full --force

Info

  • --force: with edit, create the unit file if it does not already exist
  • --full: edit the full unit file instead of creating a drop-in override snippet

  2. Append (insert values between quotes):
    [Service]
    Environment="AWS_ACCESS_KEY_ID=<id>"
    Environment="AWS_SECRET_ACCESS_KEY=<key>"
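One caveat worth knowing before pasting a long-lived key into the unit: an inline Environment= line is part of the unit definition, so any local user who can run systemctl show or systemctl cat on the service can read the secret. A less exposed variant is to put the two variables in a root-owned, mode 0600 file and load it with EnvironmentFile= from a drop-in. The script below is an added example, not from the original post; the file paths and the key values it writes are assumptions chosen for the demonstration, and it writes into a temporary directory so it can be run as-is.

```shell
#!/bin/sh
# Added example (not from the original post): keep the Route53 credentials in a
# root-only EnvironmentFile and reference it from a systemd drop-in, instead of
# placing the secret inline in the unit with Environment=. An inline line is
# readable via `systemctl show`/`systemctl cat`; a 0600 root-owned file is not.
# All paths and key values below are assumptions made for this example.

# write_creds_file FILE KEY_ID SECRET
# Creates FILE holding both variables in KEY=VALUE form, readable only by its
# owner. umask runs in a subshell so the caller's umask is left untouched; the
# explicit chmod also covers the case where FILE already existed with a
# broader mode (a redirect does not change the mode of an existing file).
write_creds_file() {
    ( umask 077; printf 'AWS_ACCESS_KEY_ID=%s\nAWS_SECRET_ACCESS_KEY=%s\n' "$2" "$3" > "$1" )
    chmod 0600 "$1"
}

# write_dropin DROPIN_FILE CREDS_FILE
# Writes a drop-in that loads CREDS_FILE into the service environment. For the
# real unit this would live under the unit's .d directory (assumed path), e.g.
# /etc/systemd/system/certbot.renew.service.d/route53.conf, followed by
# `systemctl daemon-reload`.
write_dropin() {
    mkdir -p "$(dirname "$1")"
    printf '[Service]\nEnvironmentFile=%s\n' "$2" > "$1"
}

# check_creds_file FILE
# Returns 0 only if FILE exists, is mode 0600 and contains both variables.
# stat -c is GNU stat; the -f form is the BSD fallback.
check_creds_file() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "600" ] || return 1
    grep -q '^AWS_ACCESS_KEY_ID=' "$1" && grep -q '^AWS_SECRET_ACCESS_KEY=' "$1"
}

# Stand-alone demo in a temporary directory (constructed placeholder values).
demo=$(mktemp -d)
write_creds_file "$demo/route53.env" "AKIA_EXAMPLE_ID" "EXAMPLE_SECRET"
write_dropin "$demo/route53.conf" "$demo/route53.env"
check_creds_file "$demo/route53.env" && echo "credentials file OK"
cat "$demo/route53.conf"
rm -rf "$demo"
```

Two related points for the same setup. First, sudo's default env_reset drops exported variables, so for the one-off first run in step 2 the exported AWS_* values only reach certbot if it runs as root or via sudo -E; the plugin also accepts the standard boto3 credential sources such as root's ~/.aws/config, which avoids the export entirely. Second, the key itself should be scoped to what the plugin needs: its documentation gives a sample IAM policy allowing route53:ListHostedZones, route53:GetChange and route53:ChangeResourceRecordSets on the relevant hosted zone, rather than a broad Route53 or administrator policy.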