
certbot-route53's People

Contributors

andiwundsam, jed, jordiclariana, ketouem, mslinn, sixcorners


certbot-route53's Issues

[macOS] requires GNU sed

FYI the -r option is only available in the GNU version of sed, symptoms include:

sed: illegal option -- r

On macOS this can be corrected by running brew install gnu-sed and changing the invocation of sed to gsed.

Please consider adding this to the documentation. Otherwise works like a charm!

No longer able to request or renew certificates since the latest merge

Hi,

With the latest changes, I can't seem to request a certificate for a specific machine. I'm running the following:

# certbot-route53.sh --agree-tos --manual-public-ip-logging-ok --domains hostname.domain.com --email [email protected]

I am hosting my domain.com on Route 53 and before today, this worked just fine and requested a certificate for the machine named hostname.domain.com. Today, it no longer works because it tries to search for hostname.domain.com on Route 53 and fails immediately.

If I use --domains domain.com it works, but creates a certificate with CN=domain.com which will fail validation if used for HTTPS on hostname.domain.com.

Am I doing something wrong?

SERVFAIL looking up TXT for _acme-challenge.remcam.io

Hi,
Thank you for the script.
I have been trying Certbot manually and using your script.
While it is running, Route 53 shows the TXT being created AND removed.
However, it seems that Route 53 will not allow queries for the TXT record.
The script produces this:

"Failed authorization procedure. nginx.remcam.io (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.nginx.remcam.io, remcam.io (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.remcam.io"
Any idea what is going on?

SERVFAIL looking up TXT for _acme-challenge.<domain>

The TXT record is created and then disappears, but the DNS lookup against Route 53 fails.
I tried setting my local DNS server to 8.8.8.8.

bash-3.2$ certbot -v certonly -d <domain> -d *.<domain> --dns-route53 --logs-dir /Users/username/letsencrypt/log/ --config-dir /Users/username/letsencrypt/config/ --work-dir /Users/username/letsencrypt/work/ -m <email> --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory --dns-route53-propagation-seconds 60

Saving debug log to /Users/username/letsencrypt/log/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Requesting a certificate for <domain> and *.<domain>
Performing the following challenges:
dns-01 challenge for <domain>
dns-01 challenge for <domain>
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain <domain>
Challenge failed for domain <domain>
dns-01 challenge for <domain>
dns-01 challenge for <domain>

Certbot failed to authenticate some domains (authenticator: dns-route53). The Certificate Authority reported these problems:
  Domain:  <domain>
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.<domain> - the domain's nameservers may be malfunctioning

  Domain: <domain>
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.<domain> - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-route53. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-route53-propagation-seconds (currently 60 seconds).

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /Users/username/letsencrypt/log/letsencrypt.log or re-run Certbot with -v for more details.

Not installable using PIP on Fedora 26

Hi, I tried to install this package using pip on Fedora 26 and got this:

pip install -U certbot-route53

...

Installing collected packages: setuptools, zope.interface, ConfigArgParse, six, configobj, pytz, pyrfc3339, idna, pycparser, cffi, ipaddress, cryptography, PyOpenSSL, zope.event, zope.component, urllib3, chardet, certifi, requests, funcsigs, pbr, mock, acme, future, parsedatetime, certbot, python-dateutil, jmespath, docutils, botocore, futures, s3transfer, boto3, certbot-dns-route53, certbot-route53
Found existing installation: setuptools 36.2.0
Uninstalling setuptools-36.2.0:
Successfully uninstalled setuptools-36.2.0
Rolling back uninstall of setuptools
Exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/usr/lib/python2.7/site-packages/pip/commands/install.py", line 365, in run
strip_file_prefix=options.strip_file_prefix,
File "/usr/lib/python2.7/site-packages/pip/req/req_set.py", line 784, in install
**kwargs
File "/usr/lib/python2.7/site-packages/pip/req/req_install.py", line 854, in install
strip_file_prefix=strip_file_prefix
File "/usr/lib/python2.7/site-packages/pip/req/req_install.py", line 1069, in move_wheel_files
strip_file_prefix=strip_file_prefix,
File "/usr/lib/python2.7/site-packages/pip/wheel.py", line 247, in move_wheel_files
prefix=prefix,
File "/usr/lib/python2.7/site-packages/pip/locations.py", line 140, in distutils_scheme
d = Distribution(dist_args)
File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 365, in init
self._finalize_requires()
File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 372, in _finalize_requires
if not self.install_requires:
AttributeError: Distribution instance has no attribute 'install_requires'

What am I doing wrong?

No hosted zone found that matches domain or hostname

Here is certbot53, a script I wrote to use this project:

#!/bin/bash

#STAGING=--staging
CERT_DIR=/etc/pound/certbot
DOMAIN=scalacourses.com
MAIL_ADDR='[email protected]'
SCRIPT_NAME=certbot-route53.sh

# certbot keeps its config, work and log directories under $CERT_DIR/letsencrypt
if [ ! -d "$CERT_DIR/letsencrypt" ]; then sudo mkdir -p "$CERT_DIR/letsencrypt"; fi
sudo chmod 777 "$CERT_DIR/letsencrypt"

cd "$CERT_DIR" || exit 1

# Fetch the hook script once and make it executable
if [ ! -f "$CERT_DIR/$SCRIPT_NAME" ]; then
  sudo curl -sL https://git.io/vylLx -o "$SCRIPT_NAME"
  sudo chmod a+x "$SCRIPT_NAME"
fi

# $STAGING is left unquoted on purpose: when unset it must expand to no argument
./"$SCRIPT_NAME" \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains "$DOMAIN,www.$DOMAIN" \
  --renew-by-default \
  --email "$MAIL_ADDR" $STAGING

# Pound expects the private key and the full chain concatenated into one PEM file
PRIV_KEY="$CERT_DIR/letsencrypt/live/$DOMAIN/privkey.pem"
FULL_CHAIN="$CERT_DIR/letsencrypt/live/$DOMAIN/fullchain.pem"
COMBINED="$CERT_DIR/combined-for-pound.pem"
cat "$PRIV_KEY" "$FULL_CHAIN" | sudo tee "$COMBINED" > /dev/null

I have a Route 53 public hosted zone called scalacourses.com. and it defines entries for scalacourses.com and www.scalacourses.com. Following is output from running the script. I do not understand the error messages:

  • No hosted zone found that matches domain com or hostname scalacourses.com
  • No hosted zone found that matches domain scalacourses.com or hostname www.scalacourses.com
./$SCRIPT_NAME \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains $DOMAIN,www.$DOMAIN \
  --renew-by-default \
  --email $MAIL_ADDR $STAGING
+ ./certbot-route53.sh --agree-tos --manual-public-ip-logging-ok --domains scalacourses.com,www.scalacourses.com --renew-by-default --email [email protected] --staging
Saving debug log to /etc/pound/certbot/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for scalacourses.com
dns-01 challenge for www.scalacourses.com
Output from certbot-route53.sh:
No hosted zone found that matches domain com or hostname scalacourses.com

Hook command "/etc/pound/certbot/certbot-route53.sh" returned error code 1
Output from certbot-route53.sh:
No hosted zone found that matches domain scalacourses.com or hostname www.scalacourses.com

Hook command "/etc/pound/certbot/certbot-route53.sh" returned error code 1
Waiting for verification...
Cleaning up challenges
Output from certbot-route53.sh:
No hosted zone found that matches domain com or hostname scalacourses.com

Hook command "/etc/pound/certbot/certbot-route53.sh" returned error code 1
Output from certbot-route53.sh:
No hosted zone found that matches domain scalacourses.com or hostname www.scalacourses.com

Hook command "/etc/pound/certbot/certbot-route53.sh" returned error code 1
Failed authorization procedure. www.scalacourses.com (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.scalacourses.com, scalacourses.com (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.scalacourses.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.scalacourses.com
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.www.scalacourses.com

   Domain: scalacourses.com
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.scalacourses.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Error parsing parameter '--change-batch': Invalid JSON: Expecting ',' delimiter

When I execute for example this (like in the README):

./certbot-route53.sh \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains example.de,www.example.de \
  --email [email protected]

I get this error:

++ aws route53 change-resource-record-sets --hosted-zone-id /hostedzone/XYZ --query ChangeInfo.Id --output text --change-batch '{
      "Changes": [
        "ResourceRecordSet": {
          "Name": "_acme-challenge.www.example.de.",
          "ResourceRecords": ["Value": "\"qnWBjfJe5sR0LmBzy0dAku0IVljLCTGp_jYMmBVzAy0\""}]
      ]
    }'

Error parsing parameter '--change-batch': Invalid JSON: Expecting ',' delimiter: line 3 column 28 (char 48)
JSON received: {
      "Changes": [
        "ResourceRecordSet": {
          "Name": "_acme-challenge.www.example.de.",
          "ResourceRecords": ["Value": "\"qnWBjfJe5sR0LmBzy0dAku0IVljLCTGp_jYMmBVzAy0\""}]
      ]
    }

Any ideas?

Renewal

Thanks for this script, it works perfectly ... but for creation only!
It would be great if it could also work for renewal. I gave it a try, replacing the "certonly" verb with "renew", but it does not work well, as it only renews the first certificate of the list. Then it tries to delete the acme challenge for the second one before even creating it.

Here is the output for the second execution:

Saving debug log to /home/kops/infra/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /home/kops/infra/letsencrypt/renewal/srv1.exemple.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /home/kops/infra/letsencrypt/renewal/srv2.exemple.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for srv2.exemple.com
Output from certbot-route53-renew.sh:
1

Waiting for verification...
Cleaning up challenges
Output from certbot-route53-renew.sh:
1


-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/home/kops/infra/letsencrypt/live/srv2.exemple.com/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /home/kops/infra/letsencrypt/renewal/srv3.exemple.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for srv3.exemple.com
Output from certbot-route53-renew.sh:
1

Error output from certbot-route53-renew.sh:

An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.srv3.exemple.com.', type='TXT'] but it was not found
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: argument --id: expected one argument

Waiting for verification...
Cleaning up challenges
Output from certbot-route53-renew.sh:
1

Error output from certbot-route53-renew.sh:

An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.srv3.exemple.com.', type='TXT'] but it was not found
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: argument --id: expected one argument

Attempting to renew cert (srv3.exemple.com) from /home/kops/infra/letsencrypt/renewal/srv3.exemple.com.conf produced an unexpected error: Failed authorization procedure. srv3.exemple.com (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.srv3.exemple.com. Skipping.
The following certs could not be renewed:
  /home/kops/infra/letsencrypt/live/srv3.exemple.com/fullchain.pem (failure)

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /home/kops/infra/letsencrypt/live/srv1.exemple.com/fullchain.pem (skipped)
The following certs were successfully renewed:
  /home/kops/infra/letsencrypt/live/srv2.exemple.com/fullchain.pem (success)

The following certs could not be renewed:
  /home/kops/infra/letsencrypt/live/srv3.exemple.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: srv3.exemple.com
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.srv3.exemple.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

"Usage" refers to `sh` instead of `bash`

Description
certbot-route53.sh has bash-specific features, see #2.

Per documentation:

3. Download the certbot-route53.sh script.
+++
chmod a+x certbot-route53.sh
4. Run the script with your (comma-separated) domain(s) and email address:
sh certbot-route53.sh \
+++

Error
sh certbot-route53.sh ... would fail if sh is not bash-compatible (for example, it is a link to the minimalistic /bin/dash on Ubuntu 16.04 LTS).

Suggestion

  1. [recommended] Remove sh in step 4 -- the script is made executable (chmod a+x ...) in step 3
  2. Alternatively: replace sh with bash in step 4: bash certbot-route53.sh ...

Problem when strip out the hostname part to leave only the domain

Thanks for this script. I realized that the internal sed command does not work when the host name is made up of more than three levels. For example, mail.external.example.com should return DOMAIN "example.com", but the value is "external.example.com":

# CERTBOT_DOMAIN is a hostname, not a domain (zone)
# We strip out the hostname part to leave only the domain
DOMAIN="$(sed -r 's/^[^.]+.(.*)$/\1/' <<< "${CERTBOT_DOMAIN}")"
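Several of the issues on this page trace back to that one-label strip: the macOS report (sed -r is GNU-only), "No hosted zone found that matches domain com or hostname scalacourses.com" (an apex name loses its only label), the host-only --domains failure, and this three-level case. The function below is an added example, not code from certbot-route53: it walks the hostname's labels from most to least specific and stops at the first one that is a hosted zone, using only POSIX parameter expansion, so it needs neither GNU sed nor gsed and behaves the same under dash and bash. HOSTED_ZONES is a constructed stand-in for the output of `aws route53 list-hosted-zones --query 'HostedZones[].Name' --output text`; find_zone and challenge_name are names chosen here.

```shell
#!/usr/bin/env bash
# Added example, not part of certbot-route53: derive the hosted zone for a
# hostname by walking its labels from most to least specific, instead of
# stripping exactly one label with "sed -r". Only POSIX parameter expansion
# is used, so no GNU sed is required and dash and bash behave identically.

# Constructed stand-in for the output of
#   aws route53 list-hosted-zones --query 'HostedZones[].Name' --output text
# Zone names are space-separated here; Route 53 returns them with a trailing dot.
HOSTED_ZONES="example.com. external.example.com. domain.com."

# find_zone HOSTNAME [ZONES]
# Prints the most specific hosted zone that contains HOSTNAME and returns 0;
# prints nothing on stdout and returns 1 when no zone matches.
# ZONES defaults to HOSTED_ZONES above.
find_zone() {
    name="${1%.}"             # tolerate a trailing dot on the input
    name="${name#\*.}"        # "*.example.com" is validated at _acme-challenge.example.com
    zones="${2:-$HOSTED_ZONES}"
    candidate="$name"
    while [ -n "$candidate" ]; do
        # Whole-string comparison: "notexample.com" never matches zone "example.com".
        for zone in $zones; do
            if [ "${zone%.}" = "$candidate" ]; then
                printf '%s\n' "$zone"
                return 0
            fi
        done
        case "$candidate" in
            *.*) candidate="${candidate#*.}" ;;   # drop the leftmost label and retry
            *)   candidate="" ;;                  # reached the TLD without a match
        esac
    done
    printf 'No hosted zone found for %s\n' "$1" >&2
    return 1
}

# challenge_name HOSTNAME -> the TXT record name the dns-01 challenge is read from
challenge_name() {
    name="${1%.}"
    name="${name#\*.}"
    printf '_acme-challenge.%s.\n' "$name"
}

# Stand-alone usage: resolve the hostname certbot passes in CERTBOT_DOMAIN.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    zone="$(find_zone "$CERTBOT_DOMAIN")" || exit 1
    printf 'zone=%s record=%s\n' "$zone" "$(challenge_name "$CERTBOT_DOMAIN")"
fi
```

Because the walk starts at the full hostname, an apex name such as scalacourses.com matches its own zone immediately, a delegated subzone (external.example.com. above) wins over its parent, and a hostname with no matching zone fails with a clear message instead of a batch error later.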

letsencrypt wildcard domain support

Not sure where the fault lies... I think it's certbot....

This works:
sh ./certbot-route53.sh \
  --expand \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains www.mylinuxguy.org,mylinuxguy.org \
  --cert-name mylinuxguy.org \
  --keep-until-expiring \
  --reinstall \
  --update \
  --server "https://acme-v02.api.letsencrypt.org/directory"

and this works:
sh ./certbot-route53.sh \
  --expand \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains *.mylinuxguy.org \
  --cert-name mylinuxguy.org \
  --keep-until-expiring \
  --reinstall \
  --update \
  --server "https://acme-v02.api.letsencrypt.org/directory"

but this:
sh ./certbot-route53.sh \
  --expand \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains *.mylinuxguy.org,mylinuxguy.org \
  --cert-name mylinuxguy.org \
  --keep-until-expiring \
  --reinstall \
  --update \
  --server "https://acme-v02.api.letsencrypt.org/directory"

does not.

the log shows:
2018-04-13 09:55:04,653:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-13 09:55:06,353:INFO:certbot.hooks:Output from certbot-route53.sh:
1

2018-04-13 09:55:06,353:ERROR:certbot.hooks:Error output from certbot-route53.sh:

An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.mylinuxguy.org.', type='TXT'] but the values provided do not match the current values

Waiter ResourceRecordSetsChanged failed:

2018-04-13 09:56:08,311:INFO:certbot.hooks:Output from certbot-route53.sh:
1

I think that the wildcard domain uses the same name as the non-wildcard domain, so
*.mylinuxguy.org and mylinuxguy.org use the same name for
_acme-challenge.mylinuxguy.org
and that causes issues with the AWS Route 53 servers.

Just wanted to see if anyone else has tried this and gotten it to work.

  • jack
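Two of the issues above come down to the shape of the change batch handed to `aws route53 change-resource-record-sets --change-batch`: the "Invalid JSON" report (each entry under "Changes" must be an object carrying "Action" and "ResourceRecordSet"; the batch quoted there puts the record-set fields directly inside the array) and the wildcard + apex failure (both challenges are published under _acme-challenge.mylinuxguy.org, and Route 53 rejects a DELETE whose values do not match the record set's current values). The shell functions below are an added example, not certbot-route53's own code: txt_change_batch emits a well-formed batch holding any number of TXT values, auth_batch adds a value while keeping the ones already present, and cleanup_batch removes one value and only falls back to DELETE once nothing else remains. The function names, the TTL of 60 and the tokA/tokB tokens are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not certbot-route53's own code: build the JSON change batch
# for "aws route53 change-resource-record-sets --change-batch". Every entry
# under "Changes" must be an object holding "Action" and "ResourceRecordSet";
# the record set keeps every value published under the name, so the wildcard
# and apex challenges can share _acme-challenge.<zone> without clobbering each other.

TXT_TTL=60   # assumed TTL; any short value suits a one-shot challenge record

# txt_change_batch ACTION NAME VALUE... -> change batch JSON on stdout
# ACTION is UPSERT or DELETE; NAME is the fully qualified record name with a
# trailing dot; each VALUE is one ACME key-authorization digest (base64url).
txt_change_batch() {
    action="$1"; name="$2"; shift 2
    records=""
    for value in "$@"; do
        # Route 53 wants TXT data quoted inside the JSON string: "\"value\""
        record="{\"Value\": \"\\\"${value}\\\"\"}"
        records="${records:+$records, }$record"
    done
    printf '{"Changes": [{"Action": "%s", "ResourceRecordSet": {"Name": "%s", "Type": "TXT", "TTL": %s, "ResourceRecords": [%s]}}]}\n' \
        "$action" "$name" "$TXT_TTL" "$records"
}

# remaining_values DROP CURRENT... -> the CURRENT values other than DROP, one per line
remaining_values() {
    drop="$1"; shift
    for v in "$@"; do
        [ "$v" = "$drop" ] || printf '%s\n' "$v"
    done
}

# auth_batch NAME NEW CURRENT... -> UPSERT that adds NEW while keeping CURRENT
# (de-duplicated, so re-running the auth hook never produces a duplicate value).
auth_batch() {
    name="$1"; new="$2"; shift 2
    rest="$(remaining_values "$new" "$@")"
    # Values are base64url digests without whitespace, so splitting $rest on newlines is safe.
    txt_change_batch UPSERT "$name" $rest "$new"
}

# cleanup_batch NAME DROP CURRENT... -> the batch that removes DROP from NAME
# A DELETE must list the record set's exact current values, so while another
# challenge's value is still present (wildcard + apex), UPSERT the remainder
# instead of deleting the whole record set.
cleanup_batch() {
    name="$1"; drop="$2"; shift 2
    rest="$(remaining_values "$drop" "$@")"
    if [ -z "$rest" ]; then
        txt_change_batch DELETE "$name" "$@"
    else
        txt_change_batch UPSERT "$name" $rest
    fi
}
```

In a hook, CURRENT would be read back from the zone (the existing values of the _acme-challenge record set) before the change is built, so the sequence UPSERT(tokA), UPSERT(tokA, tokB), UPSERT(tokB), DELETE(tokB) keeps each validation's value visible until its own cleanup runs.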

Debian Config and Script Paths

Thank you for this great script! We placed our script in /usr/local/sbin/certbot-route53.sh and we use the Debian certbot package's default config location of /etc/letsencrypt/.

We had to replace $PWD with $SCRIPT and $CONFIG variables that held these paths for these reasons:

  1. Certbot would fail to locate hook script if we ran script with absolute path (e.g. cd /root && /usr/local/sbin/certbot-route53.sh ...)
  2. Certbot was not writing the correct hook script paths to the renewal conf files.
  3. Certbot would only store config in default location if our PWD was /etc when we executed the script (e.g. cd /etc/ && /usr/local/sbin/certbot-route53.sh ...).

Other users might find it helpful to have similar variables near top of script, even if the default values for CONFIG and SCRIPT remain $PWD/letsencrypt and $PWD/$0 for now.

CONFIG=/etc/letsencrypt
SCRIPT=/usr/local/sbin/certbot-route53.sh

# The script registers itself as both hooks; quoting keeps paths with spaces intact
# and "$@" forwards the caller's arguments unchanged.
certbot certonly \
  --non-interactive \
  --manual \
  --manual-auth-hook "$SCRIPT" \
  --manual-cleanup-hook "$SCRIPT" \
  --preferred-challenge dns \
  --config-dir "$CONFIG" \
  --work-dir "$CONFIG" \
  --logs-dir "$CONFIG" \
  "$@"

Thanks again for publishing this!
