Let's Encrypt Certbot with Route53 Validation

Ever since Let’s Encrypt started to remove the TLS-SNI-01 challenge from certbot, I have been searching for an easier way to renew my certificates. This was a great move by Let’s Encrypt (a security hole was discovered that could lead to hijacked certificates when using TLS-SNI-01), but it left me with a bit of an operational gap in my little home lab. Since I don’t run anything on port 80 (the default port for HTTP-01 validation), every renewal meant the following procedure:

  1. Log into home router/gateway
  2. Add a port forwarding entry for port 80
  3. Start the Let’s Encrypt/Certbot renewal process
  4. Remove port forwarding entry

Not terrible, but it leaves an operational gap and has to be performed by hand every time. I could not find a good way to have the HTTP-01 validation run on an alternate port, say 443, which I already had forwarded. Even if I had been able to accomplish this, it would still have forced me to shut down my HAProxy/Apache/NGINX running on 443 so that certbot's standalone validation server could listen on that port.

Thankfully for me, Let’s Encrypt has rolled out a new DNS-01 validation type. This validator requires no server downtime, no port forwarding, and no operational gaps, because it uses your DNS provider for validation. Essentially, certbot logs in to your DNS provider, creates a TXT record, and removes it again afterwards. If the record shows up as expected, Let’s Encrypt can be sure that you are in control of the domain and can issue certificates on your behalf. Fortunately, I use AWS Route53 DNS, and certbot provides a plugin for it.

certbot-dns-route53

I already had the AWS CLI installed (and thus the credentials file with secret keys created) and the certbot client, so all I had to do was install the route53 plugin:

pip install certbot_dns_route53

Now getting certificates is as easy as executing the following command:

certbot certonly --dns-route53 -d mydomain.com
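To make the DNS-01 flow described above concrete, here is an added example (not part of the original post and not the plugin's own code) that writes out the steps certbot-dns-route53 performs behind the single command: compute the challenge record name, build the Route53 change batch that creates and later deletes the TXT record, check that the record is visible, and run certbot itself. It assumes the aws CLI, dig and certbot are installed, that credentials come from the same ~/.aws/credentials file the post mentions, and that ZONE_ID is a placeholder you replace with your own hosted zone ID. The TTL of 10 and the IAM action list are taken from my understanding of the plugin, not from the post.

```shell
#!/bin/sh
# Added example: the moving parts behind `certbot certonly --dns-route53`.
# Least-privilege credentials for the plugin need only these Route53 actions
# (assumption based on the plugin's documentation): route53:ListHostedZones,
# route53:GetChange, route53:ChangeResourceRecordSets (ideally scoped to the
# one hosted zone).
set -eu

# DNS-01 publishes the challenge token as a TXT record at this name.
challenge_record_name() {
    printf '_acme-challenge.%s.' "$1"
}

# Build the change batch the plugin submits: UPSERT to create the record,
# DELETE to clean it up.  Route53 needs TXT values wrapped in literal quotes.
# The short TTL (10) mirrors what the plugin uses (assumption).
txt_change_batch() {
    action=$1; name=$2; value=$3
    printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":10,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' \
        "$action" "$name" "$value"
}

# Replay the plugin's sequence by hand with the aws CLI (useful for debugging
# a failed validation).  ZONE_ID is a placeholder; find yours with
# `aws route53 list-hosted-zones`.  A DELETE must match the UPSERT exactly.
manual_challenge() {
    domain=$1; token=$2; zone_id=${ZONE_ID:-ZXXXXXXXXXXXXXX}
    name=$(challenge_record_name "$domain")
    aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
        --change-batch "$(txt_change_batch UPSERT "$name" "$token")"
    # Confirm the record is visible from a public resolver before trusting it.
    dig +short TXT "$name" @1.1.1.1
    aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
        --change-batch "$(txt_change_batch DELETE "$name" "$token")"
}

# The post's command, plus --dry-run so a mistake hits the staging CA rather
# than burning production rate limits; drop --dry-run for the real thing.
issue_cert() {
    certbot certonly --dns-route53 -d "$1" --dry-run
}

# Nothing runs unless invoked as: sh this.sh run <domain> [token]
if [ "${1:-}" = "run" ]; then
    domain=${2:-mydomain.com}
    if [ -n "${3:-}" ]; then
        manual_challenge "$domain" "$3"
    else
        issue_cert "$domain"
    fi
fi
```

Once `issue_cert` succeeds with `--dry-run`, the same credentials work for unattended renewal: `certbot renew --dry-run` exercises the whole path without opening any port.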