Phanix

Just writing

AWS Route53 Geo DNS with Let's Encrypt

Using Let's Encrypt, a free SSL certificate service, through certbot on a single host is not difficult. On Ubuntu 16.04 with Apache, it looks like this

The Route53 service of Amazon AWS has a very useful geo-based DNS feature. In short, it lets you specify which IP handles requests from which region. However, the default dns challenge of certbot does not work properly with it, which makes it impossible to obtain the Let's Encrypt SSL certificate smoothly.

In fact, just use the --dns-route53 parameter.

 $ sudo certbot certonly --dns-route53 -d YOUR_DOMAIN_NAME

However, the dns-route53 plugin is not installed by default when certbot is installed, so you need to install it yourself. The installation command is also very simple, as follows.

 $ sudo pip install certbot_dns_route53==0.31.0

Note that the plugin version must be the same as the certbot version. To check the certbot version, use the --version parameter.

 $ sudo certbot --version

What is more awkward is that the default Python on Ubuntu 16.04 is 2.7, so even with the plugin above installed, there will still be an error message when actually running certbot to request a certificate, mainly because there is no RSA algorithm. The way to deal with it is to remove Python 2.7 (this version will be broken anyway) and then install the Python 3 version. The related pip installs must then also be done with pip3, and there may be a problem with the wrong version of boto, so python3-boto3 must also be installed.

 $ sudo apt-get install python3-pip
 $ sudo apt-get install python3-boto3

If you like to run the latest version, you can run pip3 install --upgrade pip, but afterwards remember to edit the /usr/bin/pip3 file and change

 import sys
 from pip import main
 if __name__ == '__main__':
     sys.exit(main())

to

 import sys
 # use the entry point exposed by pip's __main__ module instead of pip.main
 from pip import __main__
 if __name__ == '__main__':
     sys.exit(__main__._main())

Otherwise you will get a "cannot import main" error.

With that, the SSL certificate request through dns-route53 should generally go through successfully.
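
The requirement that the plugin version equal the certbot version can be checked before every renewal instead of by eye. The script below is an added example, not part of the original post: it derives the plugin pin from the output of certbot --version and compares it with the output of pip3 show. The function names are hypothetical, and it assumes certbot prints a line of the form "certbot X.Y.Z".

```shell
#!/bin/sh
# Added example (not from the original post): keep certbot and the
# dns-route53 plugin on the same release. Function names are hypothetical.

# Extract "X.Y.Z" from `certbot --version` output such as "certbot 0.31.0".
# Prints nothing and returns 1 when no version is found (e.g. an error message).
certbot_version_from() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^certbot \([0-9][0-9.]*[0-9]\).*$/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Build the pip requirement that pins the plugin to certbot's own version.
plugin_requirement() {
    v=$(certbot_version_from "$1") || return 1
    printf 'certbot_dns_route53==%s\n' "$v"
}

# Compare certbot's version output ($1) with `pip3 show` output ($2).
# Returns 0 only when the plugin's "Version:" line equals certbot's version;
# a missing plugin (empty $2) counts as a mismatch.
versions_match() {
    want=$(certbot_version_from "$1") || return 1
    have=$(printf '%s\n' "$2" | sed -n 's/^Version: *//p' | head -n 1)
    [ -n "$have" ] && [ "$want" = "$have" ]
}

# Run against the real tools only when certbot exists on this host.
# Nothing is installed automatically; the fix is printed for review.
if command -v certbot >/dev/null 2>&1; then
    out=$(certbot --version 2>&1) || true   # capture stderr too, as a precaution
    shown=$(pip3 show certbot-dns-route53 2>/dev/null) || true
    if versions_match "$out" "$shown"; then
        echo "plugin matches: $out"
    elif req=$(plugin_requirement "$out"); then
        echo "mismatch, run: sudo pip3 install $req"
    else
        echo "could not read certbot version from: $out" >&2
    fi
fi
```

Running it from the same cron job or timer that calls certbot renew surfaces a mismatch after a package upgrade before the renewal fails.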

Original link: Phanix's Blog

CC BY-NC-ND 2.0
