How do I switch letsencrypt authentication from HTTP to AWS dns-route53?


I am using Certbot and have several domains that I need to switch from HTTP authorization to AWS Route 53.

Both configurations are working fine, but now I need to switch all the certificates to use route 53. Is there a certbot command that does that?

In the config file I see this:

[renewalparams]
authenticator = apache
installer = apache
account = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory

derpirscher (best answer):

I found this thread in the letsencrypt community forum, where it is mentioned that the global /etc/letsencrypt/cli.ini takes precedence over the renewal config of the single domains. If all your domains should be authenticated via route53 you can add your config there.

Adding /etc/letsencrypt/cli.ini to the server is the trick.

This is a sample file from https://gist.github.com/antillean/8517fba47df25a98100a

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
# email = [email protected]

# Uncomment and update to generate certificates for the specified
# domains.
# domains = sub.example.com, sub2.example.com, sub3.test.example

# Uncomment to use a text interface instead of ncurses
# text = True

# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = http-01

So for it to work, the changes required were to change authenticator to

authenticator = dns-route53

and then perform a sed statement in the /etc/letsencrypt/conf directory to remove the preferred challenges, which were HTTP, so it will default to the dns-route53 challenge:

sed -i 's/pref_challs = http-01,//g' *.conf

then testing it by running

certbot renew

and everything worked as desired.
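The procedure in this answer (set the global authenticator in cli.ini, drop the http-01 preference from each renewal config, then renew) as a small POSIX shell script. This is an added example, not code from the answer above or from the certbot project. It assumes certbot's default layout (/etc/letsencrypt/cli.ini and renewal configs under /etc/letsencrypt/renewal, overridable with LE_DIR), keeps a .bak copy of every file it rewrites, and only touches the filesystem when run with --apply. The filters handle both the trailing-comma form the answer's sed pattern targets (pref_challs = http-01,) and a multi-entry list such as pref_challs = http-01,dns-01, where only the dns-01 entry is kept.

```shell
#!/bin/sh
# Added example (not from the original answer). Migrates certbot from
# http-01 to the dns-route53 authenticator by editing its config files.
# Paths are certbot's defaults (an assumption); override with LE_DIR.

LE_DIR="${LE_DIR:-/etc/letsencrypt}"

# strip_http_pref: filter stdin, removing http-01 from a pref_challs line.
#   "pref_challs = http-01,"        -> line deleted (certbot then uses the
#   "pref_challs = http-01"         -> line deleted  authenticator's default)
#   "pref_challs = http-01,dns-01"  -> "pref_challs = dns-01"
strip_http_pref() {
    sed -e '/^pref_challs = http-01,\{0,1\}[[:space:]]*$/d' \
        -e 's/^pref_challs = http-01,[[:space:]]*\(.*\)$/pref_challs = \1/'
}

# set_authenticator: filter stdin, forcing "authenticator = dns-route53".
# An existing authenticator line is replaced; if there is none, one is
# appended, so this also works on an empty, newly created cli.ini.
set_authenticator() {
    awk '
        /^authenticator[[:space:]]*=/ { print "authenticator = dns-route53"; seen = 1; next }
        { print }
        END { if (!seen) print "authenticator = dns-route53" }
    '
}

# rewrite_file FILTER FILE: apply FILTER to FILE in place, keeping FILE.bak
# so the change can be rolled back if the dry run below fails.
rewrite_file() {
    filter="$1"; file="$2"
    cp -p "$file" "$file.bak"
    "$filter" < "$file.bak" > "$file"
}

# migrate: set the global authenticator and clean every renewal config.
migrate() {
    [ -f "$LE_DIR/cli.ini" ] || : > "$LE_DIR/cli.ini"
    rewrite_file set_authenticator "$LE_DIR/cli.ini"
    for conf in "$LE_DIR"/renewal/*.conf; do
        [ -f "$conf" ] || continue          # glob matched nothing
        rewrite_file strip_http_pref "$conf"
    done
    # Validate against the staging environment before any real renewal.
    certbot renew --dry-run
}

# Only modify the filesystem when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    migrate
fi
```

The dns-route53 plugin must be installed and able to reach AWS credentials with permission to write records in the hosted zone before the dry run will pass; if it fails, restoring the .bak files returns every domain to its previous http-01 setup.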

scuba_mike:

There is no command that "switches" your method of validation. If you want to ensure that future certificates can be authenticated, you can delete your existing certificates and then run certbot with your R53 configuration.

The other option would be to use --force-renewal option if you don't want to delete your existing certificates.

It is important to know that switching from HTTP validation to Route 53 (or any DNS based validation, really) only provides you the ability to create wildcard certificates on your domain. Once validations occur, the certificate isn't any different (again, with the caveat of issuing wildcard certificates).