[T0004] Receive an SSL certificate with certbot route53 plugin

2024-08-25

I was trying to issue an SSL certificate for a wildcard domain from Let's Encrypt, which meant I needed to use a certbot DNS plugin. I could have used the manual option instead of a DNS plugin, but that doesn't support certbot's auto-renew function.

Problem 1 - Installing certbot route53 dns plugin

Certbot's getting-started page for macOS doesn't list plugin names. The official docs explain the DNS plugins, but I couldn't find a brew package name for them.

https://eff-certbot.readthedocs.io/en/latest/using.html#dns-plugins

So I couldn't install it through brew.

Solution

In a GitHub issue (https://github.com/certbot/certbot/issues/5680), I found the command below, which installs the DNS plugin for AWS Route 53 into the Python environment of the brew-installed certbot.

$(brew --prefix certbot)/libexec/bin/python -mpip install certbot-dns-route53

Problem 2 - AWS credential error

I executed the certbot command below.

sudo certbot certonly \
  --dns-route53 \
  -d "ourcompanylunch.com" \
  -d "*.ourcompanylunch.com"

I got this credential-related error.

And this error came from botocore.

Tracking

I checked that the IAM user's permissions were enough to validate my Route 53 hosted zone, but that wasn't the problem. Boto couldn't find my profile.

My AWS profile was like this.

I set the env variables below.

I tried setting both AWS_PROFILE and AWS_DEFAULT_PROFILE because there was an issue reported about AWS_PROFILE.

I put those env variables in .zshrc or .zprofile.

Nothing worked.

Solution

I added a default profile, and then it worked. Of course, I added the access key and secret key to the credentials file, too.

I think boto3 has a problem reading AWS_PROFILE.
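A small pre-flight check for the setup described above, written for this post as an added example (it is not part of the original post or of certbot): it resolves the shared credentials file botocore will read, confirms that the wanted profile section has both keys, and only then prints the certbot command. The profile name "default", the placeholder keys and the domain are assumptions; note that under sudo's default env_reset policy, variables such as AWS_PROFILE set in .zshrc are not passed to the certbot process, so the file is checked as the invoking user.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks the AWS shared credentials
# file for a usable profile before invoking certbot --dns-route53.

# Path botocore reads credentials from: AWS_SHARED_CREDENTIALS_FILE if set,
# otherwise ~/.aws/credentials of the current user (under sudo this may be root's).
credentials_path() {
  printf '%s\n' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
}

# Return 0 if file $1 has a section [$2] containing both aws_access_key_id and
# aws_secret_access_key; return 1 for a missing file, section, or key.
has_profile_keys() {
  [ -r "$1" ] || return 1
  awk -v want="[$2]" '
    $0 == want  { in_section = 1; next }   # entered the wanted section
    /^\[/       { in_section = 0 }         # any other header ends it
    in_section && /^[[:space:]]*aws_access_key_id[[:space:]]*=/     { id = 1 }
    in_section && /^[[:space:]]*aws_secret_access_key[[:space:]]*=/ { sec = 1 }
    END { exit (id && sec) ? 0 : 1 }
  ' "$1"
}

# The certbot invocation from the post, for the apex and wildcard of domain $1.
certbot_route53_cmd() {
  printf 'sudo certbot certonly --dns-route53 -d "%s" -d "*.%s"\n' "$1" "$1"
}

# Stand-alone demo on a constructed credentials file (placeholder keys, not real ones).
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
[route53]
aws_access_key_id = AKIA_PLACEHOLDER_1

[default]
aws_access_key_id = AKIA_PLACEHOLDER_2
aws_secret_access_key = PLACEHOLDER_SECRET_2
EOF
  if has_profile_keys "$tmp" default; then
    echo "[default] profile is usable in $tmp; would run:"
    certbot_route53_cmd ourcompanylunch.com
  else
    echo "no usable [default] profile in $tmp (expected at $(credentials_path))" >&2
  fi
  rm -f "$tmp"
}

demo
```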
