
I have an Ubuntu 20.04 server on an AWS EC2 instance running Apache and I’m trying to obtain a certificate using certbot, however I’m having trouble with credentials. Below is the command I run, followed by the error output:

user@address:~$ sudo certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d mydomain.com -d *.mydomain.com -i apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-route53, Installer apache
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
dns-01 challenge for mydomain.com
Cleaning up challenges
Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.

I’ve followed the below guides:

  1. https://certbot.eff.org/lets-encrypt/ubuntufocal-apache.html (wildcard tab, up to step 6)
  2. https://certbot-dns-route53.readthedocs.io/en/stable/ (created an IAM policy and applied it to a new user)

and chosen to set the credentials using environment variables:

$ export AWS_ACCESS_KEY_ID=<id>
$ export AWS_SECRET_ACCESS_KEY=<secret>

When I use $ printenv AWS_ACCESS_KEY_ID and $ printenv AWS_SECRET_ACCESS_KEY I am shown the credentials on screen, so I don’t understand why certbot is unable to locate them.

Any ideas?

2 Answers


  1. By running the certbot command as sudo the environment variable is not set anymore.

    Either connect to sudo su then export the variables and run or take a look at using a credentials file to allow the command access to the IAM key and IAM secret.

    More information available here.

  2. Because you are using sudo to execute your command, as you supplied above (and here it is again for reference):

    sudo certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d mydomain.com -d *.mydomain.com -i apache
    

    Then the environment variables and home directory of the user root are used, instead of those of the currently logged-on user. So, you have to ensure that your setup is for the root user.

    In my case, I prefer to use a config file instead of environment variables. And because of sudo, this config file path and name is ~/.aws/config and its content is:

    [default]
    aws_access_key_id=<YOUR ACCESS KEY TO AWS>
    aws_secret_access_key=<YOUR SECRET ACCESS KEY TO AWS>
    

    More details here.

    Now, the root home directory in Linux will most probably be /root, so this is where I would start. Details here.

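Both answers come down to the same point: under sudo, certbot runs as root, so the credentials must live where root looks. The following is an added example, not code from either answer or from certbot: a POSIX shell helper that writes a root-only, mode-600 shared credentials file under a given home directory (normally /root, as the second answer notes) and checks it before the certbot run. The script name aws_creds.sh and the key values are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answers): put AWS credentials where
# certbot-dns-route53 will find them when certbot runs under sudo, i.e. as root.
# sudo resets the environment by default (env_reset in sudoers), which is why
# variables exported in the user's own shell are "not located" by the root process.

# Write <home>/.aws/credentials with a [default] profile.
# Args: home_dir access_key_id secret_access_key
write_aws_credentials() {
  dir="$1/.aws"
  file="$dir/credentials"
  # Subshell so the restrictive umask does not leak into the caller's shell.
  (
    umask 077
    mkdir -p "$dir"
    chmod 700 "$dir"
    printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' \
      "$2" "$3" > "$file"
    chmod 600 "$file"
  )
}

# Return 0 if the credentials file exists, is readable only by its owner and
# carries a [default] profile with both keys; otherwise say why and return 1.
check_aws_credentials() {
  file="$1/.aws/credentials"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  [ "$perms" = "600" ] || { echo "permissions are $perms, expected 600" >&2; return 1; }
  grep -q '^\[default\]$' "$file" || { echo "no [default] profile" >&2; return 1; }
  grep -q '^aws_access_key_id=.' "$file" && grep -q '^aws_secret_access_key=.' "$file"
}

# Usage on the server (root's home is normally /root; placeholder key values):
#   sudo sh -c '. ./aws_creds.sh; write_aws_credentials /root AKIA_PLACEHOLDER SECRET_PLACEHOLDER'
#   sudo sh -c '. ./aws_creds.sh; check_aws_credentials /root'
#   sudo certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 \
#        -d mydomain.com -d '*.mydomain.com' -i apache
# Alternative without a file, if sudoers permits it: pass only the two
# variables through for that one invocation instead of the whole environment:
#   sudo --preserve-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY certbot certonly ...
```

The check is worth keeping in a deployment script: a credentials file that is world-readable hands the Route53 key to every local account, which is a larger exposure than the certificate it is meant to obtain.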