{"id":16538748,"url":"https://github.com/spyoungtech/certbot-route53-hook","last_synced_at":"2025-04-11T05:10:08.206Z","repository":{"id":146395441,"uuid":"118353349","full_name":"spyoungtech/certbot-route53-hook","owner":"spyoungtech","description":"Certbot manual auth hook for satisfying dns challenges via AWS Route 53 / boto3","archived":false,"fork":false,"pushed_at":"2019-04-12T16:53:02.000Z","size":16,"stargazers_count":5,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-11T05:10:02.200Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spyoungtech.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-01-21T16:42:18.000Z","updated_at":"2024-06-25T21:37:51.000Z","dependencies_parsed_at":null,"dependency_job_id":"96c9ce90-eddc-4dc3-97f1-fc4ce2c277bd","html_url":"https://github.com/spyoungtech/certbot-route53-hook","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spyoungtech%2Fcertbot-route53-hook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spyoungtech%2Fcertbot-route53-hook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spyoungtech%2Fcertbot-route53-hook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spyoungtech%2Fcertbot-route53-hook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spyoungtech","download_url":"https://codeload.github.com/spyoungtech/certbot-route53-hook/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248345266,"owners_count":21088244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-11T18:46:41.389Z","updated_at":"2025-04-11T05:10:08.193Z","avatar_url":"https://github.com/spyoungtech.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"certbot-route-53-hook v0.2\n==========================\n\nA pre-auth and post-auth hook for certbot's manual plugin that satisfies DNS challenges by creating the required record set\nvia AWS Route 53 and ``boto3``. When used as the cleanup hook, it deletes the previously created record set.\n\nUseful for requesting or renewing certs with certbot for systems that are not publicly accessible, such as those on an internal network, since the DNS challenge needs no inbound connection to the host. It is also suitable for automated non-interactive use.\n\n\nPrerequisites\n-------------\n\n1. A domain name with DNS managed by Route53\n2. A set of AWS IAM credentials with Route53 permissions\n3. Docker\n\nOR\n\n3. Certbot\n4. A Python3 environment with ``boto3`` installed (with AWS credentials configured)\n\n\nHow to use\n----------\n\nWith Docker\n^^^^^^^^^^^\n\nThe entrypoint in the Dockerfile takes care of most of the arguments you need. You just need to provide AWS credentials, an email, and the domain to certify. 
\n\nYou can build the image and generate your certificates with docker like so\n\n::\n\n    docker build -t certbot-route53-hook:latest .\n    mkdir letsencrypt\n    docker run --rm -v $(pwd)/letsencrypt:/etc/letsencrypt/ -e AWS_ACCESS_KEY_ID=\u003cYour ID\u003e -e AWS_SECRET_ACCESS_KEY=\u003cYour Key\u003e certbot-route53-hook --email=\u003cYour Email\u003e -d \u003cyour.domain.com\u003e\n\n\nYour certificates will appear in the mounted directory. Note that passing the secret key with ``-e`` on the command line leaves it in your shell history; a mounted credentials file (see below) avoids that.\n\nManually with certbot and Python\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n\nSimply supply the path to ``certbot_hook.py`` for both the ``--manual-auth-hook`` and ``--manual-cleanup-hook`` options of the certbot command. You should also specify ``--preferred-challenges`` as ``dns`` and select the manual plugin by supplying ``--manual``.\n\nFor example, to request a new certificate\n\n::\n\n    certbot certonly --preferred-challenges=dns --manual --manual-auth-hook=/path/to/certbot_hook.py --manual-cleanup-hook=/path/to/certbot_hook.py -d secure.example.com\n\n\nThen to renew, you can simply use ``certbot renew``.\n\n\nNOTE: the hook is called even on dry runs.\n\n\nOther notes\n-----------\n\nIAM Policy example\n^^^^^^^^^^^^^^^^^^\n\nAs a best practice, use credentials with just the minimum access needed by the hook. 
An example policy, scoped to a single hosted zone, might look like this\n\n::\n\n    {\n        \"Version\": \"2012-10-17\",\n        \"Id\": \"certbot-dns-route53 sample policy\",\n        \"Statement\": [\n            {\n                \"Effect\": \"Allow\",\n                \"Action\": [\n                    \"route53:ListHostedZones\",\n                    \"route53:GetChange\"\n                ],\n                \"Resource\": [\n                    \"*\"\n                ]\n            },\n            {\n                \"Effect\": \"Allow\",\n                \"Action\": [\n                    \"route53:ChangeResourceRecordSets\"\n                ],\n                \"Resource\": [\n                    \"arn:aws:route53:::hostedzone/YOURHOSTEDZONEID\"\n                ]\n            }\n        ]\n    }\n\n\nUsing the hook non-interactively\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\nTo use the hook non-interactively, supply the non-interactive flag ``-n`` together with the ``--manual-public-ip-logging-ok`` option.\n\n\nSpecifying the hosted zone ID\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\nIt is recommended that you specify the zone ID(s) you need explicitly. If you do not, the hook will attempt to use the boto3 Route53 client to look the ID up.\n\nThe hook tries the following methods, in order, to find the zone ID:\n\nBy Environment Variable\n\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n\nIf you only use one hosted zone with certbot, you can set the ``CERTBOT_ZONE_ID`` environment variable.\n\n::\n\n    export CERTBOT_ZONE_ID=ABCD1234567890\n\n\nBy config file\n\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n\nAlongside the ``certbot_hook.py`` file, place a file named ``config.py`` (an example template is included in the repo). It should define a single variable ``zone_map``, a Python dictionary mapping zone names to zone IDs. This method supports multiple zones. 
For example\n\n::\n\n    zone_map = {\n        'example.com': 'ABCD1234567890'\n    }\n\n\nAutomatically via boto3\n\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n\nIf the zone ID is not found with the above methods, the hook will request a list of all your hosted zones and pick the zone it needs.\n\nThis feature is experimental. Further, there is a known issue where identifying the zone ID might fail if you have more than 100 hosted zones (``ListHostedZones`` returns at most 100 zones per page). If you have more than 100 hosted zones, use the config file option instead.\n\n\nConfiguring AWS credentials\n^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\nIn order to connect to AWS resources, you need to supply credentials. You can do this through environment variables or a credentials file. An easy way to create the credentials file is with the awscli.\n\nInstall aws cli\n\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n\n::\n\n    pip3 install awscli\n\nConfigure credentials\n\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n\nWith awscli installed, simply call the ``configure`` command to get an interactive prompt for setting up your credentials.\n\n::\n\n    aws configure\n\nYou will be prompted for your access key ID and secret access key.\n\nThis portion of the documentation is provided as a convenience. If you have issues with credentials, please see the Amazon docs.\n\n\nSimilar Work\n------------\n\n`certbot-route53`_ is a shell script that does pretty much exactly the same thing.\n\n.. _certbot-route53: https://github.com/jed/certbot-route53\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspyoungtech%2Fcertbot-route53-hook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspyoungtech%2Fcertbot-route53-hook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspyoungtech%2Fcertbot-route53-hook/lists"}