How do I switch letsencrypt authentication from HTTP to AWS dns-route53?

I am using Certbot and have several domains that I need to switch from HTTP authorization to AWS Route 53.

Both configurations are working fine, but now I need to switch all the certificates to use route 53. Is there a certbot command that does that?

In the config file I see this:

authenticator = apache
installer = apache
manual_public_ip_logging_ok = None
server =


  • I found this thread in the letsencrypt community forum, where it is mentioned that the global /etc/letsencrypt/cli.ini takes precedence over the renewal config of the single domains. If all your domains should be authenticated via route53, you can add your config there.

    Adding /etc/letsencrypt/cli.ini to the server is the trick.

    This is a sample file from

    # This is an example of the kind of things you can do in a configuration file.
    # All flags used by the client can be configured here. Run Let's Encrypt with
    # "--help" to learn more about the available options.
    # Use a 4096 bit RSA key instead of 2048
    rsa-key-size = 4096
    # Uncomment and update to register with the specified e-mail address
    # email =
    # Uncomment and update to generate certificates for the specified
    # domains.
    # domains =,, sub3.test.example
    # Uncomment to use a text interface instead of ncurses
    # text = True
    # Uncomment to use the standalone authenticator on port 443
    # authenticator = standalone
    # standalone-supported-challenges = http-01

    So for it to work, the changes required were to change authenticator to

    authenticator = dns-route53

    and then perform a sed statement in the /etc/letsencrypt/conf directory to remove the preferred challenges, which were HTTP, so it will default to the dns-route53 challenge:

    sed -i 's/pref_challs = http-01,//g' *.conf

    then testing it by running

    certbot renew

    and everything worked as desired.
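The procedure in the answer above, as an added example that is not the answerer's own commands: a POSIX shell script that rewrites each certbot renewal config so the lineage authenticates via dns-route53, keeps a backup of every file it touches, and verifies the result before you run `certbot renew`. It goes a step beyond the answer by setting `authenticator` in each renewal config directly instead of only in cli.ini, and it deletes the `pref_challs` line rather than leaving an empty value behind. It assumes the renewal configs live in /etc/letsencrypt/renewal (certbot's standard location; override with RENEWAL_DIR) and use the usual `key = value` lines under [renewalparams].

```shell
#!/bin/sh
# Added example, not code from the original answer. Switches certbot renewal
# configs from the http-01 authenticator to dns-route53.
# Assumption: renewal configs are the *.conf files in $RENEWAL_DIR and carry
# "authenticator = ..." / "pref_challs = ..." lines; the installer line
# (e.g. apache) is left untouched so deployment keeps working.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# Rewrite one renewal config: set the authenticator and drop any pref_challs
# line (so the plugin's dns-01 challenge is used). A timestamped backup of
# the original is kept next to it for rollback.
switch_to_route53() {
    conf="$1"
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    sed -e 's/^authenticator = .*/authenticator = dns-route53/' \
        -e '/^pref_challs = /d' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Verify a config: succeeds only if it names dns-route53 as authenticator
# and no longer pins an http-01 challenge.
uses_route53() {
    grep -q '^authenticator = dns-route53$' "$1" &&
        ! grep -q '^pref_challs = .*http-01' "$1"
}

# Convert every *.conf in the renewal directory and report each result.
# Returns non-zero if any file failed verification.
switch_all() {
    dir="${1:-$RENEWAL_DIR}"
    rc=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        switch_to_route53 "$conf"
        if uses_route53 "$conf"; then
            echo "ok: $conf"
        else
            echo "FAILED: $conf" >&2
            rc=1
        fi
    done
    return $rc
}
```

After the rewrite, run `certbot renew --dry-run` before the real renewal so a failing DNS challenge shows up without touching the live certificates. The dns-route53 plugin picks up AWS credentials from the usual locations, so scope those credentials to record changes on the affected hosted zones only.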