
I have an Ubuntu 20.04 server on an AWS EC2 instance running Apache and I'm trying to obtain a certificate using certbot, however I'm having trouble with credentials. Below is the command I run, followed by the error output:

user@address:~$ sudo certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d mydomain.com -d '*.mydomain.com' -i apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-route53, Installer apache
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
dns-01 challenge for mydomain.com
Cleaning up challenges
Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.

I've followed the below guides:

  1. https://certbot.eff.org/lets-encrypt/ubuntufocal-apache.html (wildcard tab, up to step 6)
  2. https://certbot-dns-route53.readthedocs.io/en/stable/ (created an IAM policy and applied it to a new user)

and chosen to set the credentials using environment variables:

$ export AWS_ACCESS_KEY_ID=<id>
$ export AWS_SECRET_ACCESS_KEY=<secret>

When I use $ printenv AWS_ACCESS_KEY_ID and $ printenv AWS_SECRET_ACCESS_KEY I am shown the credentials on screen, so I don't understand why certbot is unable to locate them.

Any ideas?

Tom

2 Answers


By running the certbot command with sudo, the environment variables are no longer set.

Either switch to root with sudo su, then export the variables and run the command, or take a look at using a credentials file to allow the command access to the IAM key and IAM secret.

More information available here.

Chris Williams
  • I opted for the config file option, and after about an hour of further Linux-based mucking about I was able to install the certificates, many thanks! – Tom Jun 21 '20 at 19:50
  • Hey Tom, I am running into this same issue. But certbot won't read my config/credentials files nor the env vars. Where did you create the config file? – codeinprogress May 11 '21 at 11:10
  • @Chris Williams - neither of the two options you suggested is working in my case. I created the env vars in both the root and home directory as well as using the credentials file. – codeinprogress May 11 '21 at 11:12

You are using sudo to execute your command, as you supplied above (and here it is again for reference):

sudo certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d mydomain.com -d '*.mydomain.com' -i apache

Because of that, the environment variables and home directory of the root user are used, instead of those of the currently logged-on user. So you have to ensure that your setup is for the root user.

In my case, I prefer to use a config file instead of environment variables. Because of sudo, the config file path and name is ~/.aws/config, and its content is:

[default]
aws_access_key_id=<YOUR ACCESS KEY TO AWS>
aws_secret_access_key=<YOUR SECRET ACCESS KEY TO AWS>

More details here.

Now, the root home directory in Linux will most probably be /root, so this is where I would start. Details here.

Greeso
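Both answers come down to the same point: the sudo'd certbot runs with root's environment and home directory, so the keys have to be reachable from there, not from the calling user's shell. The script below is an added example and is not code from either answer, from the question, or from certbot. It assumes sudo's default env_reset behaviour (AWS_* variables dropped, HOME set to the target user's home, which is what Ubuntu 20.04's sudo does; show_sudo_view confirms it on a given host), GNU stat, and the question's hypothetical domain mydomain.com. boto3, which certbot-dns-route53 uses, reads keys from either ~/.aws/credentials or the [default] section of ~/.aws/config; the example writes the credentials file. It shows the check (what sudo actually hands the command), the narrow way to forward just the two variables through sudo, and a credentials file written into the target home with 0700/0600 permissions plus a check that it sits where boto3 will look.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): make Route 53 credentials
# visible to a certbot run under sudo. Assumes sudo's default env_reset
# (AWS_* variables dropped, HOME=/root for the sudo'd command, as on
# Ubuntu 20.04), GNU stat, and the hypothetical domain mydomain.com.
set -eu

# The check: print the HOME and AWS_* variables the sudo'd command really
# gets. If this shows "no AWS_* variables", exporting them in your own
# shell cannot help certbot.
show_sudo_view() {
  sudo sh -c 'echo "HOME=$HOME"; env | grep "^AWS_" || echo "no AWS_* variables"'
}

# Option A: forward only the two variables through sudo's environment reset.
# --preserve-env=LIST is narrower than `sudo -E`, which forwards everything.
certbot_with_preserved_env() {
  sudo --preserve-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY \
    certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 \
    -d mydomain.com -d '*.mydomain.com' -i apache
}

# Option B: a credentials file in the target user's home (root's, for sudo).
# Args: home dir, access key id, secret key, profile name (default "default").
# For root's home run it as root, e.g.:
#   sudo bash -c "$(declare -f write_aws_credentials); write_aws_credentials /root ID SECRET"
write_aws_credentials() {
  local home="$1" key_id="$2" secret="$3" profile="${4:-default}"
  local dir="$home/.aws" file="$home/.aws/credentials"
  mkdir -p "$dir"
  chmod 700 "$dir"
  # umask 077 so the file is never readable by other users, not even briefly
  ( umask 077
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
      "$profile" "$key_id" "$secret" > "$file" )
  chmod 600 "$file"
}

# Option B check: the file exists under the given home, is mode 0600 and
# holds the profile boto3 will look for. Echoes "ok" or the first problem.
check_aws_credentials() {
  local home="$1" profile="${2:-default}"
  local file="$home/.aws/credentials" mode
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  mode=$(stat -c '%a' "$file")
  [ "$mode" = "600" ] || { echo "insecure mode $mode on $file (want 600)"; return 1; }
  grep -q "^\[$profile\]" "$file" || { echo "no [$profile] section in $file"; return 1; }
  grep -q '^aws_access_key_id *=' "$file" || { echo "no aws_access_key_id in $file"; return 1; }
  grep -q '^aws_secret_access_key *=' "$file" || { echo "no aws_secret_access_key in $file"; return 1; }
  echo ok
}

# Option B: print the key id stored for a profile, so you can confirm the
# file the sudo'd command will read holds the key you expect, without
# echoing the secret.
credentials_key_id() {
  local home="$1" profile="${2:-default}"
  awk -v want="[$profile]" '
    $0 == want { in_section = 1; next }
    /^\[/ { in_section = 0 }
    in_section && /^aws_access_key_id *=/ { sub(/^[^=]*= */, ""); print; exit }
  ' "$home/.aws/credentials"
}
```

Typing the keys into an export at an interactive prompt also leaves them in that shell's history file, which the credentials-file route avoids; keep the file at 0600 under root's home and nothing else on the box can read it. Since the host is an EC2 instance, the option that needs no key on disk at all is an instance profile carrying the Route 53 policy: boto3, and so certbot-dns-route53, picks those credentials up from the instance metadata service whichever user runs the command, so the "Unable to locate credentials" failure above cannot recur because of sudo.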