Route53

This is similar to the Cloudflare setup. The main difference is setting up the IAM user.

Account Setup

Go to Route 53 and get your hosted zone ID

  • Sign in to the AWS Management Console.
  • Search for Route 53 in the top search bar and select it.
  • Click on Hosted zones in the left-hand navigation pane.
  • You will see a list of your domains. Locate the Hosted Zone ID column next to your domain name. It typically looks like a string of random capital letters and numbers (e.g., Z1R8UBAEXAMPLE).

Go to the IAM console and create a policy and user

  • Navigate to the AWS IAM Console.
  • Click Create Policy and switch to the JSON tab.
  • Paste the following policy (replace YOUR_HOSTED_ZONE_ID with your actual Route 53 zone ID, or use * for all zones), then save it under the name CertbotRoute53Policy. Scoping ChangeResourceRecordSets to a single hosted zone limits what this access key can change if it is ever leaked:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/YOUR_HOSTED_ZONE_ID"
        }
    ]
}
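A small check that the policy above grants only what the certbot DNS plugin needs. This is an added example for this page, not code from the original documentation or from certbot; it reads a policy document offline and never calls AWS. The required action set, the hosted-zone ARN prefix and the zone ID Z1R8UBAEXAMPLE are taken from the page; PAGE_POLICY is the page's policy with that example zone ID filled in.

```python
"""Least-privilege check for the Route 53 IAM policy certbot uses.

Added example for this page, not part of the original documentation. It only
reads a policy document; it never talks to AWS."""
import fnmatch
import json

# The three actions the certbot-dns-route53 plugin needs. Anything beyond
# these widens what a leaked access key could do.
ZONE_SCOPED_ACTIONS = {"route53:ChangeResourceRecordSets"}
GLOBAL_ACTIONS = {"route53:ListHostedZones", "route53:GetChange"}
REQUIRED_ACTIONS = ZONE_SCOPED_ACTIONS | GLOBAL_ACTIONS
ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/"
PLACEHOLDER_ZONE = "YOUR_HOSTED_ZONE_ID"


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_policy(policy: dict) -> list[str]:
    """Return human-readable findings. An empty list means the policy grants
    exactly what certbot needs and record changes are pinned to one zone."""
    findings = []
    granted = []  # every action pattern allowed by the policy
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            granted.append(action)
            if "*" in action:
                findings.append(f"wildcard action {action!r} grants more than certbot needs")
            elif action not in REQUIRED_ACTIONS:
                findings.append(f"unneeded action {action!r}")
            if action in ZONE_SCOPED_ACTIONS:
                for res in resources:
                    if res == "*" or res.endswith("/*"):
                        findings.append(f"{action} allowed on every hosted zone (Resource {res!r})")
                    elif not res.startswith(ZONE_ARN_PREFIX):
                        findings.append(f"{action} on {res!r}: not a hosted-zone ARN")
                    elif res.endswith("/" + PLACEHOLDER_ZONE):
                        findings.append("placeholder YOUR_HOSTED_ZONE_ID was never replaced")
    # A wildcard such as route53:* still satisfies the required actions.
    for action in sorted(REQUIRED_ACTIONS):
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in granted):
            findings.append(f"missing action {action!r}: the DNS-01 challenge will fail")
    return findings


# The policy from this page with the example zone ID filled in (constructed input).
PAGE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["route53:ListHostedZones", "route53:GetChange"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["route53:ChangeResourceRecordSets"],
            "Resource": "arn:aws:route53:::hostedzone/Z1R8UBAEXAMPLE"
        }
    ]
}
""")

if __name__ == "__main__":
    for line in check_policy(PAGE_POLICY) or ["no findings: policy is scoped to one zone"]:
        print(line)
```

Run it against the JSON you are about to paste into IAM (load it with json.load and pass it to check_policy); a Resource of * on ChangeResourceRecordSets, an unreplaced placeholder, or a missing GetChange each shows up as a finding before the key is ever created.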

Create the user

  • In the IAM Users section, click Add user.
  • Enter a name (e.g., certbot-dns-user) and click Next.
  • Under Permissions options, select Attach policies directly.
  • Search for and check the CertbotRoute53Policy you just created.
  • Complete the creation process.

Generate and Store Credentials

  • Select your new user from the list, go to the Security credentials tab, and click Create access key.
  • Select Command Line Interface (CLI) as the use case.
  • Save the Access Key ID and Secret Access Key. You will not be able to see the secret key again.

Certbot Setup

Install and Configure Certbot and the Plugin

sudo apt install python3-certbot-dns-route53

Create /etc/letsencrypt/route53.ini with the access key pair from the previous step. It holds the secret key, so keep it owned by root with mode 0600 so that other local users cannot read it. It should look like this:

sudo cat /etc/letsencrypt/route53.ini
[default]
aws_access_key_id=aLongString
aws_secret_access_key=anEvenLongerString
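A check for the credentials file before it is handed to certbot. This is an added example for this page, not code from the original documentation or from certbot. It assumes the file layout shown above and that certbot runs as root (so root should own the file); the access key ID and secret key shape checks (AKIA or ASIA prefix, 20-character ID, 40-character secret) are sanity checks on format only, and the key values in demo() are constructed placeholders, not real keys.

```python
"""Checks for the certbot Route 53 credentials file.

Added example for this page, not part of the original documentation. The key
format checks are sanity checks on shape only; nothing here contacts AWS."""
import configparser
import os
import re
import stat
import tempfile

ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
SECRET_KEY_LEN = 40


def check_credentials_file(path: str, expected_uid: int = 0) -> list[str]:
    """Return findings for the file at path; empty means it is usable and
    protected. expected_uid defaults to root, which is who runs certbot."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/other read the secret key; expected 0600")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    # interpolation=None so a '%' in a secret is not treated as a format directive
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    if not cp.has_section("default"):
        findings.append("missing [default] section")
        return findings
    key_id = cp.get("default", "aws_access_key_id", fallback="").strip()
    secret = cp.get("default", "aws_secret_access_key", fallback="").strip()
    if not key_id:
        findings.append("aws_access_key_id is missing or empty")
    elif not ACCESS_KEY_ID_RE.match(key_id):
        findings.append("aws_access_key_id does not look like an AWS access key ID")
    if not secret:
        findings.append("aws_secret_access_key is missing or empty")
    elif len(secret) != SECRET_KEY_LEN:
        findings.append(f"aws_secret_access_key is {len(secret)} characters, expected {SECRET_KEY_LEN}")
    return findings


def write_credentials_file(path: str, key_id: str, secret: str) -> None:
    """Create the file with mode 0600 from the first write, so there is no
    window in which another local user could read the secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"[default]\naws_access_key_id={key_id}\naws_secret_access_key={secret}\n")


def demo() -> tuple[list[str], list[str]]:
    """Write a properly protected file and a world-readable one holding the
    page's placeholder values into a temp dir; return the findings for each."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "route53.ini")
        # constructed placeholder credentials with the right shape, not real keys
        write_credentials_file(good, "AKIAEXAMPLEKEY000001",
                               "EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE0")
        bad = os.path.join(tmp, "route53-leaky.ini")
        with open(bad, "w") as fh:
            fh.write("[default]\naws_access_key_id=aLongString\n"
                     "aws_secret_access_key=anEvenLongerString\n")
        os.chmod(bad, 0o644)
        me = os.getuid()  # the files we just wrote are ours, not root's
        return check_credentials_file(good, me), check_credentials_file(bad, me)


if __name__ == "__main__":
    ok, leaky = demo()
    print("protected file:", ok or "no findings")
    print("world-readable file:", leaky)
```

On the real host run check_credentials_file("/etc/letsencrypt/route53.ini") as root; a non-empty list means either the permissions or the pasted values need fixing before the certbot command below is run.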

Request the Certificate

sudo AWS_SHARED_CREDENTIALS_FILE=/etc/letsencrypt/route53.ini certbot certonly --dns-route53 -d wifi.your.org

That should obtain the certificate and create the renewal configuration shown in

cat /etc/letsencrypt/renewal/wifi.your.org.conf

Verify the issued certificate with

sudo openssl x509 -in /etc/letsencrypt/live/wifi.your.org/cert.pem -noout -text

Last modified April 6, 2026: Cert Doc additions (8d37dbc)