Skip to content
Tool to obtain certs from Let's Encrypt using DNS-01 challenge with Route53 and Amazon Certificate Manager
Branch: master
Clone or download
Latest commit 22c70b7 May 21, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
certstore minor May 17, 2019
lambda minor May 17, 2019
notifier minor May 17, 2019
.gitignore minor May 21, 2019 minor May 21, 2019
go.mod added docs; implemented build-in AWS Lambda tolerance May 3, 2019
go.sum added docs; implemented build-in AWS Lambda tolerance May 3, 2019
main.go added docs; implemented build-in AWS Lambda tolerance May 3, 2019

acme-dns-route53 is the tool for obtaining SSL certificates from Let's Encrypt CA using DNS-01 challenge with Route53 and Amazon Certificate Manager by AWS.


  • Register with CA
  • Creating the initial server certificate
  • Renewing already existing certificates
  • Support DNS-01 challenge using Route53 by AWS
  • Store certificates into ACM by AWS
  • Managing certificates of multiple domains within one request
  • Build-in AWS Lambda tolerance


Make sure that GoLang already installed

go install


Use of this tool requires a configuration file containing Amazon Web Services API credentials for an account with the following permissions:

  • sns:Publish (optional)
  • route53:ListHostedZones
  • route53:GetChange
  • route53:ChangeResourceRecordSets
  • acm:ImportCertificate
  • acm:ListCertificates
  • acm:DescribeCertificate

These permissions can be captured in an AWS policy like the one below. Amazon provides information about managing access and information about the required permissions

Example AWS policy file:

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "",
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Sid": "",
            "Effect": "Allow",
            "Action": [
            "Resource": [

The access keys for an account with these permissions must be supplied in one of the following ways:

  • Using the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.
  • Using a credentials configuration file at the default location, ~/.aws/config.
  • Using a credentials configuration file at a path supplied using the AWS_CONFIG_FILE environment variable.

Example credentials config file:



  • Domains (required) - use --domains flag to determine comma-separated domains list, certificates of which should be obtained. Example:

    $ acme-dns-route53 obtain,, --email=<email>
  • Let's Encrypt Email (required) - use --email flag to determine Let's Encrypt account email. If account's private key is not provided, registers a new account. Private key expected by path <config-dir>/<email>.pem. Example:

    Path: /tmp/letsencrypt/test@test.test.pem


    -----END RSA PRIVATE KEY-----
  • Let’s Encrypt ACME server - defaults to communicating with the production Let’s Encrypt ACME server. If you'd like to test something without issuing real certificates, consider using --staging flag:

    $ acme-dns-route53 obtain --staging --domains=<domains> --email=<email>
  • Configuration directory - defaults the configuration data storing in the current directory (where the CLI runs). If you'd like to change config directory, set the desired path using --config-dir flag:

    $ acme-dns-route53 obtain --config-path=<config-dir-path> --domains=<domains> --email=<email>
  • SNS Notification topic - if you'd like to send a notification to SNS, provide SNS Topic ARN using --topic flag:

    $ acme-dns-route53 obtain --domains=<domains> --email=<email> --topic=arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<SNS_TOPIC_NAME>
  • Renew Before - is the number of days defining the period before expiration within which a certificate must be renewed:

    $ acme-dns-route53 obtain --domains=<domains> --email=<email> --renew-before=7

Usage by AWS Lambda:

For the latest information regarding usage by AWS Lambda see the instruction


Let's Encrypt Website:


Amazon Certificate Manager:

Route53 by AWS:

Lambda by AWS:

ACME spec:


Inspired by:

You can’t perform that action at this time.