尝试使用 Certbot 和 Route53 插件获取通配符 SSL 时出现 AccessDenied 错误

Question

I have been tasked with setting up Wilcard SSL for some domains. These domains are hosted through AWS Route53.

I am using Certbot on an Ubuntu 20.4 machine, where the apps are hosted. I have also installed the Route53 DNS plugin for Certbot.

I run this command:

sudo certbot certonly --dns-route53 --email 'me@derp.com' --domain 'mywebsite.rocks' --domain '*.mywebsite.rocks' --agree-tos --non-interactive

Real domains remove for security reasons

I get this error:

An error occurred (AccessDenied) when calling the ListHostedZones operation: User: arn:aws:sts::789148085273:assumed-role/AmazonLightsailInstanceRole/i-0871f2572906140c4 is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the route53:ListHostedZones action

Let me explain first how I set up the IAM user in the AWS console.

1. I created a new Policy with this config

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "derp0",
            "Effect": "Allow",
            "Action": [
                "route53:GetHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/WHAT-EVER-MY-ID-IS-HERE"
        },
        {
            "Sid": "derp1",
            "Effect": "Allow",
            "Action": "route53:ListHostedZones",
            "Resource": "*"
        }
    ]
}

Replacing WHAT-EVER-MY-ID-IS-HERE with my actual domain's Hosted Zone ID

2. I then created a new IAM User and during set-up, I attached the above Policy to the user.

3. I then created an Access Key for my new User and took note of the AccessKeyId and SecretAccessKey . This has access to be used programmatically.

4. On the server, I created a config file at /root/.aws/config as instructed in the documentation. I also tried ~/.aws/config but as I am using sudo the former seemed the preferred location (I could be wrong though, and during my tests, neither worked anyway)

And as previously aforementioned, I run the command and get the error.

Searched the web high and low for a solution, but cannot find one.

Appreciate any help I can get from folk.

Answer 1

After a quick check, I was able to find the following article:

https://certbot-dns-route53.readthedocs.io/en/stable/

Have a look at it, it might help you to set the necessary policy.

Of course, if using AWS is not a must, you can always just deploy the website to another provider where there would not be necessary to set up policies and everything will get through just fine.

Answer 2

What you'll have to do is click on 'Roles' link under 'Access Management':

Then search for the 'role' that is causing the error because it has insufficient permissions so in your case, your error message indicates that it's the 'AmazonLightsailInstanceRole'. Once you find that role, attach a policy that has the permission 'route53:ListHostedZones'. Not sure why your error message is showing an 'assumed-role' for 'AmazonLightsailInstanceRole' but mine was 'AmazonSSMRoleForInstancesQuickSetup' that was giving me the same error you were getting. But after I attached a policy that had the permissions specified by 'certbot-dns-rout53', it was able to get and install a certificate.