Install Certbot on AL2023
Overview
This page describes two options for installing Certbot on Amazon Linux 2023 (AL2023).
Option 1: AL2023 yum repository
AL2023 version 2023.3.20231211 and later ships Certbot 2.6.0 in its package repository.
Install
To install Certbot with its plugins and enable the packaged renewal timer:
sudo dnf install -y certbot
sudo dnf install -y python3-certbot-dns-route53
sudo dnf install -y python3-certbot-apache
sudo dnf install -y python3-certbot-nginx
sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer
Verify
To verify the installed version and plugins:
certbot --version
certbot plugins
The output should be similar to the following:
certbot 2.6.0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
* dns-route53
Description: Obtain certificates using a DNS TXT record (if you are using AWS
Route53 for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-route53 =
certbot_dns_route53._internal.dns_route53:Authenticator
* nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
* standalone
Description: Runs an HTTP server locally which serves the necessary validation
files under the /.well-known/acme-challenge/ request path. Suitable if there is
no HTTP server already running. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
* webroot
Description: Saves the necessary validation files to a
.well-known/acme-challenge/ directory within the nominated webroot path. A
seperate HTTP server must be running and serving files from the webroot path.
HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Option 2: PIP
You can use pip in a virtual environment to install the latest version of Certbot.
Install
sudo dnf remove -y certbot python3-certbot-*
PY_VER=python3.14
sudo dnf install -y $PY_VER $PY_VER-{pip,devel}
sudo dnf install -y gcc augeas-devel augeas-libs
sudo $PY_VER -m venv /opt/certbot
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot
sudo /opt/certbot/bin/pip install certbot-dns-route53
sudo /opt/certbot/bin/pip install certbot-apache
sudo /opt/certbot/bin/pip install certbot-nginx
sudo ln -s -f /opt/certbot/bin/certbot /usr/bin/certbot
The AL2023 system Python is 3.9. Certbot 5.0.0 dropped Python 3.9 support, and Certbot 5.2.1 added Python 3.14 support, which is why a newer interpreter is installed above.
Automated Renewal
Add the following systemd timer and service to enable automated renewal:
cat << EoF | sudo tee -a /usr/lib/systemd/system/certbot-renew.timer
[Unit]
Description=This is the timer to set the schedule for automated renewals
[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true
[Install]
WantedBy=timers.target
EoF
sudo touch /etc/sysconfig/certbot
sudo chmod og-rwx /etc/sysconfig/certbot
cat << 'EoF' | sudo tee -a /usr/lib/systemd/system/certbot-renew.service
[Unit]
Description=This service automatically renews any certbot certificates found
[Service]
EnvironmentFile=/etc/sysconfig/certbot
Type=oneshot
ExecStart=/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew $PRE_HOOK $POST_HOOK $RENEW_HOOK $DEPLOY_HOOK $CERTBOT_ARGS
EoF
sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer
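As an added example (not part of the original page), the following script writes the same two units as the commands above into a directory passed as a parameter, then checks the result before systemd loads it. The heredoc delimiter is quoted so that $PRE_HOOK and the other hook variables reach the unit file as literals for systemd to expand from EnvironmentFile; with an unquoted delimiter the invoking shell replaces them with empty strings and the hooks silently never run. The unit contents and paths are the page's own; the `apply` argument, the check functions and the scratch-directory parameter are this example's assumptions.

```bash
#!/bin/bash
# Added example: write and verify the certbot-renew systemd units from Option 2.
# Not the page's own commands; destination directory is a parameter so the
# check can be exercised in a scratch directory before touching the system.
set -u

# Write both units. The delimiter is quoted so the hook variables stay literal.
write_renew_units() {
  dest="$1"
  cat > "$dest/certbot-renew.timer" << 'EoF'
[Unit]
Description=This is the timer to set the schedule for automated renewals
[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true
[Install]
WantedBy=timers.target
EoF
  cat > "$dest/certbot-renew.service" << 'EoF'
[Unit]
Description=This service automatically renews any certbot certificates found
[Service]
EnvironmentFile=/etc/sysconfig/certbot
Type=oneshot
ExecStart=/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew $PRE_HOOK $POST_HOOK $RENEW_HOOK $DEPLOY_HOOK $CERTBOT_ARGS
EoF
}

# Verify the written units: both files exist, EnvironmentFile is set, and every
# hook variable is still a literal token (an unquoted heredoc would have erased them).
check_renew_units() {
  dest="$1"
  svc="$dest/certbot-renew.service"
  [ -f "$svc" ] && [ -f "$dest/certbot-renew.timer" ] || return 1
  grep -q '^EnvironmentFile=/etc/sysconfig/certbot$' "$svc" || return 1
  grep -q '^ExecStart=/usr/bin/certbot renew --noninteractive' "$svc" || return 1
  for v in PRE_HOOK POST_HOOK RENEW_HOOK DEPLOY_HOOK CERTBOT_ARGS; do
    grep -qF "\$$v" "$svc" || return 1
  done
  grep -q '^OnCalendar=' "$dest/certbot-renew.timer" || return 1
}

# Create the hook/argument file read by EnvironmentFile and make it root-only:
# hooks in it are executed by certbot as root, so nobody else may write it.
write_env_file() {
  f="$1"
  [ -e "$f" ] || : > "$f"
  chmod og-rwx "$f" || return 1
  case "$(stat -c %a "$f")" in *00) return 0 ;; *) return 1 ;; esac
}

# Only install for real when invoked as: sudo bash renew-units.sh apply
if [ "${1:-}" = apply ]; then
  write_renew_units /usr/lib/systemd/system &&
  check_renew_units /usr/lib/systemd/system &&
  write_env_file /etc/sysconfig/certbot &&
  systemctl daemon-reload &&
  systemctl enable --now certbot-renew.timer
fi
```

Run it without arguments (or source it) to get only the function definitions; `apply` performs the same steps as the page's commands but refuses to enable the timer if the service unit fails the literal-token check.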
Update script
To create a Certbot upgrade script:
cat << EoF | sudo tee -a /opt/certbot/update-certbot
#!/bin/bash
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install --upgrade certbot
sudo /opt/certbot/bin/pip install --upgrade certbot-dns-route53
sudo /opt/certbot/bin/pip install --upgrade certbot-apache
sudo /opt/certbot/bin/pip install --upgrade certbot-nginx
EoF
sudo chmod +x /opt/certbot/update-certbot
Update certbot
You can run the update script manually or create a cron job to execute it regularly:
/opt/certbot/update-certbot
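As an added example (not the page's script), an upgrade wrapper for the Option 2 venv that records the installed versions with `pip freeze` before upgrading, runs `certbot --version` and `certbot plugins` afterwards, and reinstalls the recorded versions if that check fails, so an unattended upgrade from a cron job cannot leave renewals broken without anyone noticing. The venv path is the page's /opt/certbot; the snapshot directory, the CERTBOT_VENV and SNAPSHOT_DIR overrides and the `run` argument are this example's assumptions.

```bash
#!/bin/bash
# Added example: upgrade Certbot in its venv with a pre-upgrade snapshot and a
# post-upgrade sanity check, rolling back on failure. Not the page's own script.
# Assumed: the venv from Option 2 at /opt/certbot; the snapshot directory is this
# example's choice. Both can be overridden through the environment.
set -u

CERTBOT_VENV="${CERTBOT_VENV:-/opt/certbot}"
SNAPSHOT_DIR="${SNAPSHOT_DIR:-$CERTBOT_VENV/snapshots}"
PKGS="certbot certbot-dns-route53 certbot-apache certbot-nginx"

# Record the currently installed package versions and print the snapshot path.
snapshot_venv() {
  mkdir -p "$SNAPSHOT_DIR" || return 1
  snap="$SNAPSHOT_DIR/freeze-$(date +%Y%m%d-%H%M%S).txt"
  "$CERTBOT_VENV/bin/pip" freeze > "$snap" || return 1
  printf '%s\n' "$snap"
}

# Sanity check: certbot must start and load all of its plugins without error.
certbot_healthy() {
  "$CERTBOT_VENV/bin/certbot" --version > /dev/null 2>&1 &&
  "$CERTBOT_VENV/bin/certbot" plugins > /dev/null 2>&1
}

# Reinstall exactly the versions recorded in a snapshot (pinned with ==).
rollback_to() {
  "$CERTBOT_VENV/bin/pip" install --quiet -r "$1"
}

# Snapshot, upgrade, check, and roll back if the upgrade or the check fails.
update_certbot() {
  snap=$(snapshot_venv) || return 1
  if ! "$CERTBOT_VENV/bin/pip" install --quiet --upgrade pip $PKGS; then
    echo "pip upgrade failed; rolling back to $snap" >&2
    rollback_to "$snap"
    return 1
  fi
  if certbot_healthy; then
    echo "certbot upgraded; previous versions kept in $snap"
    return 0
  fi
  echo "post-upgrade check failed; rolling back to $snap" >&2
  rollback_to "$snap"
  return 1
}

# Only act when invoked as: sudo bash update-certbot.sh run
if [ "${1:-}" = run ]; then
  update_certbot
fi
```

The snapshot files double as an audit trail of which versions were running when; prune them as part of the same cron job if disk space matters.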
Verify
certbot --version
certbot plugins
certbot 5.5.0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='apache',
value='certbot_apache._internal.entrypoint:ENTRYPOINT', group='certbot.plugins')
* dns-route53
Description: Obtain certificates using a DNS TXT record (if you are using AWS
Route53 for DNS).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='dns-route53',
value='certbot_dns_route53._internal.dns_route53:Authenticator',
group='certbot.plugins')
* nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='nginx',
value='certbot_nginx._internal.entrypoint:ENTRYPOINT', group='certbot.plugins')
* standalone
Description: Runs an HTTP server locally which serves the necessary validation
files under the /.well-known/acme-challenge/ request path. Suitable if there is
no HTTP server already running. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='standalone',
value='certbot._internal.plugins.standalone:Authenticator',
group='certbot.plugins')
* webroot
Description: Saves the necessary validation files to a
.well-known/acme-challenge/ directory within the nominated webroot path. A
separate HTTP server must be running and serving files from the webroot path.
HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot',
value='certbot._internal.plugins.webroot:Authenticator',
group='certbot.plugins')
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Using Certbot
Refer to the Certbot User Guide and to "Use Certbot to enable HTTPS on Amazon Linux 2023 (AL2023) EC2 instances running Apache or Nginx".