Creating our Let's Encrypt hook script

auth-hook.sh

aws route53 wait resource-record-sets-changed --id \
    $(aws route53 change-resource-record-sets --hosted-zone-id \
        "$(aws route53 list-hosted-zones-by-name --dns-name $2. \
        --query HostedZones[0].Id --output text)" \
      --query ChangeInfo.Id \
      --output text \
      --change-batch "{ \
        \"Changes\": [{ \
          \"Action\": \"$1\", \
          \"ResourceRecordSet\": { \
            \"Name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\", \
            \"ResourceRecords\": [{\"Value\": \"\\\"${CERTBOT_VALIDATION}\\\"\"}], \
            \"Type\": \"TXT\", \
            \"TTL\": 30 \
          } \
        }] \
      }" \
    )

~ ./auth-hook.sh

An error occurred (InvalidInput) when calling the ChangeResourceRecordSets operation: Invalid XML ; cvc-enumeration-valid: Value '' is not facet-valid with respect to enumeration '[CREATE, DELETE, UPSERT]'. It must be a value from the enumeration.

Hi @li0nel really nice article, just tried it and ran into this error. Looks like there is an issue with the change-batch syntax:

Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
dns-01 challenge for mydomain.com
Waiting for verification...
Cleaning up challenges
Hook command "./auth-hook.sh DELETE mydomain.com" returned error code 2
Error output from auth-hook.sh:

An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.mydomain.com.', type='TXT'] but the values provided do not match the current values
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: argument --id: expected one argument

Failed authorization procedure. mydomain.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "Ri0158CAZCQQm-0bgtM6MBDDoKiZgLj86-KpQ6ccHNI" found at _acme-challenge.mydomain.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydomain.com
   Type:   unauthorized
   Detail: Incorrect TXT record
   "Ri0158CAZCQQm-0bgtM6MBDDoKiZgLj86-KpQ6ccHNI" found at
   _acme-challenge.mydomain.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory.
   You should make a secure backup of this folder now. This
   configuration directory will also contain certificates and private
   keys obtained by Certbot so making regular backups of this folder
   is ideal.

This script works fine -- in my case, errors came down to user error and not reading carefully enough. I think some of the confusion is that it's written for certbot to invoke, not manually and without arguments (hence the invalid XML operation error), and it requires modification to use your domain (as mentioned in article at Hackernoon, hence the mydomain.com related errors). Additionally, you must have Route 53 set up (as mentioned in the article).