install certbot-dns-route53 plug-in on macOS #1

Open
PeterWagemans opened this issue Jul 21, 2024 · 4 comments

Comments

@PeterWagemans

Hi Wim,
I wanted to test this excellent new way to manage the FileMaker Server certificate, and moved a domain to AWS, so I could do some testing.
For my test I wanted to do it locally on my MacBook. You are not covering macOS in your blog article on https://www.soliantconsulting.com/blog/filemaker-lets-encrypt-ssl-certificates-dns/ but I thought I would give it a shot anyway.

I had some trouble though trying to install the plugin. Using Homebrew (which is required in the shell script) it seems to be impossible to install the plugin. Even trying a standard install using pip gave me trouble.

Can you tell me if you got this running already, and if yes, how did you do it?

@PeterWagemans
Author

Just FYI:

  • "DNS plugin instructions are wrong for macOS" (certbot/website#767) seems to point out that the Homebrew install of certbot has no option to install plugins.
  • Completely removing the Homebrew version and then installing through pip seems to work at first sight (when removing the tests in the shell script), but gives some error on my M1:

```
from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
ImportError: dlopen(/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/_cffi_backend.cpython-310-darwin.so, 0x0002): tried: '/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/_cffi_backend.cpython-310-darwin.so' (mach-o file, but is an incompatible architecture (have 'arm64', need 'x86_64')), '/System/Volumes/Preboot/Cryptexes/OS/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/_cffi_backend.cpython-310-darwin.so' (no such file), '/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/_cffi_backend.cpython-310-darwin.so' (mach-o file, but is an incompatible architecture (have 'arm64', need 'x86_64'))
```

@PeterWagemans
Author

The MacPorts version seems to work at first sight (after installing py-boto3 as well).

@wimdecorte
Owner

Great feedback, @PeterWagemans. I haven't tried any of this on macOS since that is not a primary FMS platform for us. Since standing up a server and installing the OS cannot be automated easily, we'd probably not bother with LE on macOS and just use a commercial cert.
Once you have it all working reliably on macOS we can update the instructions to include what you've learned.

@PeterWagemans
Author

I have it partly working with the MacPorts version. I see it adding a challenge TXT record on the AWS DNS zone page, and removing it afterwards. It doesn't work completely because my DNS transfer to Route53 is taking a very long time (now days) to propagate through the root DNS servers, and Let's Encrypt is still querying the previous name servers, and not finding it.
But I'm pretty sure this will be OK soon - the local code is working, the internet is just not cooperating :-)

I wonder why the shell scripts check for the path to certbot, while they (Claris) could do a simple check on "certbot --version" to see if it is installed, and not impose how it should be installed. There is even a path difference in Homebrew depending on M1 or Intel, which is also not taken into account. They just shouldn't do it this way.
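
A preflight check along the lines suggested in the comment above, as an added example that is not from this thread or from the Claris scripts. It looks for certbot in a fixed list of directories rather than the caller's PATH, since a script run with sudo should not execute whatever `certbot` an inherited PATH resolves to. The function names, the `CERTBOT_DIRS` variable and the directory list (default Homebrew, MacPorts and system prefixes) are assumptions.

```shell
#!/bin/sh
# Added example: find a working certbot regardless of how it was installed.
# Assumed trusted locations: Homebrew on Apple Silicon, Homebrew on Intel,
# MacPorts, and the system directory. Override CERTBOT_DIRS to change them.
CERTBOT_DIRS="${CERTBOT_DIRS:-/opt/homebrew/bin /usr/local/bin /opt/local/bin /usr/bin}"

# Print the first executable certbot found in the trusted directories.
find_certbot() {
    for dir in $CERTBOT_DIRS; do
        if [ -x "$dir/certbot" ] && [ ! -d "$dir/certbot" ]; then
            printf '%s\n' "$dir/certbot"
            return 0
        fi
    done
    return 1
}

# Succeed only if the given certbot lists the dns-route53 plugin.
has_route53_plugin() {
    "$1" plugins 2>/dev/null | grep -q 'dns-route53'
}

# Combined preflight. Prints the resolved path on success.
# Return codes: 1 = not found, 2 = found but does not run, 3 = plugin missing.
check_certbot() {
    bin=$(find_certbot) || {
        echo "certbot not found in: $CERTBOT_DIRS" >&2
        return 1
    }
    # A binary can exist and still fail to start, e.g. a broken Python
    # environment behind it.
    "$bin" --version >/dev/null 2>&1 || {
        echo "$bin is present but does not run" >&2
        return 2
    }
    has_route53_plugin "$bin" || {
        echo "$bin has no dns-route53 plugin" >&2
        return 3
    }
    printf '%s\n' "$bin"
}
```

A calling script would use `CERTBOT=$(check_certbot) || exit 1` and invoke `"$CERTBOT"` by its full path afterwards.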
