simtabi
diff --git a/‎CHANGELOG.md‎
Lines changed: 54 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎docs/README.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/README.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/release-notes/v0.17.0.md‎
Lines changed: 150 additions & 0 deletions b/‎docs/release-notes/v0.17.0.md‎
Lines changed: 150 additions & 0 deletions
diff --git a/‎docs/tools/tls.md‎
Lines changed: 43 additions & 5 deletions b/‎docs/tools/tls.md‎
Lines changed: 43 additions & 5 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 1 addition & 1 deletion b/‎pyproject.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/shimkit/__init__.py‎
Lines changed: 1 addition & 1 deletion b/‎src/shimkit/__init__.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/shimkit/config/defaults.json‎
Lines changed: 2 additions & 0 deletions b/‎src/shimkit/config/defaults.json‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/shimkit/config/schema.py‎
Lines changed: 10 additions & 5 deletions b/‎src/shimkit/config/schema.py‎
Lines changed: 10 additions & 5 deletions
@@ -6,6 +6,60 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## [Unreleased]
 
+## [0.17.0] — 2026-05-16
+
+### Added
+
+- **`shimkit tls --method dns-route53`** — AWS Route53 DNS-01
+  alongside the v0.13.0 Cloudflare path. Uses the upstream
+  `certbot/dns-route53:v3.0.1` image (auto-selected when
+  `--method dns-route53` is passed).
+- `tools.tls.certbot_dns_route53_image` config field — pin the
+  Route53 plugin image independently.
+- `tools.tls.route53_propagation_seconds` config field — same
+  range (`[0, 600]`) as the Cloudflare equivalent. Default `60`.
+
+### Changed
+
+- `certbot.container_volumes` accepts a `credentials_mount`
+  parameter (`"cloudflare"` or `"route53"`). Cloudflare keeps the
+  v0.13.0 behaviour of mounting the credentials file's parent
+  directory at `/credentials`; Route53 mounts the file itself at
+  `/root/.aws/credentials` (boto3's default search path — no
+  `--dns-route53-credentials` flag exists).
+- `certbot.request_argv` accepts `method="dns-route53"`. Emits
+  `--dns-route53` + `--dns-route53-propagation-seconds`.
+- `TlsConfig.default_method` widened to include `"dns-route53"`.
+- `tls request` `--credentials` flag help text covers both
+  Cloudflare token format and AWS credentials file format.
+
+### Tests
+
+- 14 new tests in `tests/test_tools_tls_dns_route53.py` (1116 →
+  1130 total). Pure argv-builder shape (Route53 flags +
+  propagation + staging/dry-run; webroot + cloudflare paths
+  unaffected), container_volumes route53 mount target
+  (`/root/.aws/credentials` vs Cloudflare's `/credentials`),
+  manager validation (missing-credentials / missing-file /
+  loose-mode refusal / happy path picks dns-route53 image /
+  uses route53_propagation_seconds not cloudflare's / JSON
+  output includes method), config plumbing (route53 image +
+  propagation_seconds range validation).
+- Adjusted one Cloudflare test that previously used `dns-route53`
+  as the "unknown method" placeholder — now uses
+  `dns-digitalocean`.
+
+### Notes
+
+Second DNS-01 provider. Cloudflare + Route53 cover the two
+most-used providers in the ACME ecosystem. Other providers
+(DigitalOcean, Hurricane Electric, etc.) each need their own
+credential surface and provider-specific image — opt-in extras
+in a future release.
+
+Gates: pytest 1130 passed, ruff clean, mypy strict clean. No new
+optional dependency extras.
+
 ## [0.16.0] — 2026-05-16
 
 ### Added
 
@@ -98,6 +98,8 @@ Top-level utilities (not tools):
 
 Per-version, user-facing summaries (newest first):
 
+- **[`v0.17.0`](release-notes/v0.17.0.md)** — `shimkit tls --method
+  dns-route53` for AWS Route53 DNS-01.
 - **[`v0.16.0`](release-notes/v0.16.0.md)** — `shimkit framework
   django` third framework recipe.
 - **[`v0.15.0`](release-notes/v0.15.0.md)** — `shimkit db redis`
 
@@ -0,0 +1,150 @@
+# shimkit 0.17.0
+
+`shimkit tls --method dns-route53` — AWS Route53 DNS-01 alongside
+the v0.13.0 Cloudflare path. Second DNS-01 provider. For the full
+machine-readable changelog, see
+[`CHANGELOG.md`](../../CHANGELOG.md).
+
+---
+
+## TL;DR
+
+```
+shimkit tls request --method dns-route53 --credentials FILE -d ...
+```
+
+Uses `certbot/dns-route53:v3.0.1` (auto-selected). Cloudflare path
+still uses `certbot/dns-cloudflare:v3.0.1`; webroot still uses
+`certbot/certbot:v3.0.1`. The three image families are
+independent — pin each via its own `tools.tls.certbot_*_image`
+config field.
+
+---
+
+## Why Route53
+
+After Cloudflare, AWS Route53 is the most-common ACME DNS-01
+provider in the wild. Adding it covers the two providers most
+teams actually use; other providers (DigitalOcean, Hurricane
+Electric, Google Cloud DNS, etc.) follow the same pattern and
+can be added in future minor releases.
+
+DNS-01 is the only ACME path that supports wildcards
+(`*.example.com`).
+
+---
+
+## Setup
+
+1. **Create an IAM key** with the minimum scope:
+
+   ```json
+   {
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Action": [
+           "route53:ListHostedZones",
+           "route53:GetChange",
+           "route53:ChangeResourceRecordSets"
+         ],
+         "Resource": "*"
+       }
+     ]
+   }
+   ```
+
+2. **Write the credentials file** — standard AWS format:
+
+   ```ini
+   [default]
+   aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+   aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+   ```
+
+   ```bash
+   chmod 600 ~/.shimkit/data/tls/aws-credentials
+   ```
+
+3. **Issue the cert** (staging first):
+
+   ```bash
+   shimkit tls request --yes --staging \
+       --email ops@example.com \
+       --method dns-route53 \
+       --credentials ~/.shimkit/data/tls/aws-credentials \
+       -d example.com -d '*.example.com'
+   ```
+
+---
+
+## How it differs from Cloudflare
+
+The Route53 plugin reads `~/.aws/credentials` via boto3 — there's
+no `--dns-route53-credentials` flag like Cloudflare has. shimkit
+handles this transparently:
+
+| | Cloudflare | Route53 |
+|---|---|---|
+| Container image | `certbot/dns-cloudflare:v3.0.1` | `certbot/dns-route53:v3.0.1` |
+| Credentials file format | `dns_cloudflare_api_token = <token>` | AWS `[default]` ini |
+| Mount target inside container | parent dir at `/credentials` | file at `/root/.aws/credentials` |
+| Certbot flag | `--dns-cloudflare-credentials /credentials/cloudflare.ini` | (none — boto3 finds it) |
+| Mode 0600 enforced | yes | yes |
+
+The same `--credentials` CLI flag works for both methods; shimkit
+detects which provider and mounts accordingly.
+
+---
+
+## Renewal
+
+Same as Cloudflare and webroot:
+
+```bash
+shimkit tls renew --yes
+```
+
+certbot reads `/etc/letsencrypt/renewal/<domain>.conf` per cert
+(written at issuance time) and reuses the same method. The daily
+renewal cron from v0.8.0 covers all three methods.
+
+---
+
+## Config
+
+```json
+{
+  "tools": {
+    "tls": {
+      "certbot_dns_route53_image": "certbot/dns-route53:v3.0.1",
+      "route53_propagation_seconds": 60
+    }
+  }
+}
+```
+
+Pin the image to a specific version if you don't want auto-
+updates. Lower `route53_propagation_seconds` if Route53 propagates
+fast in your account (often 10-30s in practice).
+
+---
+
+## Stats
+
+- Tests: 1116 → 1130 (+14)
+- Gates: pytest, ruff, mypy strict — all green
+- New optional extras: 0
+
+---
+
+## Upgrading
+
+```bash
+uv tool upgrade shimkit
+pipx upgrade shimkit
+```
+
+Existing webroot + Cloudflare users see no behavioural change. To
+start using Route53, set up the IAM key + credentials file then
+pass `--method dns-route53 --credentials`.
@@ -41,6 +41,43 @@ docker run --rm \
   [--staging]
 ```
 
+### DNS-route53 (DNS-01, v0.17.0+)
+
+`shimkit tls request --method dns-route53` runs:
+
+```
+docker run --rm \
+  -v ~/.shimkit/data/tls/etc-letsencrypt:/etc/letsencrypt \
+  -v ~/.shimkit/data/tls/var-lib-letsencrypt:/var/lib/letsencrypt \
+  -v <aws-credentials-file>:/root/.aws/credentials:ro \
+  certbot/dns-route53:v3.0.1 \
+  certonly --non-interactive --agree-tos \
+  --email ops@example.com \
+  --dns-route53 \
+  --dns-route53-propagation-seconds 60 \
+  -d example.com [-d '*.example.com'] \
+  [--staging]
+```
+
+**Required for wildcards on AWS-hosted domains.** The Route53
+plugin reads boto3's default credentials file —
+`/root/.aws/credentials` inside the container. shimkit mounts
+your local AWS credentials file directly at that path (different
+from Cloudflare's `--dns-cloudflare-credentials` flag).
+
+**Credentials file format** (standard AWS):
+
+```ini
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+```
+
+The IAM key needs `route53:ChangeResourceRecordSets` and
+`route53:GetChange` on the hosted zone you're issuing for.
+
+**Mode 0600 required** (same check as Cloudflare).
+
 ### DNS-cloudflare (DNS-01, v0.13.0+)
 
 `shimkit tls request --method dns-cloudflare` runs:
@@ -207,11 +244,12 @@ in `tls list` / `tls status` (which shells out to `openssl x509
   punishing (5 failed validations / hour / hostname). Always
   pass `--staging` for first runs; the resulting cert isn't
   trusted but proves the webroot setup works.
-- **Webroot vs DNS-01.** Both are wired as of v0.13.0. Webroot
-  (HTTP-01) is the default; DNS-01 via Cloudflare is opt-in via
-  `--method dns-cloudflare` and is the **only** path to wildcard
-  certs. Other DNS providers (Route53, DigitalOcean, etc.) each
-  need their own credential surface and are deferred.
+- **Webroot vs DNS-01.** As of v0.17.0, three methods are wired:
+  webroot (HTTP-01, default), dns-cloudflare (DNS-01), and
+  dns-route53 (DNS-01). DNS-01 is the only path to wildcard
+  certs. Other DNS providers (DigitalOcean, Hurricane Electric,
+  etc.) each need their own credential surface and provider-
+  specific image — opt-in extras in a future release.
 - **No PyPI extra.** This tool reuses the `[docker-clean]`
   extra's `docker` package — no new install footprint.
 - **Renewal cadence.** Let's Encrypt certs are valid for 90 days;
 
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "shimkit"
-version = "0.16.0"
+version = "0.17.0"
 description = "A toolkit of developer utilities — Java version manager, shell upgrader, and more. Python tools, shimmed by bash."
 readme = "README.md"
 license = { file = "LICENSE" }
 
@@ -3,5 +3,5 @@
 Python tools, shimmed by bash.
 """
 
-__version__ = "0.16.0"
+__version__ = "0.17.0"
 __all__ = ["__version__"]
@@ -195,8 +195,10 @@
       "data_dir": "~/.shimkit/data/tls",
       "certbot_image": "certbot/certbot:v3.0.1",
       "certbot_dns_cloudflare_image": "certbot/dns-cloudflare:v3.0.1",
+      "certbot_dns_route53_image": "certbot/dns-route53:v3.0.1",
       "default_method": "webroot",
       "cloudflare_propagation_seconds": 60,
+      "route53_propagation_seconds": 60,
       "default_email": null,
       "renewal_schedule": "17 3 * * *",
       "revoke_severe_token": "REVOKE-TLS"
 
@@ -428,13 +428,18 @@ class TlsConfig(_StrictModel):
     # Certbot image with the dns-cloudflare plugin pre-installed.
     # Used when `--method dns-cloudflare` is passed.
     certbot_dns_cloudflare_image: str = "certbot/dns-cloudflare:v3.0.1"
+    # Certbot image with the dns-route53 plugin pre-installed
+    # (v0.17.0+).
+    certbot_dns_route53_image: str = "certbot/dns-route53:v3.0.1"
     # Default ACME challenge method. `webroot` (HTTP-01) is the
-    # original; `dns-cloudflare` (DNS-01) lands in v0.13.0 and is the
-    # path to wildcard certs.
-    default_method: Literal["webroot", "dns-cloudflare"] = "webroot"
-    # Cloudflare DNS propagation seconds. The plugin's recommended
-    # baseline; safe to lower on accounts with fast propagation.
+    # original; `dns-cloudflare` (DNS-01) landed in v0.13.0 +
+    # `dns-route53` in v0.17.0, both paths to wildcard certs.
+    default_method: Literal["webroot", "dns-cloudflare", "dns-route53"] = "webroot"
+    # DNS propagation seconds. Same knob for both Cloudflare and
+    # Route53 — actual real-world propagation usually 10-30s but
+    # 60s is the safe published default for both plugins.
     cloudflare_propagation_seconds: int = Field(default=60, ge=0, le=600)
+    route53_propagation_seconds: int = Field(default=60, ge=0, le=600)
     # ACME account email. Required by Let's Encrypt for issuance unless
     # `--register-unsafely-without-email` is passed (we don't expose
     # that flag). User config overrides per-install.