I am using Certbot and have several domains that I need to switch from HTTP authorization to AWS Route 53.
Both configurations are working fine, but now I need to switch all the certificates to use Route 53. Is there a certbot command that does that?
In the config file I see this:
[renewalparams]
authenticator = apache
installer = apache
account = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
I found this thread in the letsencrypt community forum, where it is mentioned that the global /etc/letsencrypt/cli.ini
takes precedence over the renewal config of the single domains. If all your domains should be authenticated via Route 53, you can add your config there.
Adding /etc/letsencrypt/cli.ini to the server is the trick.
This is a sample file from https://gist.github.com/antillean/8517fba47df25a98100a
This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Uncomment and update to register with the specified e-mail address
# email = antillean@example.com
# Uncomment and update to generate certificates for the specified
# domains.
# domains = sub.example.com, sub2.example.com, sub3.test.example
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = http-01
So for it to work, the changes required were to change the authenticator to
authenticator = dns-route53
and then run a sed command in the /etc/letsencrypt/conf directory to remove the preferred challenges, which were HTTP, so it will default to the dns-route53 challenge:
sed -i 's/pref_challs = http-01,//g' *.conf
then test it by running
certbot renew
and everything worked as desired.
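The sed one-liner above deletes the pref_challs line wholesale and leaves the authenticator change to the global cli.ini. The script below, an added example that is not part of the original answers, does the same migration per file but in a reviewable way: it parses the [renewalparams] section of each renewal config, switches authenticator to dns-route53, strips only http-01 from any pref_challs list (keeping other challenges if present), and does a dry run by default so you can see which files would change before anything under /etc is written. It assumes the per-domain configs are the *.conf files certbot keeps under /etc/letsencrypt/renewal; the sample config embedded below is constructed for the demo and its account id is a placeholder.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample of a certbot renewal config. Real files live under
# /etc/letsencrypt/renewal/<domain>.conf; the account value is a placeholder.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 1.0.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

[renewalparams]
authenticator = apache
installer = apache
account = PLACEHOLDER_ACCOUNT_ID
pref_challs = http-01,
server = https://acme-v02.api.letsencrypt.org/directory
"""

# "key = value" lines; comments ("# ...") and section headers do not match.
KEY_RE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$")


def rewrite_renewal_conf(text, authenticator="dns-route53", drop_challenge="http-01"):
    """Return the config text with the authenticator switched and the given
    challenge removed from pref_challs. Only the [renewalparams] section is
    touched; the path lines above it are copied through unchanged."""
    out, in_params = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_params = stripped == "[renewalparams]"
            out.append(line)
            continue
        m = KEY_RE.match(line)
        if in_params and m:
            key, value = m.group(1), m.group(2)
            if key == "authenticator":
                out.append(f"authenticator = {authenticator}")
                continue
            if key == "pref_challs":
                kept = [c.strip() for c in value.split(",")
                        if c.strip() and c.strip() != drop_challenge]
                # Drop the line entirely when nothing is left, so certbot
                # falls back to the challenge the authenticator supports.
                if kept:
                    out.append("pref_challs = " + ",".join(kept) + ",")
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def renewal_params(text):
    """Parse the [renewalparams] section into a dict for verification."""
    params, in_params = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_params = stripped == "[renewalparams]"
            continue
        m = KEY_RE.match(line)
        if in_params and m:
            params[m.group(1)] = m.group(2)
    return params


def migrate_directory(renewal_dir, apply=False):
    """Rewrite every *.conf in renewal_dir and return the names of files that
    change. With apply=False (dry run) nothing is written; with apply=True a
    .bak copy of each original is kept next to the rewritten file."""
    changed = []
    for path in sorted(Path(renewal_dir).glob("*.conf")):
        original = path.read_text()
        updated = rewrite_renewal_conf(original)
        if updated != original:
            changed.append(path.name)
            if apply:
                Path(str(path) + ".bak").write_text(original)
                path.write_text(updated)
    return changed


def demo_in_tempdir():
    """Run the migration against a throwaway directory holding the sample
    config: dry run, then apply, then a second dry run that should be clean."""
    workdir = tempfile.mkdtemp()
    Path(workdir, "example.com.conf").write_text(SAMPLE_CONF)
    dry = migrate_directory(workdir)
    applied = migrate_directory(workdir, apply=True)
    after = migrate_directory(workdir)
    params = renewal_params(Path(workdir, "example.com.conf").read_text())
    return dry, applied, after, params


if __name__ == "__main__":
    # Dry run against the real directory; pass apply=True once the list looks right.
    print(migrate_directory("/etc/letsencrypt/renewal"))
```

After applying, `certbot renew --dry-run` against the staging environment is the cheapest check that the dns-route53 plugin is installed and that the IAM credentials certbot runs under can write the _acme-challenge TXT records.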