diff --git a/encryption/route53.go b/encryption/route53.go
index 51fa4f370..d9f13e030 100644
--- a/encryption/route53.go
+++ b/encryption/route53.go
@@ -13,6 +13,8 @@ import (
 	"golang.org/x/crypto/acme"
 )
 
+// Route53TLS by default, loads the AWS configuration from the environment.
+// env variables: AWS_REGION, AWS_PROFILE, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
 type Route53TLS struct {
 	DataDir            string
 	Email              string
@@ -28,17 +30,14 @@ func (r *Route53TLS) GetCertificate() (*tls.Config, error) {
 	certmagic.DefaultACME.Agreed = true
 	certmagic.DefaultACME.Email = r.Email
 	if r.CA == "" {
-		certmagic.DefaultACME.CA = certmagic.LetsEncryptProductionCA
+		certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA
 	} else {
 		certmagic.DefaultACME.CA = r.CA
 	}
 
 	certmagic.DefaultACME.DNS01Solver = &certmagic.DNS01Solver{
 		DNSManager: certmagic.DNSManager{
-			DNSProvider: &route53.Provider{
-				AccessKeyId:     r.AwsAccessKeyID,
-				SecretAccessKey: r.AwsSecretAccessKey,
-			},
+			DNSProvider: &route53.Provider{},
 		},
 	}
 	cm := certmagic.NewDefault()
diff --git a/relay/cmd/main.go b/relay/cmd/main.go
index f980d7e22..a94ad58ed 100644
--- a/relay/cmd/main.go
+++ b/relay/cmd/main.go
@@ -30,17 +30,18 @@ type Config struct {
 	ListenAddress string
 	// in HA every peer connect to a common domain, the instance domain has been distributed during the p2p connection
 	// it is a domain:port or ip:port
-	ExposedAddress                string
-	LetsencryptEmail              string
-	LetsencryptDataDir            string
-	LetsencryptDomains            []string
-	LetsencryptAWSAccessKeyID     string
-	LetsencryptAWSSecretAccessKey string
-	TlsCertFile                   string
-	TlsKeyFile                    string
-	AuthSecret                    string
-	LogLevel                      string
-	LogFile                       string
+	ExposedAddress     string
+	LetsencryptEmail   string
+	LetsencryptDataDir string
+	LetsencryptDomains []string
+	// in case of using Route 53 for DNS challenge the credentials should be provided in the environment variables or
+	// in the AWS credentials file
+	LetsencryptAWSRoute53 bool
+	TlsCertFile           string
+	TlsKeyFile            string
+	AuthSecret            string
+	LogLevel              string
+	LogFile               string
 }
 
 func (c Config) Validate() error {
@@ -61,22 +62,6 @@ func (c Config) HasLetsEncrypt() bool {
 	return c.LetsencryptDataDir != "" && c.LetsencryptDomains != nil && len(c.LetsencryptDomains) > 0
 }
 
-func (c Config) HasRoute54Credentials() bool {
-	if c.LetsencryptDataDir == "" {
-		return false
-	}
-
-	if c.LetsencryptEmail == "" {
-		return false
-	}
-
-	if c.LetsencryptDomains == nil || len(c.LetsencryptDomains) == 0 {
-		return false
-	}
-
-	return true
-}
-
 var (
 	cobraConfig *Config
 	cfgFile     string
@@ -97,8 +82,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&cobraConfig.LetsencryptDataDir, "letsencrypt-data-dir", "d", "", "a directory to store Let's Encrypt data. Required if Let's Encrypt is enabled.")
 	rootCmd.PersistentFlags().StringArrayVarP(&cobraConfig.LetsencryptDomains, "letsencrypt-domains", "a", nil, "list of domains to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS")
 	rootCmd.PersistentFlags().StringVar(&cobraConfig.LetsencryptEmail, "letsencrypt-email", "", "email address to use for Let's Encrypt certificate registration")
-	rootCmd.PersistentFlags().StringVar(&cobraConfig.LetsencryptAWSAccessKeyID, "letsencrypt-aws-accesskeyid", "", "AWS Access Key ID for Route 53 DNS provider")
-	rootCmd.PersistentFlags().StringVar(&cobraConfig.LetsencryptAWSSecretAccessKey, "letsencypt-aws-secretaccesskey", "", "AWS Secret Access Key for Route 53 DNS provider")
+	rootCmd.PersistentFlags().BoolVar(&cobraConfig.LetsencryptAWSRoute53, "letsencrypt-aws-route53", false, "use AWS Route 53 for Let's Encrypt DNS challenge")
 	rootCmd.PersistentFlags().StringVarP(&cobraConfig.TlsCertFile, "tls-cert-file", "c", "", "")
 	rootCmd.PersistentFlags().StringVarP(&cobraConfig.TlsKeyFile, "tls-key-file", "k", "", "")
 	rootCmd.PersistentFlags().StringVarP(&cobraConfig.AuthSecret, "auth-secret", "s", "", "log level")
@@ -141,11 +125,8 @@ func loadConfig(configFile string) (*Config, error) {
 	if cobraConfig.LetsencryptEmail != "" {
 		loadedConfig.LetsencryptEmail = cobraConfig.LetsencryptEmail
 	}
-	if cobraConfig.LetsencryptAWSAccessKeyID != "" {
-		loadedConfig.LetsencryptAWSAccessKeyID = cobraConfig.LetsencryptAWSAccessKeyID
-	}
-	if cobraConfig.LetsencryptAWSSecretAccessKey != "" {
-		loadedConfig.LetsencryptAWSSecretAccessKey = cobraConfig.LetsencryptAWSSecretAccessKey
+	if cobraConfig.LetsencryptAWSRoute53 {
+		loadedConfig.LetsencryptAWSRoute53 = true
 	}
 
 	if loadedConfig.LogLevel == "" {
@@ -218,14 +199,12 @@ func execute(cmd *cobra.Command, args []string) error {
 }
 
 func handleTLSConfig(cfg *Config) (*tls.Config, bool, error) {
-	if cfg.HasRoute54Credentials() {
+	if cfg.LetsencryptAWSRoute53 {
 		log.Debugf("using Let's Encrypt DNS resolver with Route 53 support")
 		r53 := encryption.Route53TLS{
-			DataDir:            cfg.LetsencryptDataDir,
-			Email:              cfg.LetsencryptEmail,
-			AwsAccessKeyID:     cfg.LetsencryptAWSAccessKeyID,
-			AwsSecretAccessKey: cfg.LetsencryptAWSSecretAccessKey,
-			Domains:            cfg.LetsencryptDomains,
+			DataDir: cfg.LetsencryptDataDir,
+			Email:   cfg.LetsencryptEmail,
+			Domains: cfg.LetsencryptDomains,
 		}
 		tlsCfg, err := r53.GetCertificate()
 		if err != nil {