Amazon route53 wildcard domain support question / issue

Do wildcard domains and Amazon's Route53 DNS server work? I am running something like:
/opt/certbot/certbot-auto --server
-d *
--preferred-challenges dns-01
--manual-auth-hook "./get_letsencrypt_cert.php dnsauth "
--manual-cleanup-hook "./get_letsencrypt_cert.php dnsclean "

where "./get_letsencrypt_cert.php dnsauth " updates my route53 stuff with the requested TXT record and
"./get_letsencrypt_cert.php dnsclean " deletes the requested TXT record.

I can run this without the
--manual-auth-hook "./get_letsencrypt_cert.php dnsauth "
--manual-cleanup-hook "./get_letsencrypt_cert.php dnsclean "
options and manually do the TXT records when instructed but when I let the automation fully kick in I get an error.

It appears that the --manual-auth-hook "./get_letsencrypt_cert.php dnsauth " is called 2 times… before the
--manual-cleanup-hook "./get_letsencrypt_cert.php dnsclean " and Amazon’s Route53 won’t let you have 2 TXT records with the same name.

The 2nd time the add txt record call fires off, I get:

Error: InvalidChangeBatch: Tried to create resource record set [name='', type='TXT'] but it already exists
status code: 400, request id: d1e535b4-3dd8-11e8-bd57-8d70af6798a7

which is true… on GoDaddy DNS servers… you can have two TXT records… on route53 you apparently can not have two records with the same name.

IF the system did a --manual-auth-hook followed by a --manual-cleanup-hook and then did the 2nd batch of
--manual-auth-hook followed by a --manual-cleanup-hook I think it would be fine… that’s what I do when I run the command without the hooks and manually create and remove the TXT records.

Anyway… is it just me or am I doing something wrong?

  • jack

If that’s the case, then you won’t be able to get a single cert that covers both the base domain and the wildcard.

This is not true, it’s just a matter of understanding how Route53 organizes records.

In the user interface, you need to just provide the TXT values on separate lines.

For the API, you need to read the documentation. (i.e. the author of whatever script you are using is not using the API correctly).


Still having an issue with this.

I have opened an issue with: [jed/certbot-route53] letsencrypt wildcard domain support (#16) on github.

I think that it’s a certbot issue though.

So before anyone says something like " you need to read the documentation" I really want to know if anyone has gotten it to actually work… not just work in theory?

I can use: from [jed/certbot-route53] to do

--domains *
but NOT

--domains *,

so… before anyone gives any ‘theory’ responses… certbot with the manual options actually work with * and and aws route53 servers?

I can get certbot manual stuff to work with GoDaddy’s DNS server but they allow TXT records with the same name.

Amazon Route53 DNS servers do NOT allow TXT records with the same name.

So WHO has actually gotten certbot, route53 and * and type domains to work?

  • jack


Here you go bud:

$ sudo certbot certonly --dns-route53 -d '*' -d '' --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for
dns-01 challenge for
Starting new HTTPS connection (1):
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

only supports one TXT record at a time, overwriting any existing ones (like the other one it set 30 seconds earlier) when it sets a new one.

It would have to be modified to support doing “-d -d '*'” in one step.

I do it all the time, with a custom manual hook that does support adding and removing individual records from the record set. (I haven’t released it.)

Certbot’s own Route 53 plugin, which @_az linked to the documentation for, would also be a good choice, if you can install it conveniently.

Edit: Honestly, the Route 53 API makes this a pain.
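
The approach described in the replies above (adding and removing individual values in one record set, instead of creating a second TXT record) comes down to the change batches below. This is an added example, not code from any poster, from certbot or from jed/certbot-route53; the function names, the TTL, the example.com name and the tokens are assumptions, and the returned dicts follow the ChangeBatch shape of Route 53's ChangeResourceRecordSets API.

```python
"""Route 53 change batches for a certbot manual hook, so two dns-01 challenges
for the same _acme-challenge name share one TXT record set."""

TTL = 10  # assumed; the set is always written with this TTL, so DELETE matches


def _record_set(name, values, ttl=TTL):
    # Route 53 keeps every TXT value for a name in ONE record set.
    return {"Name": name, "Type": "TXT", "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values]}


def _quote(validation):
    return '"%s"' % validation  # TXT values are stored wrapped in double quotes


def auth_batch(name, existing, validation, ttl=TTL):
    """Auth hook: merge the new token into what is already published.

    `existing` is the list of quoted values currently in the record set
    (empty if there is none), as read back from the hosted zone.
    """
    token = _quote(validation)
    merged = list(existing) if token in existing else list(existing) + [token]
    # UPSERT replaces the whole set, so it must carry old and new values.
    return {"Changes": [{"Action": "UPSERT",
                         "ResourceRecordSet": _record_set(name, merged, ttl)}]}


def cleanup_batch(name, existing, validation, ttl=TTL):
    """Cleanup hook: drop only this token; delete the set if it was the last."""
    token = _quote(validation)
    if token not in existing:
        return None  # nothing of ours is published
    remaining = [v for v in existing if v != token]
    if remaining:
        change = {"Action": "UPSERT",
                  "ResourceRecordSet": _record_set(name, remaining, ttl)}
    else:
        # DELETE must repeat the record set exactly as it currently exists.
        change = {"Action": "DELETE",
                  "ResourceRecordSet": _record_set(name, existing, ttl)}
    return {"Changes": [change]}


if __name__ == "__main__":
    # Constructed name and tokens standing in for certbot's two validations.
    name = "_acme-challenge.example.com."
    print(auth_batch(name, [_quote("tokenA")], "tokenB"))
```

A hook would read the current values with ListResourceRecordSets, pass them in as `existing`, and submit the result; a plain CREATE on the second call is what produces the InvalidChangeBatch error quoted in the question.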
