AWS Lightsail - Name does not end in a public suffix


Hello Let’s Encrypt

I was following this AWS Tutorial on how to install an SSL certificate.

But when I got to step 3 part 6, I got an error message (see below)

I entered my email address and verified it with the Electronic Frontier Foundation
I agreed to the terms and conditions

What have I done wrong? .com is a public suffix

Any help is appreciated.


My domain is:

I ran this command: sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

It produced this output: The request message was malformed :: Error creating new order :: Name does not end in a public suffix

My web server is (include version): Server version: Apache/2.4.34 (Unix) Server built: Jul 30 2018 17:17:22

The operating system my web server runs on is (include version): Linux 4.4.0-1065-aws x86_64

My hosting provider, if applicable, is: AWS - Lightsail - Bitnami WordPress Instance

I can login to a root shell on my machine (yes or no, or I don’t know): yes via Lightsail SSH terminal

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0


What are $DOMAIN and $WILDCARD set to?


Thanks for the fast reply!



*.DOMAIN isn’t a public suffix. It’s supposed to be *

By the way, relying on manual validation is problematic. It means the certificate can’t be automatically renewed and you have to do it by hand every couple months.

That tutorial is apparently using Ubuntu; your domain is using Cloudflare’s DNS. You can install the Certbot Cloudflare DNS plugin with sudo apt-get install python3-certbot-dns-cloudflare and use it to validate with less copying and pasting and more automatic renewal. (You still have to fix the domain, though.)
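Added example (not part of the original posts, and not code from the AWS tutorial or Certbot): a pre-flight check that catches a mis-set wildcard such as `*.DOMAIN` before the two names are handed to `certbot -d`. The function names and `example.com` are placeholders, and the name check is syntactic only; it does not consult the real Public Suffix List.

```shell
#!/bin/sh
# Pre-flight check for the two names passed to `certbot -d`.
# Function names are hypothetical; example.com is a placeholder domain.

# Return 0 if $1 is a plausible lowercase DNS name: two or more labels of
# letters/digits/hyphens and an alphabetic final label. Syntax only; this
# does not look the name up in the Public Suffix List.
valid_base_name() {
    printf '%s\n' "$1" | grep -Eq \
      '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Return 0 only when the wildcard is exactly "*." followed by the base domain.
# Exit codes: 1 = bad base domain, 2 = wildcard does not match the domain.
check_cert_names() {
    domain=$1
    wildcard=$2
    if ! valid_base_name "$domain"; then
        echo "DOMAIN '$domain' is not a valid lowercase DNS name" >&2
        return 1
    fi
    if [ "$wildcard" != "*.$domain" ]; then
        echo "WILDCARD '$wildcard' should be '*.$domain'" >&2
        return 2
    fi
    return 0
}

# Constructed sample values.
DOMAIN=example.com
WILDCARD="*.$DOMAIN"       # correct: the shell expands $DOMAIN
BAD_WILDCARD='*.DOMAIN'    # constructed typo: the "$" is missing

if check_cert_names "$DOMAIN" "$WILDCARD"; then
    echo "names OK: safe to pass -d $DOMAIN -d $WILDCARD"
fi
check_cert_names "$DOMAIN" "$BAD_WILDCARD" || echo "rejected (exit $?)"
```
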


@mnordhoff thanks for your help, it’s appreciated.

Sorry for making an obvious syntax error, my apologies. I’ll pay closer attention from now on.

Thank you for the suggestion of using the Certbot Cloudflare DNS plugin.
I’m tempted to move the domain to AWS Route 53 to manage the DNS there.
If so, would I be able to set up auto renewal?

A quick Google reveals:

Am I on the right track?


Certbot also has a Route 53 plugin. :slightly_smiling_face:



You’re very helpful, thank you! :smile:
