Hey guys,
I have some issues getting a certificate for an AWS Linux server using Route 53 and certbot with the "dns-route53" plugin.
I set up a public hosted zone:
cdk.syrocon.cloud with the corresponding IAM roles for my EC2 instance.
cdk.syrocon.cloud.
NS
ns-331.awsdns-41.com.
ns-1427.awsdns-50.org.
ns-745.awsdns-29.net.
ns-1950.awsdns-51.co.uk.
I ran this command:
certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d cdk.syrocon.cloud
Output is:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cdk.syrocon.cloud
Please deploy a DNS TXT record under the name
_acme-challenge.cdk.syrocon.cloud with the following value:
V38T5yEmL5mx7vXqOWyykxdQnAdaLOVq6vECvuv3WVc
Before continuing, verify the record is deployed.
Press Enter to Continue (note: TXT record created successfully)
Waiting for verification...
Challenge failed for domain cdk.syrocon.cloud
dns-01 challenge for cdk.syrocon.cloud
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: cdk.syrocon.cloud
Type: None
Detail: DNS problem: SERVFAIL looking up TXT for
_acme-challenge.cdk.syrocon.cloud
According to Route53
Response from Route 53 based on the following options.
DNS request sent to Route 53
_acme-challenge.cdk.syrocon.cloud. IN TXT
EDNS0 client subnet IP
24
DNS response code
NOERROR
Protocol
UDP
Response returned by Route 53
"V38T5yEmL5mx7vXqOWyykxdQnAdaLOVq6vECvuv3WVc"
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.34.2
A dig command results in:
[root@ci ~]# dig @8.8.8.8 _acme-challenge.cdk.syrocon.cloud txt
<<>> DiG 9.9.4-RedHat-9.9.4-73.amzn2.1.2 <<>> @8.8.8.8 _acme-challenge.cdk.syrocon.cloud txt
(1 server found)
global options: +cmd
Got answer:
->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34218
flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
OPT PSEUDOSECTION:
EDNS: version: 0, flags:; udp: 512
QUESTION SECTION:
_acme-challenge.cdk.syrocon.cloud. IN TXT
Query time: 92 msec
SERVER: 8.8.8.8#53(8.8.8.8)
WHEN: Wed May 15 14:39:47 UTC 2019
MSG SIZE rcvd: 62
What am I missing here?
Regards, Mirko
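A pre-flight check for the situation in this post, written as an added example (it is not part of the original post or of certbot): it sends the same TXT query to the zone's own nameservers and to a public recursive resolver and reports the RCODE and answer count from each, so the mismatch (NOERROR from Route 53, SERVFAIL from 8.8.8.8) is visible before pressing Enter. The hostnames and nameservers are the ones quoted in the post; everything else uses only the Python standard library.

```python
import random
import socket
import struct

QTYPE_TXT = 16
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=QTYPE_TXT, txid=None):
    """Build a one-question DNS query (RD=1); name becomes wire-format labels."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(response):
    """Return (txid, rcode name, answer count) from a raw DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x0F
    return txid, RCODES.get(rcode, "RCODE%d" % rcode), an

def query_rcode(server, name, timeout=3.0):
    """Send one UDP query to `server` (IP or hostname); return (rcode, answers)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    txid, rcode, an = parse_header(data)
    if txid != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    return rcode, an

def compare(name, servers):
    """Query every server. NOERROR from the zone's NS but SERVFAIL from a
    recursive resolver means the record exists at the authority but the
    resolver cannot resolve or validate the path to it, so the ACME
    validator, which also resolves recursively, will fail the same way."""
    results = {}
    for srv in servers:
        try:
            results[srv] = query_rcode(srv, name)
        except (OSError, ValueError) as e:
            results[srv] = ("ERROR", str(e))
    return results

if __name__ == "__main__":
    # Two of the zone's nameservers from the post plus Google's public resolver.
    servers = ["ns-331.awsdns-41.com", "ns-1427.awsdns-50.org", "8.8.8.8"]
    for srv, res in compare("_acme-challenge.cdk.syrocon.cloud", servers).items():
        print("%-25s %s" % (srv, res))
```

Run it between creating the TXT record and pressing Enter; if the recursive resolvers do not all return NOERROR with at least one answer, the challenge will fail regardless of what Route 53 itself returns.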