DNSSEC: DNSKEY Missing Wordpress Multisite on AWS Lightsail

I've read countless threads and tried multiple solutions, but I think it's something with either the domain registrar or the DNS and not the hosting setup. The domain name was initially hosted with Fasthosts and then moved to 123 reg simultaneously as I moved the hosting from another provider onto AWS Lightsail.

It's a Bitnami WordPress multisite installation.

I can issue a certificate for the main domain that's hosted on the multisite, which is brfpaintingcontractors.co.uk.

I've run letsdebug - Let's Debug
and from what I can tell the domain name and DNS are resolving as expected - DNS Lookup for thenorwichdecorator.co.uk

A friend of mine has duplicated my exact setup with 2 spare domain names and had no issue with issuing certificates, hopefully, someone can make sense of it all.

I did try and switch the DNS back to the original hosting as well, and then tried to issue the cert with them, but I got exactly the same error, which makes me think it's 123 reg that is causing the issue.

My domain is:
https://thenorwichdecorator.co.uk/

I ran this command:
sudo /opt/bitnami/letsencrypt/lego --tls --email="******" --domains="thenorwichdecorator.co.uk" --domains="www.thenorwichdecorator.co.uk" --path="/opt/bitnami/letsencrypt" run

It produced this output:
2023/09/25 14:53:12 Could not obtain certificates: error: one or more domains had a problem: [thenorwichdecorator.co.uk] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: looking up A for thenorwichdecorator.co.uk: DNSSEC: DNSKEY Missing; DNS problem: looking up AAAA for thenorwichdecorator.co.uk: DNSSEC: DNSKEY Missing [www.thenorwichdecorator.co.uk] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: looking up A for www.thenorwichdecorator.co.uk: DNSSEC: DNSKEY Missing; DNS problem: looking up AAAA for www.thenorwichdecorator.co.uk: DNSSEC: DNSKEY Missing

My web server is (include version):
Server version: Apache/2.4.57 (Unix)

The operating system my web server runs on is (include version):
It's running a Bitnami WordPress multisite

My hosting provider, if applicable, is:
AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Yes there is definitely something wrong with your DNS. You could try turning off DNSSEC and use unboundtest or DNSViz to check. Then re-enable DNSSEC and hopefully it gets set up properly.

https://dnsviz.net/d/thenorwichdecorator.co.uk/dnssec/

https://unboundtest.com/m/A/thenorwichdecorator.co.uk/BCNZMFGO

5 Likes

I don't usually configure DNSSEC manually, but I think your current registrar ultimately holds the DNSSEC DS record, which in turn expects certain records in your domain's DNS. I would suggest removing DNSSEC and adding it again (assuming you want to have it). Removing it involves your registrar doing stuff on their side, so it's not just a DNS edit for you.

2 Likes

Thanks for the reply. This is the bit I'm stuck on: how do I turn off DNSSEC with AWS? According to some articles AWS Lightsail doesn't support DNSSEC, and when I asked 123Reg they say that DNSSEC isn't enabled on that domain.

1 Like

So the co.uk nameservers think that DNSSEC is enabled for thenorwichdecorator.co.uk, and specify the key that it should be using, but the nameservers aren't signing it with DNSSEC. If you aren't using DNSSEC, you need to have the registrar fix it so that it isn't enabled for the domain. If you are using DNSSEC, you need to have the DNS servers sign with a key and have the key set with the registrar. Either way, the registrar will need to update something.

Well, they're wrong. Bug them again.

7 Likes

One thing I don't think I mentioned is I'm not using the 123reg name servers, so all the DNS records are on AWS Lightsail. When I say all, it's 2: 1 A record and 1 CNAME pointing to the A record.

Not sure if that's going to make a difference.

That's not really true. DNS is a tree and in your case starts at the .uk name servers and works toward your fully qualified name level by level.

I see Peter is about to add so I'll let him finish :slight_smile:

See the DNSViz site I linked to earlier.

5 Likes

No, your DNS servers are fine (at least if you don't want DNSSEC, and I agree I don't think you can do that with Lightsail yet).

It's the registrar that handles the updates to the co.uk level, which currently thinks your domain is DNSSEC-secured. There's usually a web interface somewhere to set or remove the DNSSEC key, but I'm not familiar with your particular registrar.

(And really, this isn't related to certificates at all. Your domain just doesn't work from any DNSSEC-checking resolver.)

6 Likes
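The relationship described in the two replies above (a DS record that the registrar publishes at the co.uk level, which must match a DNSKEY the domain's own nameservers serve) can be checked offline, given the two record sets. This is an added example, not code from this thread or from lego; the domain name is the thread's, the DNSKEY bytes are constructed, and the DS is derived from that constructed key using the RFC 4034 key tag and RFC 4509 SHA-256 digest.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256(owner name | DNSKEY RDATA), RFC 4509."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def diagnose(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """parent_ds: (key_tag, algorithm, digest_type, digest) tuples the registrar
    put in the parent zone; child_dnskeys: DNSKEY RDATA the zone itself serves."""
    if not parent_ds and not child_dnskeys:
        return "insecure: no DS and no DNSKEY (DNSSEC simply not enabled)"
    if not parent_ds:
        return "insecure: DNSKEY served but no DS at the registrar"
    if not child_dnskeys:
        return "bogus: DS at parent but the zone serves no DNSKEY"
    for tag, alg, dtype, digest in parent_ds:
        for rd in child_dnskeys:
            if (dtype == 2 and rd[3] == alg and key_tag(rd) == tag
                    and ds_digest_sha256(owner, rd) == digest):
                return "secure: DS matches a served DNSKEY"
    return "bogus: DS at parent matches none of the served DNSKEYs"

# Constructed sample: a KSK (flags 257, algorithm 13) with made-up key bytes.
OWNER = "thenorwichdecorator.co.uk"
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
DS_AT_REGISTRAR = [(key_tag(KSK), 13, 2, ds_digest_sha256(OWNER, KSK))]

if __name__ == "__main__":
    print(diagnose(OWNER, DS_AT_REGISTRAR, []))     # the thread's situation
    print(diagnose(OWNER, DS_AT_REGISTRAR, [KSK]))  # nameservers serving the key
```

The "bogus" outcomes are exactly what a validating resolver turns into SERVFAIL and what Let's Encrypt reported as "DNSKEY Missing"; either the registrar drops the DS or the nameservers must serve (and sign with) the matching DNSKEY.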

Thank you for your help. I've raised a new support ticket with 123-reg; on their website the article on DNSSEC has this within it:

Should I enable DNSSEC?

If your website processes sensitive data for customers, then we recommend enabling DNSSEC for your domain name.

To do this, please get in touch with our Support team and they will be able to assist you.

I'll post any updates once I have them.

2 Likes

I would:

  • disable DNSSEC [that happens at the registrar]
  • Issue new cert(s) - a.k.a. renew the cert(s)
    [that will reset the clock - and it would give you 90 days to fix/break/fix it]
  • then reenable DNSSEC
  • then test cert renewals with --dry-run OR Let's Debug

4 Likes

I don't think lego supports --dry-run like Certbot does. But I agree disabling DNSSEC and then getting a cert is a good idea. Can try re-enabling DNSSEC after that and test with https://unboundtest.com and/or DNSViz.

4 Likes

Oh well..
3 out of 4 ain't bad!

Maybe use LetsDebug instead of --dry-run.

4 Likes

Thank you so much for all your help. After pushing 123 again and pointing them to this support ticket I finally got it resolved; their response was:

Hi there,

I have looked into this a little bit more and found that there is a DNSSEC record on the domain.

I have now removed this, as per your request.

This may take up to 24 hours to update and propagate over the internet.

Then please try to reissue the SSL and let me know if there will be anything else I may assist you with.

Kind regards,

I'm sure had I not pointed them to this post though, it would not have been so quick.

I just wish I'd opened this ticket 2 weeks ago and saved myself a lot of time and effort, once again thanks.

4 Likes
