Error with using bncert on AWS Lightsail

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo /opt/bitnami/bncert-tool

It produced this output:
An error occurred creating certificates with Let's Encrypt:

error: one or more domains had a problem:
[] acme: error: 400 :: urn:ietf:params:
:: During secondary validation: DNS problem: SERVFAIL looking up
CAA for - the domain's nameservers may be malf

Please check our documentation and support forums, we'll be happy
to help!

Press [Enter] to continue:


An error occurred when applying configurations.

The web server configuration was left unchanged. There was an err
or in the new or in the new
configuration, so it was reverted.

Failed steps:

  • Running Let's Encrypt: Error creating certificates

Find more details in the log file:


If you find any issues, please check Bitnami Support forums at:

Press [Enter] to continue:

My web server is (include version): Apache/2.4.43

The operating system my web server runs on is (include version): Debian 4.19.118

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

There are DNS problems.
See: | DNSViz


When you ask a root DNS server, is says (four nameservers):

nslookup -q=ns
nslookup -q=ns  nameserver =  nameserver =  nameserver =  nameserver =

When you ask one of those servers, it says (four different nameservers):

nslookup -q=ns
nslookup -q=ns  nameserver =  nameserver =  nameserver =  nameserver =
1 Like

The first set of NS records (from the .com. nameservers) actually function properly. But it seems the Let's Encrypt DNS resolvers apparently resolve the authorative nameservers from the would be authorative name servers first and then continue resolving again, trying the wrong set of nameservers..

The mismatched names alone is enough to break it.

If you're strict, yes. I agree this is an issue. But if you just query the NS servers provided by the .com servers, you'll get a proper NXDOMAIN as result.

Here are the records that have set up with Amazon Route 53:

Records (4)

Record name Type Routing policy Differentiator Alias Value/Route traffic to TTL (seconds) Health check Evaluate target health Record ID A Simple - No 300 - - -


|||SOA|Simple|-|No| 1 7200 900 1209600 86400|900|-|-|-|


Do I need to do anything on the Debian instance where I ran the command :

sudo /opt/bitnami/bncert-tool

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.