Help with wildcard SSL for AWS Lightsail shell timeout

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: crownglobalhr.com

I ran this command:
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory

It produced this output:
It gives more TXT records after the first time the TXT records were deployed.

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
Linux

My hosting provider, if applicable, is:
aws (Lightsail)

I can login to a root shell on my machine (yes or no, or I don’t know):
YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Addl comments-
Due to the long propagation time, the shell logs out. How do I continue with the rest of the SSL process?

Try running certbot in a screen instance.

Also, did you remove the TXT record(s) again? I can't seem to find them.

At which hoster are you adding those TXT records, by the way? I'm finding some company called "Wild West Domains" when I do a whois on the base domain of the nameservers for your domain (whois domaincontrol.com, as your domain is hosted on ns41.domaincontrol.com. and ns42.domaincontrol.com.).

Hi @sujatha-crown

Checking your domain, there are a lot of wrong entries ( https://check-your-website.server-daten.de/?q=crownglobalhr.com ):

TXT - Entries

|Domainname|TXT Entry|Status|∑ Queries|∑ Timeout|
|---|---|---|---|---|
|crownglobalhr.com|_acme-challenge.crownglobalhr.com=z3dPWcU99a_pK-2YDkHZSs7VsVHF6szESiytyQFPXbI|warning: _acme-challenge as TXTValue, not part of the domain name|1|0|
|crownglobalhr.com|_acme-challenge.crownglobalhr.com=6C37ghGzqbWAxwIbAh0w8szkOS9ExERF-1zZPJ7Kb9g|warning: _acme-challenge as TXTValue, not part of the domain name|1|0|
|crownglobalhr.com|_acme-challenge.crownglobalhr.com=1Y6Uf5oQ2NaIPW9s8G8_6uqSJu6MMDzIEMHGG29zPFQ|warning: _acme-challenge as TXTValue, not part of the domain name|1|0|
|crownglobalhr.com|google-site-verification=w6QAcLmqwv21cXQCqHshDdpTMee5daJ0AAcVIbXEHic|ok|1|0|
|crownglobalhr.com|_acme-challenge.crownglobalhr.com=1_sL7lgl8H0d5UyFvwWBGDFUZ_4979WTkB98dNRGbtg|warning: _acme-challenge as TXTValue, not part of the domain name|1|0|
|www.crownglobalhr.com|_acme-challenge.crownglobalhr.com=z3dPWcU99a_pK-2YDkHZSs7VsVHF6szESiytyQFPXbI|warning: _acme-challenge as TXTValue, not part of the domain name|1|0|
|www.crownglobalhr.com|_acme-challenge.crownglobalhr.com=6C37ghGzqbWAxwIbAh0w8szkOS9ExERF-1zZPJ7Kb9g|warning: _acme-challenge as TXTValue, not part of the domain name|1|0|
|www.crownglobalhr.com|_acme-challenge.crownglobalhr.com=1Y6Uf5oQ2NaIPW9s8G8_6uqSJu6MMDzIEMHGG29zPFQ|warning: _acme-challenge as TXTValue, not part of the domain name|1|0|
|www.crownglobalhr.com|google-site-verification=w6QAcLmqwv21cXQCqHshDdpTMee5daJ0AAcVIbXEHic|ok|1|0|
|www.crownglobalhr.com|_acme-challenge.crownglobalhr.com=1_sL7lgl8H0d5UyFvwWBGDFUZ_4979WTkB98dNRGbtg|warning: _acme-challenge as TXTValue, not part of the domain name|1|0|
|_acme-challenge.crownglobalhr.com||Name Error - The domain name does not exist|1|0|
|_acme-challenge.www.crownglobalhr.com||Name Error - The domain name does not exist|1|0|

You have created entries with

_acme-challenge.crownglobalhr.com=z3dPWcU99a_pK-2YDkHZSs7VsVHF6szESiytyQFPXbI

as value.

Instead,

_acme-challenge.crownglobalhr.com

must be the domain name, the value must be

z3dPWcU99a_pK-2YDkHZSs7VsVHF6szESiytyQFPXbI

The last two rows show the correct domain name, but there is no value.

We have domain hosting in GoDaddy.

Based on your forum, I have created them as below in GoDaddy:

https://www.godaddy.com/community/Managing-Domains/Problem-adding-txt-record-for-letsencrypt/td-p/115376

I do not have any blank entries; these are the entries I have on GoDaddy.

Please let me know your thoughts

Thank you so much for your help.

These are wrong.

Use

_acme-challenge

instead of @, as value only something like

6C37ghGzqbWAxwIbAh0w8szkOS9ExERF-1zZPJ7Kb9g

without the "=". The length is always 43.

I have added the TXT records in GoDaddy.

You’ve modified the TXT records, but they’re still named @ instead of _acme-challenge and still have an extra “_acme-challenge=” in the value.

(Also, you can just delete the records from past validations. It’s important that you can set them correctly, but they aren’t used for anything after the Let’s Encrypt validation attempt has executed.)

I see, I should share a screenshot:

All red marked entries are wrong, so remove these.

You need entries like the entry with the blue name.

_acme-challenge

instead of the @.

Remove all wrong entries, start new, create the entries, then recheck your domain to see if it is good (must be green).
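The two pieces of advice above (run certbot inside screen so an SSH timeout does not kill the --manual prompt, and enter the record as name `_acme-challenge` with only the 43-character value) as an added shell example; this is not code from the thread or from Certbot. It assumes crownglobalhr.com as the domain, `certbot` as the screen session name, and that `screen`, `dig` and `grep` are installed on the Lightsail instance.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the --manual DNS-01 flow:
# keep certbot alive across an SSH timeout, and check a TXT record before
# telling certbot to continue. crownglobalhr.com is the thread's domain;
# the session name "certbot" is an assumption of this example.

# 1. Run certbot inside a named screen session. If the SSH connection drops
#    while you wait for DNS, log back in and run `screen -r certbot`; the
#    certbot prompt is still there, so press Enter only once the record
#    checks out. Detach by hand with Ctrl-A then D.
certbot_in_screen() {
    domain="$1"
    screen -S certbot sudo certbot certonly --manual \
        --preferred-challenges dns \
        --server https://acme-v02.api.letsencrypt.org/directory \
        -d "$domain" -d "*.$domain"
}

# 2. Shape check for one record as entered at the DNS host. The name must be
#    _acme-challenge (optionally followed by the rest of the FQDN), never @,
#    and the value must be exactly the 43-character base64url digest that
#    certbot prints: no "_acme-challenge...=" prefix, no quotes.
acme_txt_shape_ok() {
    name="$1"; value="$2"
    case "$name" in
        _acme-challenge|_acme-challenge.*) ;;
        *) return 1 ;;
    esac
    [ "${#value}" -eq 43 ] || return 1
    case "$value" in
        *[!A-Za-z0-9_-]*) return 1 ;;   # anything outside base64url
    esac
    return 0
}

# 3. Ask an authoritative server directly (no resolver cache, so no waiting
#    on the 600 s TTL) whether the value Let's Encrypt will look for is
#    published at the full challenge name.
acme_txt_published() {
    fqdn="$1"; value="$2"; ns="$3"   # ns: e.g. ns41.domaincontrol.com from the SOA
    dig +short TXT "$fqdn" "@$ns" | tr -d '"' | grep -qxF "$value"
}

# Usage (not run here):
#   certbot_in_screen crownglobalhr.com
#   acme_txt_shape_ok _acme-challenge z3dPWcU99a_pK-2YDkHZSs7VsVHF6szESiytyQFPXbI && echo shape ok
#   acme_txt_published _acme-challenge.crownglobalhr.com z3dPWcU99a_pK-2YDkHZSs7VsVHF6szESiytyQFPXbI ns41.domaincontrol.com && echo published
```

Run the shape check against each record before pressing Enter in certbot; the values from the thread fail it exactly where the check-your-website report flagged them (name `@`, value carrying the `_acme-challenge...=` prefix). Querying the authoritative nameserver sidesteps the "propagation" wait entirely: Let's Encrypt resolves the name itself and does not depend on your local resolver's cache.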

Also, we recommend using Let's Encrypt in a fully automated way. Manual validation is a hassle, and you'll have to repeat it every time you renew the certificate.

Do you absolutely need to use wildcards? One certificate can include up to 100 names, and you can issue many certificates. If not, use automated HTTP validation.

If so, it might be better to switch to an ACME client with GoDaddy DNS API support, or a DNS service supported by Certbot.

What version?

What distro? What version number?

Thanks for your help, I will wait for the propagation.
My original question was how do I continue with the rest of the commands in the shell after it timed out, to complete the cert installation.

It's already visible:

Your SOA-record:

|Domain:|crownglobalhr.com|
|---|---|
|Primary:|ns41.domaincontrol.com|
|Mail:|dns.jomax.net|
|Serial:|2019040807|
|Refresh:|28800|
|Retry:|7200|
|Expire:|604800|
|TTL:|600|
|num Entries:|4|

So you have a standard TTL of 600 seconds.

Thank you Awesome!!!

Is it safe to run this command?
certbot renew

Does it auto-renew without undergoing all these steps again?

Thank you

certbot renew isn’t dangerous—it won’t harm anything—but it doesn’t work with --manual, because you have to repeat the DNS update steps each time you reissue your certificate (with new DNS records). certbot renew only performs unattended, noninteractive renewals, which doesn’t include this situation.

We recommend using some method to update the DNS records automatically, so that you won’t have to perform this procedure all the time.
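One way to get the unattended renewal the reply above recommends without switching clients is certbot's `--manual-auth-hook`: certbot runs the hook once per name with `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` in the environment, then asks Let's Encrypt to validate. The following is an added example, not code from the thread or from Certbot. The GoDaddy API call (endpoint, `sso-key` header, PATCH body) is this example's assumption about GoDaddy's v1 records API and must be checked against their current documentation; `GODADDY_KEY`, `GODADDY_SECRET` and `ACME_ZONE` are environment variables this example introduces.

```shell
#!/bin/sh
# Added example, not from the thread. A certbot manual auth hook that
# publishes the DNS-01 TXT record at GoDaddy, so that `certbot renew` can run
# without anyone typing records by hand.
#
# Invoke as:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook /path/to/this.sh -d crownglobalhr.com -d '*.crownglobalhr.com'
# and later plain `certbot renew` reuses the hook from the renewal config.
#
# ASSUMPTION: the GoDaddy API shape below (PATCH /v1/domains/{zone}/records,
# "sso-key KEY:SECRET" auth) is this example's reading of their v1 API; verify it.

GODADDY_KEY="${GODADDY_KEY:-}"        # set in the environment, never in the script
GODADDY_SECRET="${GODADDY_SECRET:-}"

# Record name relative to the zone. certbot hands the hook "crownglobalhr.com"
# for both the bare name and the wildcard (the "*." is already stripped), so
# both map to _acme-challenge; www.crownglobalhr.com maps to _acme-challenge.www.
acme_record_name() {
    domain="$1"; zone="$2"
    case "$domain" in
        "$zone")   echo "_acme-challenge" ;;
        *."$zone") echo "_acme-challenge.${domain%.$zone}" ;;
        *)         return 1 ;;
    esac
}

# PATCH body that ADDS a record instead of replacing the set at that name.
# This matters for bare + wildcard: both need a TXT at _acme-challenge with
# different values, and certbot calls the hook twice before validation, so a
# replace (PUT) would throw away the first value.
acme_record_body() {
    name="$1"; value="$2"
    printf '[{"type":"TXT","name":"%s","data":"%s","ttl":600}]' "$name" "$value"
}

publish_txt() {
    zone="$1"; name="$2"; value="$3"
    curl -fsS -X PATCH \
        -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
        -H "Content-Type: application/json" \
        -d "$(acme_record_body "$name" "$value")" \
        "https://api.godaddy.com/v1/domains/${zone}/records"
}

# Hook entry point: only runs when certbot has exported the variables.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    zone="${ACME_ZONE:-$CERTBOT_DOMAIN}"      # zone defaults to the domain itself
    name=$(acme_record_name "$CERTBOT_DOMAIN" "$zone") || exit 1
    publish_txt "$zone" "$name" "$CERTBOT_VALIDATION" || exit 1
    sleep 30   # let the authoritative servers pick up the change before validation
fi
```

Pair it with a `--manual-cleanup-hook` that deletes the `_acme-challenge` records afterwards, otherwise every renewal leaves another stale TXT behind (the thread's own zone already shows four of them). Keep the API key and secret out of the script and out of the certbot command line; a file readable only by root, sourced into the environment, is enough.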

Thank you for your help

The Let's Encrypt wildcard certificate is working very nicely on the main domain.

How do I apply the same cert to its sub-domains ?
