How to avoid challenge failures due to slow propagation of Route53?

So my understanding of the certbot plugin is that it uses the AWS GetChange API to confirm that all of the AWS servers have the updated records. So I don't think that's your problem, especially as the error message:

Isn't what I'd expect for servers being out of sync. If it was querying a server that didn't have the update, it would be getting a no-record-found error. But instead it's not getting a reply back at all (at least not within its timeout), from some of the "secondary validation" checks.

That's certainly one possibility. Do the DNS servers accept requests worldwide?

One thing to try is to remove certbot from the equation entirely: just put a test TXT record up in your domain, and then try to query it from various places around the world and see how quickly it gets a response, if it gets one at all. You may want to particularly check from Sweden and Singapore, but Let's Encrypt is planning on continuing to add more validation perspectives, and so your DNS server needs to be able to reply worldwide.

If it's just for use in CloudFront, wouldn't it be easier to just use the Amazon-provided certificates that Amazon Certificate Manager has built in? Why are you looking to get a Let's Encrypt certificate? (I'm not familiar with AWS China, so there may be good reasons for it.)

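A stdlib-only way to run the test suggested above, added here as an example and not taken from this thread: it sends a raw DNS TXT query for a record to each listed server and records the latency, response code and TXT values, or None when no reply came back within the timeout, which is the symptom the "secondary validation" checks were hitting. The record name and server IPs passed to `probe()` are placeholders you supply, and it only measures the path from the host it runs on, so run it from hosts in the regions you care about.

```python
import socket, struct, time

def build_txt_query(name, txid=0x1234):
    # 12-byte header: id, flags (RD only), QDCOUNT=1, then the QNAME labels and QTYPE/QCLASS
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 16, 1)  # QTYPE 16 = TXT, QCLASS 1 = IN

def _skip_name(data, off):
    # Skip a domain name; a byte with the top two bits set is a 2-byte compression pointer
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_txt_response(data):
    """Return (rcode, [TXT strings]) from a raw DNS response (0 = NOERROR, 3 = NXDOMAIN)."""
    _, flags, qdcount, ancount = struct.unpack_from(">HHHH", data, 0)
    rcode, off = flags & 0x000F, 12
    for _ in range(qdcount):  # skip the echoed question: name + QTYPE + QCLASS
        off = _skip_name(data, off) + 4
    txts = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", data, off)  # TYPE, CLASS, TTL, RDLENGTH
        off += 10
        if rtype == 16:  # TXT RDATA is a sequence of <len><chars> strings; join them
            rdata, pos, parts = data[off:off + rdlen], 0, []
            while pos < rdlen:
                parts.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode())
                pos += 1 + rdata[pos]
            txts.append("".join(parts))
        off += rdlen
    return rcode, txts

def probe(name, servers, timeout=5.0):
    """Query each server over UDP/53; latency None means no reply at all within the timeout."""
    results = {}
    for ip in servers:  # placeholders: authoritative NS IPs and/or public resolvers to check
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            start = time.monotonic()
            try:
                sock.sendto(build_txt_query(name), (ip, 53))
                data, _ = sock.recvfrom(4096)
                rcode, txts = parse_txt_response(data)
                results[ip] = (round(time.monotonic() - start, 3), rcode, txts)
            except socket.timeout:
                results[ip] = (None, None, [])
    return results
```

Calling `probe("_acme-challenge.yourdomain.example", ["<authoritative-ns-ip>", "1.1.1.1"])` returns a dict keyed by server IP; a None latency means silence on that path, while a 0 or 3 rcode with no TXT value means the server answered but does not yet have the record.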