HTTP and DNS acme challenges fail on AWS Route53


My domain is:

I ran this command: certbot certonly --staging --manual --preferred-challenges dns -d

It produced this output: 2018-07-04 10:54:01,877:DEBUG:certbot.main:certbot version: 0.25.1 2018-07-04 10:54:01,878:DEBUG:certbot.main:Arguments: ['--staging', '--manual', '--preferred-challenges', 'dns', '-d', ''] 2018-07-04 10:54:01,878:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-r oute53:auth,PluginEntryPoint#dns-route53,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#s tandalone,PluginEntryPoint#webroot) 2018-07-04 10:54:01,891:DEBUG:certbot.log:Root logging level set at 20 2018-07-04 10:54:01,892:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log 2018-07-04 10:54:01,892:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None 2018-07-04 10:54:01,898:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual Description: Manual configuration or run your own shell scripts Interfaces: IAuthenticator, IPlugin Entry point: manual = certbot.plugins.manual:Authenticator Initialized: <certbot.plugins.manual.Authenticator object at 0x7fde85d8ded0> Prep: True 2018-07-04 10:54:01,898:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Au thenticator object at 0x7fde85d8ded0> and installer None 2018-07-04 10:54:01,898:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None 2018-07-04 10:54:01,902:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registratio n(status=u'valid', terms_of_service_agreed=None, contact=(u'',), agre ement=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey obje ct at 0x7fde85d94690>)>)), uri=u'', new_aut hzr_uri=None, terms_of_service=u''), b52 ca7c579dcb14c785d202d67ec3e84, Meta(creation_host=u'', creatio n_dt=datetime.datetime(2018, 7, 4, 10, 52, 7, tzinfo=<UTC>)))>

My web server is (include version): nginx/1.12.1

The operating system my web server runs on is (include version): Linux 4.14.33-51.37.amzn1.x86_64

My hosting provider, if applicable, is: Bought with GoDaddy but nameserver records of Route53

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I have tried multiple times to get a certificate but cannot get past the acme-challenge. DNS Manual challenge tells me to create the TXT record and I do - but it reports Invalid TXT record with a different token than what I created in Route53.
Tried HTTP Manual but that too does not help. I create the requested file with the content but certbot cannot fetch it and instead shows a Invalid Type Response. If I use the same http acme-challenge url in a browser, I can see the content ok. I cannot figure out what’s wrong here.

Any help is appreciated.

Btw, I messed up by not using staging ACME server - it looks like every time I tried, letsencrypt generated a certificate but did not publish it to me because of the acme-challenge errors. Now, when I try to generate, I get the ‘rate limit exceeded’ error - is there a way to clean up all certificates I may have created?



Are you sure it generated certificates? What was the actual rate limit error? You probably just hit the 5 Failed Validations per hour limit, which is gone by now.

Anyway, your nameservers appear to be mixed:

$ dig +noall +answer ns           3575    IN      NS           3575    IN      NS           3575    IN      NS           3575    IN      NS           3575    IN      NS           3575    IN      NS

Either commit fully to GoDaddy’s nameservers or to Route53’s, and get rid of the others.

Once you’ve done that, if you still have problems, then post a full log file from /var/log/letsencrypt - the partial one you’ve provided doesn’t contain the relevant info to identify your problem.

One suggestion - your Linux distribution might have the official Certbot Route53 plugin available for installation from its repositories, which saves you from having to set up manual records, and would allow automatic renewal.

If not, you can also use a client like to achieve the samething.


Thank you for this - I will clean up the NS entries and then proceed with the cert generation. I do not have access to the GoDaddy control panel; only the Route53 one. I have requested the owner to clear the NS entries of GoDaddy (ns71 and ns72).

I cannot recollect the exact error now but there was a link to the rate limits page which led me to believe that certs were generated. I would be glad if that isn’t the case.

Will report back in a couple days after the NS entries are cleared up.



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.