Incomplete Authorizations error when trying to renew

NS and DNS are all at Route 53.

Just out of curiosity, if I wanted to, could I tell certbot just to check barredislands.com and ignore .org?

Well, the nameserver settings in the Route 53 Registrar console are incorrect.

You could use something like "sudo certbot --nginx [other options you used when creating the certificate] --cert-name barredislands.com -d barredislands.com".

That would issue a new certificate that includes barredislands.com and does not include barredislands.org and save it on top of the old one.

From what I can see everything looks normal in my Route 53 admin. But I suppose something could be going on under the hood that I’m not aware of. I just created the “hosted zone” for .org and added the A record about an hour ago, so maybe I just need to wait a bit. This cert is good for 13 more days so I’ll give it another shot tomorrow. Thanks again.

Did you update the nameserver settings in the Registrar console?

I just checked that and they didn’t match. My bad–I thought when you have a domain name registered at Rte. 53 and you create a “hosted zone” for that domain name, that Route 53 automatically inserts the correct NS record. But apparently not–at least it didn’t in this case. Lesson learned.

If the AWS support forums are any indication, it’s one of the more common issues people have with Route 53. 🙁 The console needs a bunch of warnings or something.

Glad you pointed that out. AWS can be tricky alright.

I just tried again, no dice, probably need to wait for propagation to happen? Will give it a shot tomorrow.

You switched it the wrong way. 💦 You changed the hosted zone’s NS records to match what the registrar currently has, but it needs to go the other way. They both need to be set to:

ns-193.awsdns-24.com.
ns-578.awsdns-08.net.
ns-1262.awsdns-29.org.
ns-1988.awsdns-56.co.uk.

No worries about the disruption.

How would I delete the ACME staging account? Is it a matter of deleting this directory?
/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org

It is better to use:

certbot unregister --staging

OK--not sure I get that exactly but I followed your advice. Route 53 says I'll get an email confirmation when the domain name NS changes.

Appreciate the help.

Ran certbot renew and it worked! Muchas gracias.
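
The mismatch diagnosed in this thread (registrar name servers differing from the ones assigned to the hosted zone) can be checked before running a renewal. The script below is an added example, not part of the original posts: the function names and the registrar values in the demo are constructed, while the four hosted-zone servers are the ones quoted above.

```shell
#!/bin/sh
# Added example: compare the name servers the registrar delegates to with the
# name servers Route 53 assigned to the hosted zone.

# Normalize a whitespace-separated NS list: lowercase, no trailing dot, sorted, unique.
normalize_ns() {
  for ns in $1; do printf '%s\n' "$ns"; done |
    tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u
}

# Return 0 when both sets are identical and non-empty; otherwise list the
# entries found on only one side and return 1.
compare_ns() {
  reg=$(normalize_ns "$1")
  zone=$(normalize_ns "$2")
  if [ -n "$reg" ] && [ "$reg" = "$zone" ]; then
    echo "OK: registrar delegation matches the hosted zone"
    return 0
  fi
  echo "MISMATCH: validation queries may reach servers without your records"
  for ns in $reg; do
    printf '%s\n' "$zone" | grep -Fxq -- "$ns" || echo "  registrar only:   $ns"
  done
  for ns in $zone; do
    printf '%s\n' "$reg" | grep -Fxq -- "$ns" || echo "  hosted zone only: $ns"
  done
  return 1
}

if [ "$#" -ge 2 ]; then
  # Live check: $1 = domain name, $2 = hosted zone ID (requires the AWS CLI).
  REG_NS=$(aws route53domains get-domain-detail --region us-east-1 \
    --domain-name "$1" --query 'Nameservers[].Name' --output text)
  ZONE_NS=$(aws route53 get-hosted-zone --id "$2" \
    --query 'DelegationSet.NameServers' --output text)
  compare_ns "$REG_NS" "$ZONE_NS"
else
  # Offline demo: registrar values are constructed; zone values are from the thread.
  REG_NS="ns-1.example.net. ns-2.example.org."
  ZONE_NS="ns-193.awsdns-24.com. ns-578.awsdns-08.net.
ns-1262.awsdns-29.org. ns-1988.awsdns-56.co.uk."
  compare_ns "$REG_NS" "$ZONE_NS" || true
fi
```

The live check compares against the zone's assigned delegation set rather than its editable NS record, so it still reports the right target if that record was changed by hand.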
