Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

certbot certonly --non-interactive --manual \

--manual-auth-hook "./ UPSERT" \

--manual-cleanup-hook "./ DELETE" \

--preferred-challenge dns \

--config-dir "./letsencrypt" \

--work-dir "./letsencrypt" \

--logs-dir "./letsencrypt" \

--agree-tos \

--manual-public-ip-logging-ok \

--domains $2 \


aws route53 wait resource-record-sets-changed --id \

$(aws route53 change-resource-record-sets --hosted-zone-id \

    "$(aws route53 list-hosted-zones-by-name --dns-name $2. \

    --query HostedZones[0].Id --output text)" \

  --query ChangeInfo.Id \

  --output text \

  --change-batch "{ \

    \"Changes\": [{ \

      \"Action\": \"$1\", \

      \"ResourceRecordSet\": { \

        \"Name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\", \

        \"ResourceRecords\": [{\"Value\": \"\\\"${CERTBOT_VALIDATION}\\\"\"}], \

        \"Type\": \"TXT\", \

        \"TTL\": 30 \

      } \

    }] \

  }" \


It produced this output:

Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for
Running manual-auth-hook command: ./ UPSERT
Waiting for verification...
Challenge failed for domain
dns-01 challenge for
Cleaning up challenges
Running manual-cleanup-hook command: ./ DELETE
manual-cleanup-hook command "./ DELETE" returned error code 2

Some challenges have failed.

  • The following errors were reported by the server:

    Type: unauthorized
    Detail: Incorrect TXT record
    "bxsKelGFl32JRVmNO6aSKAgCLmXD7TRMCDfIsJ0f3YE" found at

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.


My web server is (include version):

Its an EKS cluster and we use route53

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I can log into the pod which runs letsencrypt

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @kurian-dm, and welcome to the LE community forum :slight_smile:

Just a wild guess....
But shouldn't that also be ""?


And is there a reason that you're using your own auth hook instead of an existing Route 53 Certbot plugin? (There might be good reasons to do so, but understanding what you're trying to do beyond what's there out-of-the-box might be helpful.)

I think it might actually be correct, as the second parameter to the script is just looking up which AWS Hosted Zone to update using the API. So if the hostname is in that zone, I think it may be doing the right thing.

The thing this script might be missing (which may be in the default plugin, I'm not sure), is polling the AWS API to find out when all their DNS servers are in sync with the change.


It looks like the certbot route53 plugin does poll for completion in its wait_for_change routine.

I'd guess changes usually happen pretty fast in route53 so a static wait might be good enough.

@kurian-dm Did your script work when testing it directly from the command line. Or did it fail only as a hook from certbot?



So this cronjob in Kubernetes runs every 90 days. The job ran on 5/1/2022 and failed to renew the certs. I logged into the cluster and then ran the same job manually and the certs got renewed.

Command that is executed by the kubernetes job:

command: ["bash","-c","/apps/ arn:aws:iam::140199734014:role/ROLE-USW2-DEZ-SS-PRD-LETSENCRYPT *"]

#!/usr/bin/env sh

echo ">$1<"

aws sts assume-role --role-session-name Letsencrypt01 --role-arn "$1" > awscre

export AWS_ACCESS_KEY_ID=$(jq -r .Credentials.AccessKeyId awscre)

export AWS_SECRET_ACCESS_KEY=$(jq -r .Credentials.SecretAccessKey awscre)

export AWS_SESSION_TOKEN=$(jq -r .Credentials.SessionToken awscre)

export AWS_REGION=us-west-2

#aws sts get-caller-identity

certbot certonly --non-interactive --manual \

--manual-auth-hook "./ UPSERT" \

--manual-cleanup-hook "./ DELETE" \

--preferred-challenge dns \

--config-dir "./letsencrypt" \

--work-dir "./letsencrypt" \

--logs-dir "./letsencrypt" \

--agree-tos \

--manual-public-ip-logging-ok \

--domains $2 \


echo ">$2<"


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.