Installation Error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-c
hallenges dns certonly

It produced this output:
Type: None
Detail: DNS problem: SERVFAIL looking up TXT for - the domain's nameservers may be

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): the newest version (0.31.0-1+deb10u1)

You have enabled DNSSEC on your domain registration, but you haven't set DNSSEC up on the Route53 side.

As a result, your domain name doesn't work and Let's Encrypt can't look up the TXT record.

The first thing you should do is login to your domain registrar and disable DNSSEC on your domain.

That should get you back up and running, after a short wait.

Then, if you want to use DNSSEC, you can try set it up again, carefully following the instructions that Route53 gives you.


Thank you, I did not realize it was enabled there. I have removed it and am giving it that short wait. For future reference, as long as DNSSEC is configured correctly I should not have to disable it to renew a cert, right?

1 Like

Yes, correctly configured DNSSEC is not a problem.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.