Issue with AWS API when using certbot-dns-route53 with many domains

I am doing a test with only one domain (one Hosted Zone) and several subdomains, where I found some interesting things.

As it is only one Hosted Zone, I can refresh the AWS Web Console and see how the _acme.. TXT subdomains for the challenge are inserted.

I executed the following command:

certbot certonly --non-interactive --dns-route53 --cert-name domaintest --domain 1.domain.com --domain 2.domain.com --domain 3.domain.com --domain 4.domain.com --domain 5.domain.com --domain 6.domain.com --domain 7.domain.com --domain 8.domain.com --domain 9.domain.com --domain 10.domain.com --domain 11.domain.com --domain 12.domain.com --domain 13.domain.com --domain 14.domain.com --domain 15.domain.com  --keep-until-expiring  --renew-with-new-domains --rsa-key-size 2048 --email one@email.com --agree-tos --test-cert --debug

I realized that inserting the acme TXT records takes a long time, approximately 10 seconds per record. After the insertion of 7 records the command printed Resetting dropped connection: route53.amazonaws.com, but later it continued with the insertion of the acme TXT records for the next domains; after exactly 7 more records it threw another Resetting dropped connection: route53.amazonaws.com, then it continued with the insertion of the last domain and finished properly.

Here is a merge of the AWS Console view and the command output:

1.domain.com
_acme record created
10.domain.com
_acme record created
11.domain.com
_acme record created
12.domain.com
_acme record created
13.domain.com
_acme record created
14.domain.com
_acme record created
15.domain.com
_acme record created
> Resetting dropped connection: route53.amazonaws.com
2.domain.com
_acme record created
3.domain.com
_acme record created
4.domain.com
_acme record created
5.domain.com
_acme record created
6.domain.com
_acme record created
7.domain.com
_acme record created
8.domain.com
_acme record created
> Resetting dropped connection: route53.amazonaws.com
9.revoldev.com
_acme record created

Additionally, after certbot finished inserting all the _acme records, this was the output of the command (full output attached in the file):

Resetting dropped connection: route53.amazonaws.com
Resetting dropped connection: route53.amazonaws.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org
Cleaning up challenges
Resetting dropped connection: route53.amazonaws.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cuextest/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cuextest/privkey.pem
   Your cert will expire on 2019-02-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

I find the Resetting dropped connection: acme-staging-v02.api.letsencrypt.org interesting to notice, as well as another Resetting dropped connection: route53.amazonaws.com after all acme records were inserted.

The whole command took ~10 minutes to run, so we can say that there is a Resetting dropped connection: route53.amazonaws.com approximately every 3 minutes.

I still keep the change proposed by @jsha, from 120 to 1200, in the dns_route53.py code.

After all that, the certificate was created correctly.

Here is a clean log file and command output from this test:
https://drive.google.com/open?id=15dAm8F3YyCgwColM6ZEe5CkLUehWh-cf

Our production app, which is affected by this, has 70 domains/subdomains in several hosted zones.

Following the result of the test, getting a new certificate or renewing it could take up to 46 minutes (10 minutes per 15 domains). The first time I tried to get a certificate for our production app, certbot ran for more than 60 minutes without result; then I opened a ticket with AWS and, after a month of research, a ticket here.

I will try to leave certbot running for several hours to see if it can renew the certificate. But, if I am not confused, the crontab should have done it; however, the certificate is already near expiry and it was not renewed.

Let me know if you have any questions or need more information.
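As an added example (not certbot's own dns_route53.py code and not from the author of this issue), the sketch below shows how dns-01 challenge TXT records for many domains spread over several hosted zones can be grouped into one UPSERT ChangeBatch per zone, so the number of Route53 API calls and INSYNC waits scales with the number of zones rather than the number of domains. The domain names, challenge values, zone names and the `apply_batches` helper are constructed assumptions; only the offline helpers are exercised here.

```python
"""Group _acme-challenge TXT records into one Route53 ChangeBatch per hosted zone.

Added example, not certbot's dns_route53.py. Sample domains/values below are
constructed; apply_batches() needs a real boto3 Route53 client and credentials.
"""
from collections import defaultdict


def zone_for(domain, zone_names):
    """Return the hosted zone whose name is the longest suffix of `domain`."""
    domain = domain.rstrip(".").lower()
    best = None
    for zone in zone_names:
        z = zone.rstrip(".").lower()
        if domain == z or domain.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    if best is None:
        raise ValueError("no hosted zone for %s" % domain)
    return best


def build_change_batches(challenges, zone_names, ttl=10):
    """Map {domain: validation_string} to {zone: ChangeBatch}, one batch per zone.

    Each batch is a single change_resource_record_sets() call, so all records
    in a zone become visible (INSYNC) together instead of one wait per domain.
    """
    per_zone = defaultdict(list)
    for domain, value in sorted(challenges.items()):
        per_zone[zone_for(domain, zone_names)].append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": "_acme-challenge.%s." % domain.rstrip("."),
                "Type": "TXT",
                "TTL": ttl,
                # Route53 TXT record data must be wrapped in double quotes.
                "ResourceRecords": [{"Value": '"%s"' % value}],
            },
        })
    return {zone: {"Comment": "ACME dns-01 challenges", "Changes": changes}
            for zone, changes in per_zone.items()}


def apply_batches(route53, zone_ids, batches):
    """Submit each batch (hypothetical helper); returns change ids to poll with get_change()."""
    return [route53.change_resource_record_sets(HostedZoneId=zone_ids[z], ChangeBatch=b)
            ["ChangeInfo"]["Id"] for z, b in batches.items()]


# Constructed sample input: the 15 test subdomains plus one domain in a second zone.
SAMPLE = {"%d.domain.com" % i: "val%d" % i for i in range(1, 16)}
SAMPLE["app.other.net"] = "valX"
```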