Lightsail Letsencrypt Error Cannot issue for "*.domain": Name does not end in a public suffix (.org)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot -d $WILDCARD --manual --preferred-challenges dns certonly

It produced this output: Starting new HTTPS connection (1):
Obtaining a new certificate
An unexpected error occurred:
Error creating new order :: Cannot issue for “*.domain”: Name does not end in a public suffix
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Amazon Lightsail

The operating system my web server runs on is (include version): Ubuntu 16.04.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes using web based SSH

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @LoNo

Looks like your $WILDCARD isn't defined, or is wrong / incomplete.

What says


when I put in the command echo $WILDCARD

it says *.DOMAIN

There you see the problem. You want to create a certificate with *.DOMAIN as domain name. That's not possible.


 sudo certbot -d -d * --manual certonly

instead. You can remove the --preferred-challenges option because a wildcard certificate requires dns validation.

Awesome, it gave me the DNS TXT record. Just wondering, will this cert auto-renew, or will I have to do it manually?

Also the tutorial doesn’t mention anything about the response I received which says:

Create a file containing just this data:


And make it available on your web server at this URL:

Am I supposed to copy the code into a txt file and upload it to a page I create, and name the page the provided directory?

Certbot can't autorenew certificates that require DNS challenges unless you give it a way to create DNS TXT records in your zone without human intervention (because the DNS TXT record will be different for each renewal—just maintaining the original TXT record is of no benefit). You may be able to do this, depending on how your DNS is hosted and whether it can be updated from software.

Yes, that's right. The idea is that the exact URL that was mentioned here has to exist on your site, and it has to have the exact text content that was indicated. So if you're doing that yourself, you might arrange to do that by uploading a text file to your site with that content, under that location.

But for wildcard certificates the validation method will require creating DNS records rather than creating files on your server.

More information about these methods of proving your control of domain names is at

When I go to set up a DNS record under Lightsail it doesn’t allow me to point the TXT to the specific location, it just lets me add a prefix to my domain. Sorry, super new to this.

Are you confusing the TXT record (DNS-01 challenge) with the file upload (HTTP-01 challenge)? Did you get a message with a specific TXT record that you have to create?

This is the response I got:
Create a file containing just this data:


And make it available on your web server at this URL:

Press Enter to Continue

I am using WordPress and Lightsail. I don’t have a cPanel, and I don’t know how to upload the txt file. It asked me to create a DNS record, which I did, and I checked on mxtoolbox and it says that one is okay. I just don’t know what to do with the above response.

Looks like you have started two different commands. One with the wildcard -> dns-challenge, one with the main domain -> http-challenge.

That’s wrong. You need one command with both domain names -> you have to create two TXT entries with the same name, but different values.

Result: You have one certificate with two domain names. Not two certificates with one domain name.

That's what the tutorial was saying, but it didn’t give me the second TXT entry, it just told me to make the txt file. How do I start the command again for the 2nd TXT entry?

It’s not invalid to use DNS validation for one name and HTTP validation for the other name, it’s just unusual.

You can add --preferred-challenges dns to make Certbot to use DNS for both.

You should really use automated validation if at all possible.

Do you really need a wildcard certificate? Let’s Encrypt certificates can have up to 100 names, and you can get many certificates.

You’re using Amazon Route 53 DNS, which has a good API that is supported by Certbot, but I don’t know if Lightsail gives access to the API.

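As an added example (not Certbot's code and not from the original thread), a small pre-flight script for the problems raised above: an unexpanded $WILDCARD, a placeholder name like *.DOMAIN that ends in no public suffix, and which challenge (and therefore which TXT records) each -d name will need. The public-suffix set is a constructed stand-in for the real Public Suffix List that the CA checks against.

```python
"""Pre-flight check for a certbot --manual request, modelled on the mistakes
in this thread. Example code added for the thread, not part of Certbot."""
import re

# Constructed, deliberately tiny public-suffix set; a real check would load
# the full Public Suffix List (publicsuffix.org), which is what the CA uses.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def registrable_domain(name):
    """Return 'example.com' for 'example.com' or '*.example.com'; None when
    the name does not sit under a known public suffix (the CA's error)."""
    labels = name.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            base = labels[i - 1]
            return None if base == "*" else ".".join(labels[i - 1:])
    return None

def check_request(names, preferred=None):
    """names: the -d values; preferred: value of --preferred-challenges or None.
    Returns (problems, challenge_per_name, txt_records_needed)."""
    problems, challenge, txt_plan = [], {}, {}
    for n in names:
        if not n or n.startswith("$"):
            problems.append(f"{n!r}: shell variable was not expanded")
            continue
        if not re.fullmatch(r"(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*", n.lower()):
            problems.append(f"{n!r}: not a valid DNS name for a certificate")
            continue
        if registrable_domain(n) is None:
            problems.append(f"{n!r}: name does not end in a public suffix")
            continue
        # The manual plugin tries http-01 first unless told otherwise, but a
        # wildcard authorization only ever offers dns-01.
        wildcard = n.startswith("*.")
        challenge[n] = "dns-01" if wildcard or preferred == "dns" else "http-01"
        if challenge[n] == "dns-01":
            # *.example.com and example.com share one TXT name, so that name
            # needs one value per authorization: same name, different values.
            txt = "_acme-challenge." + (n[2:] if wildcard else n)
            txt_plan[txt] = txt_plan.get(txt, 0) + 1
    return problems, challenge, txt_plan

if __name__ == "__main__":
    print(check_request(["*.domain"]))
    print(check_request(["example.com", "*.example.com"], preferred="dns"))
```

Run with the names you intend to pass to certbot; an empty problem list plus the TXT plan tells you how many values each _acme-challenge record must carry before you press Enter.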

No, I think Lightsail is pretty limited. I don’t know if there is an integrated transfer system set up to push Lightsail into AWS and Route 53; currently the domains are registered with GoDaddy, but all the DNS & networking is set up in Lightsail.

I was just following the Lightsail tutorial on how to set up Let's Encrypt, and that's what it was telling me.
