No Hosted Zone for .com Route53

I've shared the relevant required information at the bottom of this post. I'm not understanding how I can configure certbot to allow me to use a wildcard ssl. I am following these instructions: Install a wildcard Let’s Encrypt certificate in Lightsail
The issue is that I'm not sure how I can give access to the hosted zones when .com domains cannot have hosted zones in Amazon's Route 53. See CreateHostedZone - Amazon Route 53 for reference.

How can I add the required permissions if there is no hosted zone for my domain?

My domain is:

I would like to protect and (both work with HTTP, but not HTTPS)

I ran this command: sudo certbot certonly --dns-route53 -d -d *

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for and *
An error occurred (AccessDenied) when calling the ListHostedZones operation:
User: arn:aws:sts::176827265370:assumed-role/AmazonLightsailInstanceRole/i-0bd48cdf50e21cee4
is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the
route53:ListHostedZones action
To use certbot-dns-route53, configure credentials as described at
and add the necessary permissions for Route53 access.
Ask for help or search for solutions at
See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: Amazon Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): yes (I just use sudo for stuff)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.8.0

The error says the credentials you are using don't have permission to list zones. The required roles are listed here: Welcome to certbot-dns-route53’s documentation! — certbot-dns-route53 0 documentation

The AWS docs that mention .com mean actual .com, not your domain (which is a subdomain of .com, as most are).


Thank you for your answer, that helped clarify a few things. However, I'm still a little confused about how to allow the required roles. Should I be creating a hosted zone on route53 for the domain that I already have nameservers for on lightsail (I purchased the domain through route53, but the nameservers point to an amazon lightsail instance)? Even when I try that, I get lost trying to get the correct roles for the user. Furthermore, I'm not sure where I should be placing the aws policy file.

I feel as though this whole configuration doesn't have clear-cut documentation, but maybe I'm just running around in circles when I should be reading a little closer. Maybe you can offer me a little bit of guidance as I swim through this configuration. Any help would be much appreciated.
Thanks again for helping :slight_smile:


I should say, I haven't used the certbot route53 provider, I'm just a developer for a similar provider for a different client (on Windows) so that's why I generally know what it's expecting to do.

Just to clarify in case there is confusion, your nameservers are currently hosted by AWS Route 53, you are not hosting the DNS yourself using lightsail (but you are hosting your website on lightsail).

You are trying to create a certificate which includes a wildcard *., so this requires you to use DNS validation (which creates/updates a TXT record in your DNS).

If you just used multiple domain/subdomain names without the wildcard you could just use http validation instead which is generally simpler (just specify multiple names when setting up the certificate, or use the certbot expand command to add them to the existing renewal).

If you do want to use DNS validation, you do not have to create any new zones. You are just trying to automatically add a TXT record called _acme-challenge and dynamically set its value to prove control of the domain. For your wildcard this record is just called _acme-challenge; for a specific subdomain it's like _acme-challenge.api or _acme-challenge.www etc.

In AWS, you have two things: Route 53 (your DNS zones etc) and IAM (Identity and Access Management - user roles and permissions). The stuff you need to do is using the IAM part of AWS to setup and the docs are assuming you already know AWS stuff, which IAM is a common part of.

The example AWS policy shown in the docs is something you would paste into IAM, perhaps you would find the instructions for the app I develop useful: AWS Route53 DNS | Certify The Web Docs - just the first part is relevant here and is an example of how you create a user with the required permissions (this example creates a group, defines the policy for the group, then assigns a new user into the group) .

You then copy your access key and secret into a "credential config file" which you create yourself (as shown in the certbot route 53 docs) and set your access key + secret there. As stated in the docs you can create it at a particular location or you can set an environment variable to say where the file is kept.


Is it possible that registering a domain via Lightsail DNS doesn't create a corresponding Route53 managed zone?

I was looking through the AWS CLI docs and there seem to be separate APIs for Route 53 zone management vs Lightsail DNS zone management :person_shrugging:.


Very good point! It didn't occur to me that the DNS would be anything other than route53. In which case, @osamaramihafez would need to use manual DNS or script the update themselves as I don't know of any Lightsail specific DNS providers for certbot: Tutorial: Using Let’s Encrypt SSL certificates with your WordPress instance in Amazon Lightsail | Lightsail Documentation

[all the more reason to use http validation instead and just drop the wildcard from the cert]
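An added worked example, not code from anyone in this thread, that ties together the two points above: which _acme-challenge TXT name the dns-01 challenge needs for a wildcard versus a specific hostname, and how to scope the IAM policy for certbot-dns-route53 to just the hosted zone that is authoritative for the domain. It also covers the Lightsail DNS case: if no Route 53 hosted zone contains the name, there is nothing for the plugin to write to, so no Route 53 permissions should be handed out. The zone list and zone IDs are constructed sample data standing in for what `aws route53 list-hosted-zones` returns; the policy actions follow the ones the certbot-dns-route53 docs list.

```python
# Added example (not from the original thread): pick the authoritative
# Route 53 hosted zone for each certificate name, derive the dns-01 TXT
# record name, and emit a least-privilege IAM policy for certbot-dns-route53.
import json

# Constructed sample standing in for the output of `aws route53 list-hosted-zones`
# on an account that hosts example.com plus a delegated sub-zone.
SAMPLE_ZONES = [
    {"Id": "/hostedzone/Z0EXAMPLE1", "Name": "example.com."},
    {"Id": "/hostedzone/Z0EXAMPLE2", "Name": "eu.example.com."},
]


def acme_challenge_name(domain: str) -> str:
    """TXT record name the dns-01 challenge uses for `domain`.

    A wildcard `*.example.com` is validated at `_acme-challenge.example.com`;
    a specific host `api.example.com` at `_acme-challenge.api.example.com`.
    """
    name = domain.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return f"_acme-challenge.{name}"


def find_hosted_zone(zones, domain):
    """Most specific hosted zone containing the challenge name, or None.

    None means no Route 53 zone is authoritative (for instance the DNS is
    served by Lightsail DNS, which is not a Route 53 hosted zone), so the
    route53 plugin cannot place the record at all.
    """
    target = acme_challenge_name(domain)
    best = None
    for zone in zones:
        zone_name = zone["Name"].rstrip(".").lower()
        if target == zone_name or target.endswith("." + zone_name):
            if best is None or len(zone_name) > len(best["Name"].rstrip(".")):
                best = zone
    return best


def build_policy(zone_ids) -> dict:
    """IAM policy document for the certbot user or instance role.

    ListHostedZones and GetChange have no resource-level scoping in Route 53,
    so they must be allowed on "*"; ChangeResourceRecordSets is restricted to
    the named zones so a leaked key cannot rewrite anything else.
    """
    resources = [f"arn:aws:route53:::hostedzone/{z.rsplit('/', 1)[-1]}" for z in zone_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:GetChange"],
                "Resource": ["*"],
            },
            {
                "Effect": "Allow",
                "Action": ["route53:ChangeResourceRecordSets"],
                "Resource": resources,
            },
        ],
    }


def policy_for_domains(zones, domains):
    """Return (policy, txt_record_names), or (None, names_with_no_zone)."""
    zone_ids, records, missing = [], [], []
    for d in domains:
        zone = find_hosted_zone(zones, d)
        if zone is None:
            missing.append(d)
            continue
        # example.com and *.example.com share one TXT name; ACME just places
        # two values under it, so only the distinct names are listed here.
        rec = acme_challenge_name(d)
        if rec not in records:
            records.append(rec)
        if zone["Id"] not in zone_ids:
            zone_ids.append(zone["Id"])
    if missing:
        # Lightsail DNS / non-Route 53 case: do not grant Route 53 rights.
        return None, missing
    return build_policy(zone_ids), records


if __name__ == "__main__":
    policy, records = policy_for_domains(SAMPLE_ZONES, ["example.com", "*.example.com"])
    print("TXT records certbot will create:", records)
    print(json.dumps(policy, indent=2))
    policy, missing = policy_for_domains(SAMPLE_ZONES, ["lightsail-only.net"])
    print("No Route 53 hosted zone for:", missing, "-> use another DNS method or HTTP validation")
```

The emitted JSON is what you paste into IAM as the policy for the certbot user (or attach to the Lightsail instance role named in the error above, which currently has no Route 53 permissions at all). If `policy_for_domains` returns None, the names are not served from Route 53 and the route53 plugin is the wrong tool, regardless of what permissions you grant.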


Another option is using Route53 for Lightsail

