Renew Let´s Encrypt Certificate (AWS Lightsail + Route 53)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
~ ~ WILDCARD=*.DOMAIN ~ echo $DOMAIN && echo WILDCARD * ~ sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-chal
lenges dns certonly

Are you OK with your IP being logged? (Y)es/(N)o: y

I deployed the DNS TXT records.

It produced this output:

Press Enter to Continue
Waiting for verification…
Resetting dropped connection:
Cleaning up challenges
Failed authorization procedure. (dns-01): urn:ietf:params:acme:error:dns :: DNS
problem: SERVFAIL looking up TXT for, (dns-01): urn:ie
tf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.dmkwk


  • The following errors were reported by the server:

    Type: None
    Detail: DNS problem: SERVFAIL looking up TXT for

    Type: None
    Detail: DNS problem: SERVFAIL looking up TXT for

My web server is (include version): AWS Lightsail + Route 53

The operating system my web server runs on is (include version): Apache/Ubuntu

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @dmkwke

checking your domain you use DNSSEC - and your DNSSEC is broken -


There are 3 DS RR in the parent zone, so your parent zone says: Your zone must be signed.

But your zone isn’t signed, there is no DNSKEY RR -> no chain of trust is created.

Looks like you have changed your dns provider. Old - with DNSSEC, new - without DNSSEC.

So you have two options:

  • remove the DS RR in your parent zone (your dns provider must do that) (or, better)
  • add a correct DNSKEY and change your DS in your parent zone so your zone is signed.

PS: Rechecked with to see if my tool is correct - same result - DS in the parent zone, no DNSKEY in your zone

1 Like

Hi @JuergenAuer thanks for your feedback!

Where can I find the correct DNSKEY and how can I change DS in my parent zone?

For most TLDs, DS records are managed via your domain registrar. Their control panel should have an area for it.

There is none. Amazon Route 53’s DNS service does not support DNSSEC. You have to delete the DS records, or switch to another DNS service.

1 Like

You use

Is there a one-click solution? If yes, use that.

If no, it’s bad.

DNSSEC configurations are normally one-click solutions. Activate -> the DNSKEY and the DS is created and deployed. Deactivate -> DNSKEY is removed, same with the DS in the parent zone.

So normally a customer doesn’t create these records manual.

–>> Ask Amazon.


Ah, thanks. So @dmkwke - perhaps switch back to your previous domain registrar, then delete the DNSSEC (should remove the DS), then switch back to AWS.

Changing the subject somewhat, why do you want to use manual DNS validation, and why do you want to create a wildcard certificate?

If you’re following Amazon’s tutorial, it gives bad advice. Let’s Encrypt is intended to be used – where possible – with automated validation, so that it’s easier for you to work with, and so that renewal can be fully automated. And in most circumstances, wildcard certificates aren’t necessary.

Do you absolutely need to use wildcards?

If not, it should be easy to follow a better tutorial and use HTTP validation and get one or more certificates for the names you need.

If so, you should use a DNS service with an appropriate API and an ACME client that can work with it. (The regular AWS version of Route 53 would work, but I don’t know if the Lightsail version of Route 53 includes API access.)

Alright, thanks I know. I am using the DNS Zone from AWS Lightsail.

Okay, I see - I gonna switch back to World4You with DNSSEC.

Thanks for you feedback!

I gonna switch back to my previous DNS Zone with DNSSEC.

I am a newbie and I followed the instruction of the documentation from AWS -->

I found a documentation from Let´s Encrypt. Do you think that´s a better way how to set up the certificate?


Thanks for your help. Highly appreciated!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.