Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: dmkwke.at
I ran this command:
~ DOMAIN=dmkwke.at
~ WILDCARD="*.$DOMAIN"
~ echo "$DOMAIN" && echo "$WILDCARD"
dmkwke.at
*.dmkwke.at
~ sudo certbot -d "$DOMAIN" -d "$WILDCARD" --manual --preferred-challenges dns certonly
Are you OK with your IP being logged? (Y)es/(N)o: y
I deployed the DNS TXT records.
It produced this output:
Press Enter to Continue
Waiting for verification…
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Failed authorization procedure. dmkwke.at (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.dmkwke.at, dmkwke.at (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.dmkwke.at
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: dmkwke.at
Type: None
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.dmkwke.at
Domain: dmkwke.at
Type: None
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.dmkwke.at
My web server is (include version): AWS Lightsail + Route 53
The operating system my web server runs on is (include version): Apache/Ubuntu
My hosting provider, if applicable, is: AWS Lightsail
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
DNSSEC configurations are normally one-click solutions. Activate -> the DNSKEY and the DS is created and deployed. Deactivate -> DNSKEY is removed, same with the DS in the parent zone.
So normally a customer doesn't create these records manually.
-->> Ask Amazon.
PS:
Ah, thanks. So @dmkwke - perhaps switch back to your previous domain registrar, then delete the DNSSEC (should remove the DS), then switch back to AWS.
Changing the subject somewhat, why do you want to use manual DNS validation, and why do you want to create a wildcard certificate?
If you’re following Amazon’s tutorial, it gives bad advice. Let’s Encrypt is intended to be used – where possible – with automated validation, so that it’s easier for you to work with, and so that renewal can be fully automated. And in most circumstances, wildcard certificates aren’t necessary.
Do you absolutely need to use wildcards?
If not, it should be easy to follow a better tutorial and use HTTP validation and get one or more certificates for the names you need.
If so, you should use a DNS service with an appropriate API and an ACME client that can work with it. (The regular AWS version of Route 53 would work, but I don’t know if the Lightsail version of Route 53 includes API access.)
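The two replies above make two separate points: the SERVFAIL comes from a broken DNSSEC chain (a DS left in the parent zone with no matching DNSKEY in the zone now served by Route 53), and the fix for the workflow is to stop using `--manual` and let an ACME client drive the DNS API. The script below is an added example, not code from this thread, Let's Encrypt or Amazon. It separates the two causes of a SERVFAIL with the classic test: a validating query fails while the same query with checking disabled (`+cd`) succeeds, which points at DNSSEC rather than at the authoritative servers. It assumes `dig` is installed, uses 8.8.8.8 as an assumed validating resolver, and the `--dns-route53` invocation at the end assumes the certbot Route 53 plugin is installed and has AWS credentials (the certbot-dns-route53 plugin is real; whether Lightsail's DNS exposes the Route 53 API is, as the reply says, not established here).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight DNS/DNSSEC checks to run
# before asking Let's Encrypt for a dns-01 challenge.
# Assumes `dig` (bind-utils / dnsutils) is installed. The resolver address
# is an assumption; any validating recursive resolver will do.

# Classify a dig result from its textual output.
# $1: full dig output. Prints one of: servfail, nxdomain, noerror, other
dig_status() {
    case "$1" in
        *"status: SERVFAIL"*) echo servfail ;;
        *"status: NXDOMAIN"*) echo nxdomain ;;
        *"status: NOERROR"*)  echo noerror ;;
        *)                    echo other ;;
    esac
}

# A SERVFAIL that disappears when DNSSEC checking is disabled (+cd) is a
# validation failure (bogus chain), not an unreachable authoritative server.
# $1: output of the validating query, $2: output of the same query with +cd
dnssec_broken() {
    if [ "$(dig_status "$1")" = servfail ] && [ "$(dig_status "$2")" != servfail ]; then
        return 0
    fi
    return 1
}

# Live check for a domain (network access required).
# Usage: preflight example.com [resolver]
preflight() {
    domain=$1
    resolver=${2:-8.8.8.8}          # assumed public validating resolver
    name="_acme-challenge.$domain"

    ds=$(dig @"$resolver" +short DS "$domain")            # what the parent publishes
    dnskey=$(dig @"$resolver" +short +cd DNSKEY "$domain") # what the zone publishes
    validated=$(dig @"$resolver" +dnssec TXT "$name")
    unvalidated=$(dig @"$resolver" +cd TXT "$name")

    if dnssec_broken "$validated" "$unvalidated"; then
        echo "DNSSEC validation fails for $name."
        echo "DS records at the parent (must be removed or must match a DNSKEY in the zone):"
        echo "${ds:-(none)}"
        echo "DNSKEY records served for $domain:"
        echo "${dnskey:-(none)}"
        return 1
    fi
    if [ "$(dig_status "$validated")" = servfail ]; then
        echo "SERVFAIL even with checking disabled: delegation or authoritative server problem, not DNSSEC."
        return 1
    fi
    echo "TXT lookup for $name: $(dig_status "$validated")"
}

# Only do network work when a domain is given on the command line, so the
# functions above can be sourced and tested without network access.
if [ $# -gt 0 ]; then
    preflight "$@" || exit 1
    # Once the zone validates, a DNS provider with an API removes the manual
    # step and makes renewal unattended (certbot Route 53 plugin assumed
    # installed, with AWS credentials available to it):
    #   sudo certbot certonly --dns-route53 -d "$1" -d "*.$1"
fi
```

Run it as `sh preflight.sh dmkwke.at`. Quoting `"*.$1"` matters: an unquoted `*.dmkwke.at` is a glob that the shell may expand against files in the current directory before certbot ever sees it.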