Thank you @mnordhoff, that’s a great find! I’m awful at DNS and the combination of Route 53 and Lightsail has me beyond confused. I see now that my first attempt was a total hack, so I’m sort of shocked that the site worked most of the time.
I just put the Lightsail nameservers into the Route 53 NS record:
And put A records for the domain and www. subdomain in Route 53. I guess I could do them in Lightsail as well, but their “easy” platform is just too confusing.
I’ve run sudo certbot renew --dry-run a bunch of times and seen no problems. I’m unable to do a normal run because the cert is not yet up for renewal:
....../cloudconfusing.com/fullchain.pem expires on 2018-10-09 (skipped)
As for confirmation: Google Transparency report looks good, crt.sh and SSLshopper don’t. Is it common (possible) for them to be running behind?
Oh hey, SSL Labs looks OK.