Route 53 - NXDOMAIN looking up TXT for check that a DNS record... exists for this domain

I'm not sure what certbot is having trouble with; any debug information would be very helpful! I also tried with the acme.sh script and it was failing right after creating a TXT record, at the log message - Let's check each DNS record now. Checking stg.api.getbuzzed.io for _acme-challenge.stg.api.getbuzzed.io

My domain is:
stg.api.getbuzzed.io

I ran this command:

sudo certbot certonly -n   -m "my-email"   -d stg.api.getbuzzed.io   --agree-tos --dns-route53   --dns-route53-propagation-seconds=60 --dry-run --debug-challenge

It produced this output:

Challenge failed for domain stg.api.getbuzzed.io
dns-01 challenge for stg.api.getbuzzed.io
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: stg.api.getbuzzed.io
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.stg.api.getbuzzed.io - check that a DNS record
    exists for this domain

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Amazon Linux 2

My hosting provider, if applicable, is:
Route 53

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0

Hi @wfuener and welcome to the LE community forum :slight_smile:

I don't use Route 53, so I can't be certain these servers are correct for that plugin:

getbuzzed.io    nameserver = ns-46.awsdns-05.com
getbuzzed.io    nameserver = ns-940.awsdns-53.net
getbuzzed.io    nameserver = ns-1258.awsdns-29.org
getbuzzed.io    nameserver = ns-1689.awsdns-19.co.uk

If not, then you may need to switch to the correct plugin.
If so, then you need to check the plugin credentials; as the zone hasn't been changed by your plugin (not even once):

getbuzzed.io
        primary name server = ns-1258.awsdns-29.org
        responsible mail addr = awsdns-hostmaster.amazon.com
        serial  = 1

[serial #1 means that it hasn't been updated since it was created]

Route 53 == Amazon's DNS service :wink:

@wfuener I see you're using the --debug-challenges option. Did you verify the existence of the TXT record manually during the debug step? It might be just as simple as increasing the propagation delay.

It has yet to update the zone, so I think the credentials may be incorrect.

Wouldn't that trigger an error from the certbot-dns-route53 plugin?

1 Like

It very well should.
We should have a look at the certbot log file.
/var/log/letsencrypt/letsencrypt.log

Route 53 doesn't care about the serial number in SOA records at all. It uses its own change APIs (you can poll using their API to see if a specific change is done propagating to all their servers), but the serial number in the SOA only changes if you update it directly. I suspect most Route 53 SOA records are just left at the default of 1 forever.

I don't know if the Route 53 certbot plugin uses that API to poll if the change is actually complete; if it doesn't then yes probably the propagation delay needs to be increased a bit. It's usually a fairly fast process as these things go, though (usually done within a minute or two), at least in my experience.

1 Like

I increased it to 300 seconds and it didn't work. I wasn't counting, but it stopped after like 30 seconds.

Thanks for the welcome @rg305 !

@wfuener Did you consider just using the http webroot challenge instead of dns? I suspect so but just in case ...

Like:

sudo certbot certonly --webroot -w /path/to/html/ -n -m "my-email" -d stg.api.getbuzzed.io --agree-tos --dry-run

Add something like this to your server for stg.api.getbuzzed.io and port 80:

location /.well-known/acme-challenge/ {
  root /path/to/html/;
}

1 Like

So, did you try it with --debug-challenges and see if one can get to the TXT records at that time? Maybe trying something like https://unboundtest.com/ to use the same kind of software/configuration that Let's Encrypt uses? And maybe posting on here when you do so and others could take a look as well?

(And your initial command line you posted just says --debug-challenge without the s at the end, though I'm hoping that's just a transcription error.)

1 Like

Although --debug-challenges is the recommended form of the option, the argument parser that Certbot uses also allows options to be abbreviated, so --debug-challenge would be recognized too.

2 Likes

@MikeMcQ It doesn't work when I use the webroot challenge instead.

@petercooperjr I did but I don't think it's creating a TXT file. I don't see it in the log output and when I sit and click refresh on the route53 console I don't see a file. Strangely enough when I use the acme.sh script it will create a text file but then not be able to verify it.
Logs from unbound test:

Query results for TXT stg.api.getbuzzed.io

Response:
;; opcode: QUERY, status: NOERROR, id: 40927
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;stg.api.getbuzzed.io. IN TXT

;; AUTHORITY SECTION:
getbuzzed.io. 0 IN SOA ns-1258.awsdns-29.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

----- Unbound logs -----
Oct 12 04:36:07 unbound[52654:0] notice: init module 0: validator
Oct 12 04:36:07 unbound[52654:0] notice: init module 1: iterator
Oct 12 04:36:07 unbound[52654:0] info: start of service (unbound 1.12.0).
Oct 12 04:36:08 unbound[52654:0] info: 127.0.0.1 stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:08 unbound[52654:0] info: resolving stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:08 unbound[52654:0] info: priming . IN NS
Oct 12 04:36:08 unbound[52654:0] info: response for . NS IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <.> 2001:503:c27::2:30#53
Oct 12 04:36:08 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:08 unbound[52654:0] info: priming successful for . NS IN
Oct 12 04:36:08 unbound[52654:0] info: response for stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <.> 2001:dc3::35#53
Oct 12 04:36:08 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:08 unbound[52654:0] info: resolving b0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: resolving a2.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: resolving c0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: resolving a0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: response for a0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.160.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for b0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.160.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for c0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.162.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for b0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.162.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for a2.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.161.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for a0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.163.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for a2.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.160.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for c0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.161.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for b0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.161.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for a2.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.163.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for c0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.163.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for a0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.161.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was DNSSEC LAME
Oct 12 04:36:08 unbound[52654:0] info: response for a2.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.162.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:08 unbound[52654:0] info: response for c0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.160.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:08 unbound[52654:0] info: response for a0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.162.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:08 unbound[52654:0] info: response for b0.nic.io. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.163.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:08 unbound[52654:0] info: response for stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <io.> 65.22.163.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:08 unbound[52654:0] info: resolving ns-1258.awsdns-29.org. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: resolving ns-1689.awsdns-19.co.uk. A IN
Oct 12 04:36:08 unbound[52654:0] info: resolving ns-940.awsdns-53.net. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: resolving ns-1258.awsdns-29.org. A IN
Oct 12 04:36:08 unbound[52654:0] info: resolving ns-1689.awsdns-19.co.uk. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: resolving ns-940.awsdns-53.net. A IN
Oct 12 04:36:08 unbound[52654:0] info: response for ns-1258.awsdns-29.org. A IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <.> 192.36.148.17#53
Oct 12 04:36:08 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:08 unbound[52654:0] info: resolving a0.org.afilias-nst.info. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: priming . IN NS
Oct 12 04:36:08 unbound[52654:0] info: resolving d0.org.afilias-nst.org. A IN
Oct 12 04:36:08 unbound[52654:0] info: priming . IN NS
Oct 12 04:36:08 unbound[52654:0] info: resolving a0.org.afilias-nst.info. A IN
Oct 12 04:36:08 unbound[52654:0] info: priming . IN NS
Oct 12 04:36:08 unbound[52654:0] info: resolving d0.org.afilias-nst.org. AAAA IN
Oct 12 04:36:08 unbound[52654:0] info: priming . IN NS
Oct 12 04:36:08 unbound[52654:0] info: response for ns-940.awsdns-53.net. A IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <.> 2001:500:a8::e#53
Oct 12 04:36:08 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:08 unbound[52654:0] info: response for ns-1689.awsdns-19.co.uk. A IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <.> 2001:503:c27::2:30#53
Oct 12 04:36:08 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for ns-940.awsdns-53.net. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 199.7.91.13#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for . NS IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 202.12.27.33#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: priming successful for . NS IN
Oct 12 04:36:09 unbound[52654:0] info: priming successful for . NS IN
Oct 12 04:36:09 unbound[52654:0] info: priming successful for . NS IN
Oct 12 04:36:09 unbound[52654:0] info: priming successful for . NS IN
Oct 12 04:36:09 unbound[52654:0] info: response for ns-940.awsdns-53.net. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <net.> 192.35.51.30#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1689.awsdns-19.co.uk. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <uk.> 2610:a1:1010::3#53
Oct 12 04:36:09 unbound[52654:0] info: query response was nodata ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for a0.org.afilias-nst.info. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 192.58.128.30#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for a0.org.afilias-nst.info. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 2001:503:ba3e::2:30#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for d0.org.afilias-nst.org. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 192.203.230.10#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for ns-940.awsdns-53.net. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-53.net.> 205.251.199.181#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for d0.org.afilias-nst.org. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 2001:500:2d::d#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for a0.org.afilias-nst.info. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <info.> 199.254.50.1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for a0.org.afilias-nst.info. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <info.> 199.254.31.1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for a0.org.afilias-nst.info. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <afilias-nst.info.> 65.22.8.1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for a0.org.afilias-nst.info. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <afilias-nst.info.> 2a01:8840:8::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for a0.org.afilias-nst.info. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <org.afilias-nst.info.> 199.19.53.1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1689.awsdns-19.co.uk. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <uk.> 156.154.103.3#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for a0.org.afilias-nst.info. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <org.afilias-nst.info.> 199.19.56.1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1689.awsdns-19.co.uk. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-19.co.uk.> 205.251.195.147#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for a0.org.afilias-nst.info. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <org.afilias-nst.info.> 2001:500:e::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1258.awsdns-29.org. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <org.> 199.19.56.1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <getbuzzed.io.> 205.251.198.153#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: resolving ns-46.awsdns-05.com. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: resolving ns-46.awsdns-05.com. A IN
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1258.awsdns-29.org. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 198.97.190.53#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for ns-940.awsdns-53.net. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-53.net.> 205.251.197.117#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1689.awsdns-19.co.uk. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 2001:500:1::53#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <getbuzzed.io.> 205.251.198.153#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-46.awsdns-05.com. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 192.203.230.10#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1689.awsdns-19.co.uk. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <uk.> 156.154.101.3#53
Oct 12 04:36:09 unbound[52654:0] info: query response was nodata ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <getbuzzed.io.> 205.251.198.153#53
Oct 12 04:36:09 unbound[52654:0] info: query response was nodata ANSWER
Oct 12 04:36:09 unbound[52654:0] info: prime trust anchor
Oct 12 04:36:09 unbound[52654:0] info: generate keytag query _ta-4f66. NULL IN
Oct 12 04:36:09 unbound[52654:0] info: resolving . DNSKEY IN
Oct 12 04:36:09 unbound[52654:0] info: resolving _ta-4f66. NULL IN
Oct 12 04:36:09 unbound[52654:0] info: response for ns-46.awsdns-05.com. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <com.> 2001:502:8cc::30#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1689.awsdns-19.co.uk. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <uk.> 2001:502:2eda::3#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for ns-940.awsdns-53.net. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <net.> 192.12.94.30#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for _ta-4f66. NULL IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 2001:7fe::53#53
Oct 12 04:36:09 unbound[52654:0] info: query response was NXDOMAIN ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1689.awsdns-19.co.uk. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-19.co.uk.> 2600:9000:5303:9300::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for . DNSKEY IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 2001:500:2d::d#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: validate keys with anchor(DS): sec_status_secure
Oct 12 04:36:09 unbound[52654:0] info: Successfully primed trust anchor . DNSKEY IN
Oct 12 04:36:09 unbound[52654:0] info: resolving io. DS IN
Oct 12 04:36:09 unbound[52654:0] info: response for ns-940.awsdns-53.net. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-53.net.> 2600:9000:5303:3700::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-46.awsdns-05.com. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-05.com.> 2600:9000:5306:c500::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-46.awsdns-05.com. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-05.com.> 2600:9000:5306:c500::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for io. DS IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 198.97.190.53#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: validated DS io. DS IN
Oct 12 04:36:09 unbound[52654:0] info: resolving io. DNSKEY IN
Oct 12 04:36:09 unbound[52654:0] info: response for d0.org.afilias-nst.org. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <org.> 2001:500:48::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for d0.org.afilias-nst.org. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <afilias-nst.org.> 65.22.6.1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for d0.org.afilias-nst.org. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <org.afilias-nst.org.> 199.19.57.1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for d0.org.afilias-nst.org. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <org.> 2001:500:40::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for d0.org.afilias-nst.org. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <afilias-nst.org.> 2a01:8840:9::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for d0.org.afilias-nst.org. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <org.afilias-nst.org.> 199.19.54.1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1258.awsdns-29.org. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <org.> 2001:500:40::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for d0.org.afilias-nst.org. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <org.afilias-nst.org.> 199.19.54.1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1258.awsdns-29.org. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-29.org.> 2600:9000:5304:2000::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1258.awsdns-29.org. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-29.org.> 205.251.192.157#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1258.awsdns-29.org. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-29.org.> 2600:9000:5300:9d00::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for ns-1689.awsdns-19.co.uk. AAAA IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <awsdns-19.co.uk.> 2600:9000:5301:5300::1#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for io. DNSKEY IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 2001:500:9f::42#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for io. DNSKEY IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <io.> 65.22.160.17#53
Oct 12 04:36:09 unbound[52654:0] info: query response was ANSWER
Oct 12 04:36:09 unbound[52654:0] info: validated DNSKEY io. DNSKEY IN
Oct 12 04:36:09 unbound[52654:0] info: resolving getbuzzed.io. DS IN
Oct 12 04:36:09 unbound[52654:0] info: response for ns-46.awsdns-05.com. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <.> 193.0.14.129#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for ns-46.awsdns-05.com. A IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <com.> 2001:502:7094::30#53
Oct 12 04:36:09 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for getbuzzed.io. DS IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <io.> 2a01:8840:9f::17#53
Oct 12 04:36:09 unbound[52654:0] info: query response was nodata ANSWER
Oct 12 04:36:09 unbound[52654:0] info: NSEC3s for the referral proved no DS.
Oct 12 04:36:09 unbound[52654:0] info: Verified that unsigned response is INSECURE
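Reading the unbound test output above takes some care: the useful line is the final "query response was ..." for the name you asked about, and only after a "reply from" a server inside the zone itself (here <getbuzzed.io.>), since everything before that is referrals from the root and .io servers. For stg.api.getbuzzed.io that final verdict is "nodata ANSWER", meaning Route 53 answered authoritatively that the name exists but carries no TXT record, which is a different condition from the NXDOMAIN that Let's Encrypt reported for _acme-challenge.stg.api.getbuzzed.io (the name does not exist at all). The script below is an added example, not part of the thread or of unbound; it parses that log format and classifies the last verdict per queried name. The first seven sample lines are copied from the log above, the last three are constructed to show what a missing _acme-challenge name looks like.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log: the first seven lines are copied from the unbound
# test output in the thread; the last three are made up to show what a missing
# _acme-challenge name looks like (NXDOMAIN from the zone's own server).
SAMPLE_LOG = """\
Oct 12 04:36:08 unbound[52654:0] info: resolving stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:08 unbound[52654:0] info: response for stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:08 unbound[52654:0] info: reply from <.> 2001:dc3::35#53
Oct 12 04:36:08 unbound[52654:0] info: query response was REFERRAL
Oct 12 04:36:09 unbound[52654:0] info: response for stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <getbuzzed.io.> 205.251.198.153#53
Oct 12 04:36:09 unbound[52654:0] info: query response was nodata ANSWER
Oct 12 04:36:09 unbound[52654:0] info: response for _acme-challenge.stg.api.getbuzzed.io. TXT IN
Oct 12 04:36:09 unbound[52654:0] info: reply from <getbuzzed.io.> 205.251.198.153#53
Oct 12 04:36:09 unbound[52654:0] info: query response was NXDOMAIN ANSWER
"""

RESPONSE_RE = re.compile(r"info: response for (\S+) (\S+) IN$")
REPLY_RE = re.compile(r"info: reply from <(\S+)> (\S+)#(\d+)$")
STATUS_RE = re.compile(r"info: query response was (.+)$")

Step = Tuple[str, str, str]  # (answering zone, server address, unbound's verdict)


def responses(lines) -> Dict[Tuple[str, str], List[Step]]:
    """Group each 'response for' / 'reply from' / 'query response was' triple
    by (owner name, record type), in log order."""
    out: Dict[Tuple[str, str], List[Step]] = {}
    key = zone = server = None
    for line in lines:
        line = line.rstrip()
        if m := RESPONSE_RE.search(line):
            key, zone, server = (m.group(1), m.group(2)), None, None
        elif m := REPLY_RE.search(line):
            zone, server = m.group(1), m.group(2)
        elif (m := STATUS_RE.search(line)) and key is not None:
            out.setdefault(key, []).append((zone, server, m.group(1)))
            key = None
    return out


def diagnose(lines, name: str, rtype: str = "TXT") -> str:
    """Classify the last verdict recorded for (name, rtype)."""
    steps = responses(lines).get((name, rtype))
    if not steps:
        return "unresolved"
    zone, server, status = steps[-1]
    if status == "NXDOMAIN ANSWER":
        return "missing"             # the name does not exist in the zone at all
    if status == "nodata ANSWER":
        return "exists-no-records"   # name exists but has no records of this type
    if status == "ANSWER":
        return "records-present"
    return "unresolved"              # REFERRAL or lame delegation: never reached the zone


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (name, rtype), steps in responses(lines).items():
        zone, server, status = steps[-1]
        print(f"{name} {rtype}: {status!r} from zone {zone} ({server})"
              f" -> {diagnose(lines, name, rtype)}")
```

Paste a fresh unboundtest.com log in place of SAMPLE_LOG and ask for the _acme-challenge name rather than the bare hostname; "missing" reproduces the certbot error, "exists-no-records" means the record set exists at the right name but is empty or of the wrong type, and "unresolved" means the lookup never reached the Route 53 servers at all.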

Hi, double check your credentials have the required permission with AWS and they are set as an environment variable or credentials config file:
https://certbot-dns-route53.readthedocs.io/en/stable/

I think you also want to use:
--dns-route53-propagation-seconds 60
not
--dns-route53-propagation-seconds=60
[I don't know if it matters or not]

1 Like

Certbot definitely has access to the AWS credentials. It was letting me know before I got to this point that it needed more permissions; I followed that documentation as a guide and haven't had a permission issue since. Plus, to double check, I ran aws sts get-caller-identity

You should check for _acme-challenge.stg.api.getbuzzed.io.

2 Likes

Can you optionally try a couple of things:

1: Manually create a TXT record in your called _acme-test.stg.api and set the value to hello, we can then check that from here.

2: If you have a Windows machine a quick way (a couple of minutes) to test your AWS credentials and domain validation via Let's Encrypt is by downloading https://certifytheweb.com, install it on any machine (even desktop), click New Certificate (prompted to add a contact for Let's Encrypt first time), manually enter your domain as stg.api.getbuzzed.io under 'Add domains to certificate' and click + (or hit return) to add it to the list of names on the cert.

On the authorization tab, change Challenge Type to DNS, set DNS Update Method to Amazon Route 53, click New next to Credentials and enter them, select your DNS Zone Id (..., then choose from dropdown), click Test to confirm test DNS records can be created, then click 'Request Certificate' to try getting an actual certificate.

If that all works (phew!) then your credentials and DNS settings etc. are correct and the fault you are seeing is something to do with the command line config of certbot. If it doesn't work it may tell us more about what exactly isn't working.

1 Like

Hmm. Yes, I see now you do not have nginx running yet as you have nothing listening on ports 80 or 443. At least, nothing that can be reached from outside. Perhaps your EC2 Security Group or VPC Network ACL is blocking access.

Unless you need a wildcard cert or are using the cert for some other specialized purpose, webroot is normally much easier to set up.

1 Like

@webprofusion I did not get a certificate when I tried this. So it must be user error :grin: . I think I did it correctly; I have a multi-account setup within AWS so it gets pretty confusing. Was I supposed to put this in the record set of stg.api.getbuzzed.io or inside of record set _acme-challenge.stg.api.getbuzzed.io? I put it inside of stg.api.getbuzzed.io, but I'll try with the second one tonight just to make sure. Here are the last lines from the logs. It looks like it created it but couldn't validate, which is what happened with the acme script too. My only thought right now is maybe I'm missing a permission to pull down the created file.

2021-10-12 06:27:50.296 -06:00 [INF] Attempting Domain Validation: stg.api.getbuzzed.io
2021-10-12 06:27:50.297 -06:00 [INF] Registering and Validating stg.api.getbuzzed.io 
2021-10-12 06:27:50.297 -06:00 [INF] Performing automated challenge responses (stg.api.getbuzzed.io)
2021-10-12 06:27:50.298 -06:00 [INF] DNS: Creating TXT Record '_acme-challenge.stg.api.getbuzzed.io' with value 'JkJfzRfB_xUsrwuHmsmynLc8MOoiJE9cWL45MeC5QRg', in Zone Id '' using API provider 'Certify DNS'
2021-10-12 06:27:50.804 -06:00 [ERR] DNS update failed: Certify DNS :: Failed to register with Certify DNS. Check API Url and required credentials (if any).
2021-10-12 06:27:50.804 -06:00 [INF] Requesting Validation: stg.api.getbuzzed.io
2021-10-12 06:27:50.805 -06:00 [INF] Certify DNS :: Failed to register with Certify DNS. Check API Url and required credentials (if any).
2021-10-12 06:27:51.159 -06:00 [INF] Certify DNS :: Failed to register with Certify DNS. Check API Url and required credentials (if any).
2021-10-12 06:27:51.159 -06:00 [INF] Certify DNS :: Failed to register with Certify DNS. Check API Url and required credentials (if any).


@MikeMcQ It could be something like that I'll take a look. Since it can create the file it seems weird that it wouldn't have all the required permissions but I'm thinking it might not be able to pull the created file back down.
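The question of which name the record belongs on, and the earlier advice to check for _acme-challenge.stg.api.getbuzzed.io rather than the bare hostname, both come down to how the dns-01 challenge is defined in RFC 8555: the CA queries TXT at the _acme-challenge label prepended to the validated name, and the record content is the base64url-encoded SHA-256 digest of the key authorization (token + "." + the account key's JWK thumbprint), never the raw token. The following is an added example, not code from the thread, certbot or Certify The Web; it computes the name and value a client should have published and classifies what an independent lookup of the zone shows. The token and thumbprint are constructed placeholders.

```python
import base64
import hashlib
from typing import Dict, List

ACME_LABEL = "_acme-challenge"


def dns01_record_name(domain: str) -> str:
    """Owner name the CA queries for a dns-01 challenge: the _acme-challenge
    label prepended to the identifier being validated (RFC 8555, section 8.4)."""
    return f"{ACME_LABEL}.{domain.rstrip('.')}"


def dns01_txt_value(key_authorization: str) -> str:
    """TXT content = base64url(SHA-256(key authorization)) with '=' padding stripped."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def expected_txt(token: str, account_key_thumbprint: str) -> str:
    """Key authorization is '<token>.<JWK thumbprint of the account key>'
    (RFC 8555, section 8.1); the TXT record holds its digest, not the token."""
    return dns01_txt_value(f"{token}.{account_key_thumbprint}")


def check_txt(observed: Dict[str, List[str]], domain: str, expected_value: str) -> str:
    """observed maps owner names to the TXT strings seen at the zone's own
    nameservers. Returns 'ok', 'wrong-name', 'wrong-value' or 'missing'."""
    wanted = dns01_record_name(domain)
    have = {name.rstrip("."): values for name, values in observed.items()}
    if expected_value in have.get(wanted, []):
        return "ok"
    if any(expected_value in values for values in have.values()):
        return "wrong-name"      # published under the bare hostname or similar
    if wanted in have:
        return "wrong-value"     # stale value from an earlier attempt, or a typo
    return "missing"             # the condition behind the NXDOMAIN error


if __name__ == "__main__":
    # Constructed inputs: a made-up token and thumbprint, not values from the thread.
    token = "constructed-token-not-from-thread"
    thumbprint = "constructed-account-key-thumbprint"
    domain = "stg.api.getbuzzed.io"
    value = expected_txt(token, thumbprint)
    print("name the CA queries:", dns01_record_name(domain))
    print("expected TXT value: ", value)
    # The record placed on the bare hostname instead of the _acme-challenge name:
    print(check_txt({domain: [value]}, domain, value))  # wrong-name
```

A record set created on stg.api.getbuzzed.io itself is reported as "wrong-name": the CA never looks there, so the lookup of _acme-challenge.stg.api.getbuzzed.io still returns NXDOMAIN. The value column is also why a TXT of "hello" at a test name proves only that the credentials can write to the zone, not that the challenge value is right.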

Slow down!

You've just used the wrong option - the app supports many, many DNS providers and you've used the default, Certify DNS, that's our cloud hosted CNAME challenge response service, it's nothing to do with AWS Route 53.

If you want to try again, go back to the Authorization tab and select Amazon Route 53 (instead of Certify DNS). You'll then need to add your AWS API credentials.

1 Like