Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy and only makes it harder for us to provide help.
My domain is: moden.uno, *.moden.uno
I ran this command: sudo certbot certonly -v --dns-route53 -i nginx -d moden.uno -d *.moden.uno --test-cert --break-my-certs
(Note: I use --break-my-certs
only because --test-cert
requires it.)
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Credentials found in config file: ~/.aws/config
Plugins selected: Authenticator dns-route53, Installer nginx
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/moden.uno.conf)
It contains these names: moden.uno
You requested these names for the new certificate: moden.uno, *.moden.uno.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate for moden.uno and *.moden.uno
Performing the following challenges:
dns-01 challenge for moden.uno
dns-01 challenge for moden.uno
Waiting for verification...
Challenge failed for domain moden.uno
Challenge failed for domain moden.uno
dns-01 challenge for moden.uno
dns-01 challenge for moden.uno
Certbot failed to authenticate some domains (authenticator: dns-route53). The Certificate Authority reported these problems:
Domain: moden.uno
Type: unauthorized
Detail: No TXT record found at _acme-challenge.moden.uno
Domain: moden.uno
Type: unauthorized
Detail: No TXT record found at _acme-challenge.moden.uno
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-route53. Ensure the above domains have their DNS hosted by AWS Route53.
Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
(Note: The redundant dns-01 challenge for moden.uno only happens when I use --test-cert
)
My web server is (include version): nginx/1.22.1
The operating system my web server runs on is (include version): Debian 12
My hosting provider, if applicable, is: Route 53 pointing to a Lightsail instance.
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot): certbot 2.9.0
Comments: Hello! I have followed and double checked the instructions on the certbot website, here. I have also checked that the certbot process has a proper AWS IAM user, permissions, and credentials, as a different error occurs if any are wrong. I have also verified that the TXT record/s are created on Route 53; I am not sure how or why the above error types are "unauthorized."
I can check Route 53 and see that the TXT record is added when certbot runs (and removed when certbot finishes), but external investigation has never shown the record. The certbot process errors-out after about 30 seconds, but I have never had a record propagate on Route 53 within that time. I have a feeling that the record is not being given time to propagate, but the --dns-route53-propagation-seconds
argument has been deprecated.
I appreciate any feedback the community may have and am more than happy to answer any questions.