Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: ntdet.distancelearning.ninja
I ran this command: CertifyTheWeb dns-01 Amazon Route 53 DNS API
It produced this output: The test completed successfully. The request certificate failed.
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is: Windows Server 2012R2
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certify SSL/TLS Certificate Manager 5.1.7.0
I have tried both by manually creating an _acme-challenge.ntdet.distancelearning.ninja DNS record and without. Any assistance would be appreciated.
Could you please take a screenshot of the NS record in your Route 53 interface?
Sometimes users have ended up in a situation where they're trying to validate using the wrong zone in the wrong account. That's the first thing that comes to mind, anyway.
But it only has a TTL of 5 seconds; it disappears very quickly.
The debug output states it doesn't exist:
2020-09-18 13:04:27.300 +09:30 [INF] Performing automated challenge responses (ntdet.distancelearning.ninja)
2020-09-18 13:04:27.302 +09:30 [INF] DNS: Creating TXT Record '_acme-challenge.ntdet.distancelearning.ninja' with value '6SFGTaKFHicalfyH1GTjBtIaL4ECI2ePrG9hZrsomd8', in Zone Id '/hostedzone/Z02508492RWOXJ1VQOBK7' using API provider 'Amazon Route 53 DNS API'
2020-09-18 13:05:01.925 +09:30 [INF] DNS change completed.
2020-09-18 13:05:01.925 +09:30 [INF] DNS: Amazon Route 53 DNS API :: Dns Record Created/Updated: _acme-challenge.ntdet.distancelearning.ninja
2020-09-18 13:05:01.925 +09:30 [INF] Requesting Validation: ntdet.distancelearning.ninja
2020-09-18 13:06:02.207 +09:30 [INF] Attempting Challenge Response Validation for Domain: ntdet.distancelearning.ninja
2020-09-18 13:06:02.207 +09:30 [INF] Registering and Validating ntdet.distancelearning.ninja
2020-09-18 13:06:02.207 +09:30 [INF] Checking automated challenge response for Domain: ntdet.distancelearning.ninja
2020-09-18 13:06:03.027 +09:30 [WRN] Challenge response validation still pending. Re-checking [10]...
2020-09-18 13:06:05.066 +09:30 [INF] No TXT record found at _acme-challenge.ntdet.distancelearning.ninja
2020-09-18 13:06:05.530 +09:30 [INF] DNS: Deleting TXT Record '_acme-challenge.ntdet.distancelearning.ninja', in Zone Id '/hostedzone/Z02508492RWOXJ1VQOBK7' using API provider 'Amazon Route 53 DNS API'
2020-09-18 13:06:05.718 +09:30 [INF] Validation of the required challenges did not complete successfully. No TXT record found at _acme-challenge.ntdet.distancelearning.ninja
Hi. We wait for Route 53 to say it's finished doing its update, but you can also modify the propagation delay time (for instance set it to 120 seconds instead of 60).
Note that the TTL of the record isn't what makes it disappear; it's the cleanup phase of the challenge response validation in Certify that's removing it.
I think the problem may be the wrong Zone ID selection? In Certify, when you choose Route 53 and then choose the API credentials to use, you can select from the Zone ID dropdown list to pick which specific DNS zone you want to update (perhaps you have more than one zone with the same name?). I notice in your log it says the zone id is Z02508492RWOXJ1VQOBK7, but in your screenshot the zone id is Z08...PASK165.
After you add your Credentials I am only offered one selection, and after selecting distancelearning.ninja it is automatically populated by the ID that matches the Hosted Zone ID:
'/hostedzone/Z02508492RWOXJ1VQOBK7'
I have tried both with and without the /hostedzone/ tag removed, without success.
I can confirm that it is the script that removes the acme TXT listing. I increased the pause to 90 seconds and the acme test listing was not removed until after that pause.
It's a long shot, but can you also screenshot the 'Hosted zone details' interface from my earlier comment? Or anywhere else you can see the nameserver list.
Ahhh, I should have pressed you for that information earlier. That's definitely the problem.
Here is the actual list of nameservers of your domain:
distancelearning.ninja. 86400 IN NS ns-1870.awsdns-41.co.uk.
distancelearning.ninja. 86400 IN NS ns-1486.awsdns-57.org.
distancelearning.ninja. 86400 IN NS ns-490.awsdns-61.com.
distancelearning.ninja. 86400 IN NS ns-955.awsdns-55.net.
See how none of them match what's in your user interface?
I think this domain might be managed from a different AWS account and a different Route 53 zone. Are you aware of any other accounts, or other people who configured this domain?
If you instead want to use this Route 53 zone (as shown in your screenshot), I think you will have to go to Route 53, go to the 'Registered Domains' list, and change the nameservers of the domain so they match the ones in your screenshot.
Well, thank you so much. I am the only account for this domain; it was started as a Lightsail network. Just out of interest, how do you know which are the correct nameservers? I am having no issues with DNS lookups.
I suppose that "correct" is a matter of interpretation.
Your intent is that the nameservers should be the ones in the Route 53 screenshot.
In reality, a different set of nameservers is in effect. I check this by doing an iterative DNS query (dig +trace distancelearning.ninja ns). Or you can check with a website like intoDNS (check DNS server and mail server health).
I guess something went wrong during your Lightsail setup? Maybe some things got added and deleted, and then the domain's configuration got out of sync with your Route 53 configuration somehow.
Either way, you should be able to fix it by following the last paragraph in my previous reply.
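The check described above, as an added example that is not part of the original thread: a small POSIX shell script that normalises the NS list the parent zone actually publishes (the dig +trace output quoted earlier in the thread) and the name servers of the Route 53 hosted zone being written to, then reports whether they agree. The hosted-zone names below are hypothetical because the screenshot is not on the page; the dig and aws commands shown in comments are the real ones to substitute for the constructed input.

```shell
#!/bin/sh
# Added example (not the thread's or Certify's code): compare the delegation
# the parent zone actually publishes with the name servers of the Route 53
# hosted zone that the ACME client writes to. If they differ, the TXT record
# is written to servers the CA never asks, which is exactly the
# "No TXT record found" symptom seen in the log above.

# Constructed input 1: the NS records from the thread's dig +trace output.
# Real command to obtain them:
#   dig +trace distancelearning.ninja NS | awk '$1=="distancelearning.ninja." && $4=="NS"'
PARENT_NS='distancelearning.ninja. 86400 IN NS ns-1870.awsdns-41.co.uk.
distancelearning.ninja. 86400 IN NS ns-1486.awsdns-57.org.
distancelearning.ninja. 86400 IN NS ns-490.awsdns-61.com.
distancelearning.ninja. 86400 IN NS ns-955.awsdns-55.net.'

# Constructed input 2: the hosted zone's delegation set. These names are
# hypothetical (the screenshot is not on the page). Real command:
#   aws route53 get-hosted-zone --id Z02508492RWOXJ1VQOBK7 \
#       --query 'DelegationSet.NameServers' --output text | tr '\t' '\n'
ZONE_NS='ns-1111.awsdns-11.org
ns-2222.awsdns-22.co.uk
ns-333.awsdns-33.com
ns-444.awsdns-44.net'

# Normalise either input form (full RR lines or bare host names) to a sorted,
# de-duplicated list of lowercase names without the trailing dot, so the two
# lists can be compared byte for byte.
norm_ns() {
    awk 'NF { n = $NF; sub(/\.$/, "", n); print tolower(n) }' | sort -u
}

# Returns 0 when the parent delegation and the hosted zone agree, 1 otherwise.
check_delegation() {
    parent=$(printf '%s\n' "$1" | norm_ns)
    zone=$(printf '%s\n' "$2" | norm_ns)
    if [ "$parent" = "$zone" ]; then
        echo "OK: parent delegation matches the hosted zone's name servers"
        return 0
    fi
    echo "MISMATCH: the parent zone delegates to:"
    echo "$parent"
    echo "but the hosted zone being updated has:"
    echo "$zone"
    echo "ACME TXT records written to this zone will never be seen by the CA."
    return 1
}

# Once the lists agree, confirm a freshly written challenge record is visible
# on one of the delegated servers (real command, left as a comment here):
#   dig @ns-1870.awsdns-41.co.uk _acme-challenge.ntdet.distancelearning.ninja TXT +short

if check_delegation "$PARENT_NS" "$ZONE_NS"; then
    echo "Delegation is consistent; look elsewhere for the failure."
else
    echo "Fix: either point the registered domain at this hosted zone's name servers,"
    echo "or write the TXT record in the zone the parent actually delegates to."
fi
```

The comparison is done on normalised names rather than on the raw dig lines because the parent and the hosted zone present the same servers in different shapes (RR lines with a trailing dot versus bare names), and because a resolver that answers lookups fine (as the poster observed) says nothing about which zone the ACME client just wrote to; only the delegation does.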
Maybe just individually add and remove the nameservers that it thinks it should have (to see if it forces the top level UI to update):
distancelearning.ninja. 0 IN NS ns-1486.awsdns-57.org.
distancelearning.ninja. 0 IN NS ns-1870.awsdns-41.co.uk.
distancelearning.ninja. 0 IN NS ns-490.awsdns-61.com.
distancelearning.ninja. 0 IN NS ns-955.awsdns-55.net.
It looks like the main AWS UI at the top level is confused (so possibly a bug in how AWS has configured the domain), but that could mean that when the AWS SDK tries to make the TXT record change, the wrong servers are updated? It may even be worth contacting AWS support to get them to check, in case it's a fundamental bug that could affect other users.
As suggested, I have edited the NS entries and it hasn't altered the Hosted Zone NS. I went to delete the Hosted Zone, but it wants me to remove all my NS entries before doing that.
It is a bit crazy, as I actually see the _acme-challenge entry being added and removed, so you would think it is correctly resolved.