Reputation: 66
I have a DigitalOcean droplet with Dokku running on it. I also have an AWS Route 53 hosted zone (the domain was registered elsewhere, I changed the name servers to Route 53). In that hosted zone I have created an A record pointing to my droplet.
The A record seems to work fine (I can access my Dokku container from Postman by domain): [image]
I am now trying to issue a Let's Encrypt certificate for my domain. I'm using dokku-letsencrypt for this. However, I'm receiving the following error:
CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5705758732
Challenge validation has failed, see error log.
The link provided by the error contains this:
DNS problem: SERVFAIL looking up A for gmail-bot.bloberenober.dev - the domain's nameservers may be malfunctioning
I performed a query on unboundtest.com and the response is kinda cryptic to me, but these are the last lines:
Jul 06 18:40:21 unbound[5640:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Jul 06 18:40:21 unbound[5640:0] info: Could not establish a chain of trust to keys for bloberenober.dev. DNSKEY IN
Jul 06 18:40:21 unbound[5640:0] info: 127.0.0.1 gmail-bot.bloberenober.dev. A IN SERVFAIL 6.743746 0 44
I did some research and found out that DNSKEY records are part of DNSSEC, and apparently it is not supported by Route 53 for existing domains:
Amazon Route 53 supports DNSSEC for domain registration. However, Route 53 does not support DNSSEC for DNS service, regardless of whether the domain is registered with Route 53. If you want to configure DNSSEC for a domain that is registered with Route 53, you must either use another DNS service provider or set up your own DNS server.
I have also tried running certbot manually and added a TXT record to my hosted zone, but received a similar error:
Failed authorization procedure. gmail-bot.bloberenober.dev (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.gmail-bot.bloberenober.dev - the domain's nameservers may be malfunctioning
The domain in question is gmail-bot.bloberenober.dev
What am I doing wrong? Can I even issue a Let's Encrypt certificate for this case?
Upvotes: 1
Views: 2300
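The unbound log lines quoted above ("Missing DNSKEY RRset", "Could not establish a chain of trust") describe one specific failure: a validating resolver such as the one Let's Encrypt uses finds a DS record for the zone in the parent (here the .dev TLD zone, where the registrar published it) but gets no DNSKEY from the zone's authoritative servers, so it cannot build a chain of trust and returns SERVFAIL for every name in the zone. Note that the Route 53 documentation quoted in the question predates Route 53's support for DNSSEC signing of hosted zones, which has since been added. The script below is an added example, not code from the question, from dokku-letsencrypt, certbot or unbound; it reproduces the check that unboundtest.com performs by asking the parent for DS and the child for DNSKEY with dig, and classifies the result. The function names and the DS hash used in the comments are my own constructed illustrations, and it assumes `dig` is installed and that you pass the zone apex (bloberenober.dev), not the subdomain, since the DS record sits at the delegation point.

```shell
# Classify a zone's DNSSEC state from two inputs: the DS RRset the parent zone
# publishes for it and the DNSKEY RRset the zone's own servers return.
#   insecure   - no DS and no DNSKEY: unsigned zone, resolvers skip validation
#   signed     - DS and DNSKEY both present (key/digest match not verified here)
#   unanchored - DNSKEY but no DS: signed, but resolvers treat it as insecure
#   broken     - DS but no DNSKEY: chain of trust cannot be built -> SERVFAIL,
#                which is exactly what the question's unbound log shows
classify_dnssec_chain() {
    ds="$1"
    dnskey="$2"
    if [ -n "$ds" ] && [ -z "$dnskey" ]; then
        echo broken
    elif [ -n "$ds" ]; then
        echo signed
    elif [ -n "$dnskey" ]; then
        echo unanchored
    else
        echo insecure
    fi
}

# Constructed illustration of the question's situation (the hash is made up):
#   classify_dnssec_chain "51202 13 2 deadbeefdeadbeef" ""   -> broken

# Live check (needs network). Queries go to the authoritative servers rather
# than through a validating resolver, which would itself SERVFAIL on a broken
# zone; the +cd flag (checking disabled) keeps the bootstrap NS lookups
# from failing for the same reason.
check_dnssec_chain() {
    zone="$1"
    parent="${zone#*.}"
    parent_ns=$(dig +short +cd NS "$parent" | head -n 1)
    child_ns=$(dig +short +cd NS "$zone" | head -n 1)
    ds=$(dig +short DS "$zone" "@$parent_ns")
    dnskey=$(dig +short DNSKEY "$zone" "@$child_ns")
    state=$(classify_dnssec_chain "$ds" "$dnskey")
    echo "$zone: $state (DS at $parent_ns: ${ds:-none}; DNSKEY at $child_ns: ${dnskey:+present}${dnskey:-none})"
    if [ "$state" = broken ]; then
        echo "  fix: delete the DS record at the registrar, or serve the zone from a provider that signs it and publish that provider's DS"
    fi
}

# Usage: sh dnssec_check.sh bloberenober.dev
if [ $# -gt 0 ]; then
    check_dnssec_chain "$1"
fi
```

In the question's case the state is "broken": the registrar-side DS record survived the nameserver change while the new provider served no DNSKEY. Either outcome the script suggests resolves the SERVFAIL, and after the change a plain `dig +dnssec A gmail-bot.bloberenober.dev` through a validating resolver should answer with NOERROR before retrying the ACME challenge.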
Reputation: 66
I solved this issue by changing my DNS service provider to CloudFlare instead of Route 53. They provide DNSSEC support and a generic SSL certificate out of the box which was enough for my needs, so in the end I didn't need to issue a Let's Encrypt certificate at all.
Upvotes: 1