
I moved my domain to Route53 and am now getting problems with Certbot renewal. Certbot has been running great for 4 years, but is now failing to renew.

When running sudo certbot renew --apache I get this error:

   Type:   None
   Detail: DNS problem: looking up A for somedomain.com: DNSSEC:
   DNSKEY Missing; DNS problem: looking up AAAA for
   somedomain.com: DNSSEC: DNSKEY Missing

DNSSEC is not, and has never been, enabled for that domain in Route53, so I'm not sure why Certbot fails.

I am at a loss here and would really like to use Route53 instead of the old domain manager.

EDIT: It looks like DNSSEC was activated by default for .se domains in the old domain manager (Loopia).

This is what I see under Registered domains in Route 53:

(screenshot: Registered domains)

Using Ubuntu/Apache/python3-certbot-apache

UPDATE: I removed the record in Route53 Registered domains, but now I'm getting this error instead:

   Detail: DNS problem: looking up A for somedomain.com: DNSSEC:
   DNSKEY Missing; DNS problem: looking up AAAA for
   somedomain.com: DNSSEC: Bogus
Malako
    `DNSSEC is not, and hasn't ever been enabled for that domain in Route53` - did you used to have DNSSEC set up? – Jaromanda X Jul 30 '23 at 04:47
  • In the old domain manager it looks like DNSSEC was enabled by default. I just did a domain transfer to Route53, copied all the DNS records and changed name servers and thought that was it. Any help is really appreciated. – Malako Jul 30 '23 at 14:58

1 Answer


It looks like DNSSEC was activated by default for .se domains in the old domain manager (Loopia).

It sounds like you need to either remove the DS record if you don't want to have the zone signed, or otherwise sign the zone and update the DS record to reflect the current DNSKEY.

The DS record is part of the delegation (parent zone) and is managed through your registrar.

Håkan Lindqvist
  • I added a screenshot to the question just to make sure I am on the right track. I should delete this record right? I don't want to enable DNSSEC for now. – Malako Jul 30 '23 at 15:42
  • @Malako Looks reasonable to me, if this is in the registrar section of Route53. – Håkan Lindqvist Jul 30 '23 at 16:19
  • I deleted the record but now I'm getting another error - question updated. Thanks a lot for taking your time Håkan, I really appreciate it! – Malako Jul 30 '23 at 19:50
  • @Malako That looks like the same error, no? It could just be a caching problem, but hard to tell from my end. Maybe see what dnsviz.net says? – Håkan Lindqvist Jul 30 '23 at 20:14
  • Hi Håkan. For A record it's the same, for AAAA it's different. I will try again this evening. – Malako Jul 31 '23 at 05:54
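The check Håkan's answer describes, as an added example that is not part of the original question or answer: a validating resolver only accepts a delegation as secure when a DS record in the parent zone matches a DNSKEY served by the child zone (same key tag, same algorithm, and the DS digest equals the hash of the canonical owner name plus the DNSKEY RDATA, per RFC 4034 section 5.1.4 and RFC 4509 for SHA-256). The script below computes that linkage from records in the presentation form that `dig +short` prints, and classifies the delegation the way the error messages in the question hint at. All names, keys and records in it are constructed for illustration (the 64-byte "public key" is just a byte pattern, not a real ECDSA key), and the label strings ("insecure", "dnskey-missing", "bogus", "secure") are this example's own, not Certbot's or Unbound's exact wording. It checks only the DS/DNSKEY link; it does not validate RRSIGs, which a real resolver also does.

```python
"""Does a parent-zone DS set match a child zone's DNSKEY set? (RFC 4034 / RFC 4509)

Added example for a Route 53 migration that left a stale DS behind; the sample
records below are constructed, not real.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw key bytes (base64-decoded)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes


DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(key: DNSKEY) -> bytes:
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (the common algorithm; RSA/MD5 used a different one)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGOS[digest_type](wire_name(owner) + dnskey_rdata(key)).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def parse_dnskey(text: str) -> DNSKEY:
    """Parse 'FLAGS PROTO ALG BASE64...' as printed by `dig +short DNSKEY <zone>`."""
    flags, proto, alg, *b64 = text.split()
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_ds(text: str) -> DS:
    """Parse 'TAG ALG DIGESTTYPE HEX...' as printed by `dig +short DS <zone>`."""
    tag, alg, dtype, *hexparts = text.split()
    return DS(int(tag), int(alg), int(dtype), bytes.fromhex("".join(hexparts)))


def classify_delegation(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """Classify a delegation from the parent's DS set and the child's DNSKEY set."""
    if not parent_ds:
        return "insecure"        # no DS: unsigned delegation, nothing to validate (the asker's goal)
    if not child_dnskeys:
        return "dnskey-missing"  # DS published but the child zone serves no DNSKEY (question's first error)
    for ds in parent_ds:
        for key in child_dnskeys:
            if ds.digest_type in DIGEST_ALGOS and ds_from_dnskey(owner, key, ds.digest_type) == ds:
                return "secure"
    return "bogus"               # DS present but matches none of the keys: stale DS after a re-sign or move


# Constructed sample data (not a real key): a KSK for the question's placeholder name.
SAMPLE_OWNER = "somedomain.com"
SAMPLE_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
SAMPLE_DS = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_KSK)                      # what Loopia would have published
OTHER_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64, 128)))


def scenarios() -> dict:
    """The states a zone passes through during a migration like the one in the question."""
    return {
        "signed at old host, DS in parent": classify_delegation(SAMPLE_OWNER, [SAMPLE_DS], [SAMPLE_KSK]),
        "moved to unsigned zone, DS left behind": classify_delegation(SAMPLE_OWNER, [SAMPLE_DS], []),
        "re-signed with a new key, DS not updated": classify_delegation(SAMPLE_OWNER, [SAMPLE_DS], [OTHER_KSK]),
        "DS removed at registrar": classify_delegation(SAMPLE_OWNER, [], []),
    }


if __name__ == "__main__":
    for state, result in scenarios().items():
        print(f"{state:45s} -> {result}")
```

To run it against a real zone, feed `parse_ds` the lines from `dig +short DS somedomain.com` (the DS lives in the parent, so any recursive resolver returns it) and `parse_dnskey` the lines from `dig +short DNSKEY somedomain.com @<one of the zone's authoritative name servers>`. After deleting the DS at the registrar, resolvers may keep the old DS cached until its TTL expires, which is why the error can persist for a while after the fix, as the answer's comment about caching suggests.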