I post a domain challenge TXT record to AWS Route 53, but Let's Encrypt doesn't see it

Question

I finally got certbot-auto installed on the AWS EC2 Linux instance that was giving me trouble, and I'm trying to get a wildcard cert from Let's Encrypt.

I was told to put up a TXT record under the name (changed to protect the innocent) _acme-challenge.foo.bar.net, with a given value.

So I go to the Route 53 console page, and select the bar.net hosted zone. I add the _acme-challenge.foo.bar.net record, with the specified value, click "Save Record Set," and wait a few minutes. Then I select it, and click "Test Record Set," and Route 53 thinks it's published.

But when I tell certbot-auto to proceed, and Let's Encrypt looks for the record, it isn't there. And if I do an nslookup -q=txt _acme-challenge.foo.bar.net, I get

server can't find _acme-challenge.foo.bar.net

and for nslookup -q=txt foo.bar.net, I get

server can't find foo.bar.net

And yet, if I do a regular nslookup on foo.bar.net, I find it.

What is going wrong?

Answer 1

I found the source of the problem.

While cross-checking the servers listed in the NS record, I happened to notice that the name on the TXT record was not (names still changed to protect the innocent)

_acme-challenge.foo.bar.net

but

_acme-challenge.foo.bar.net.bar.net

I'd failed to notice that the Route 53 Console's record set editor puts the hosted zone's domain name to the right of the field for entering the record set name, and then appends it to what you enter. So I was entering the whole record name, and thus getting the ".bar.net" in there twice, once explicitly, and once implicitly.

To coin a phrase first uttered by a certain fictional engineer named Montgomery Scott,

The more you overthink the plumbing, the easier it is to stop up the drain.