无法为 AWS Route 53 域颁发 Let's Encrypt 证书

Unable to issue Let's Encrypt certificate for AWS Route 53 domain

我有一个带有 Dokku 运行 的 DigitalOcean 液滴。我还有一个 AWS Route 53 托管区域(该域已在别处注册,我将名称服务器更改为 Route 53)。在该托管区域中,我创建了一个指向我的 Droplet 的 A 记录。

A 记录似乎工作正常(我可以通过域从 Postman 访问我的 Dokku 容器): image.

我现在正在尝试为我的域颁发 Let's Encrypt 证书。我为此使用 dokku-letsencrypt。但是,我收到以下错误:

CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5705758732
Challenge validation has failed, see error log.

错误提供的link包含这个:

DNS problem: SERVFAIL looking up A for gmail-bot.bloberenober.dev - the domain's nameservers may be malfunctioning

我在 unboundtest.com 上执行了查询,响应对我来说有点神秘,但这些是最后几行:

Jul 06 18:40:21 unbound[5640:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Jul 06 18:40:21 unbound[5640:0] info: Could not establish a chain of trust to keys for bloberenober.dev. DNSKEY IN
Jul 06 18:40:21 unbound[5640:0] info: 127.0.0.1 gmail-bot.bloberenober.dev. A IN SERVFAIL 6.743746 0 44

full report

我做了一些研究,发现 DNSKEY 记录是 DNSSEC 的一部分,显然现有域的 Route 53 不支持它:

Amazon Route 53 supports DNSSEC for domain registration. However, Route 53 does not support DNSSEC for DNS service, regardless of whether the domain is registered with Route 53. If you want to configure DNSSEC for a domain that is registered with Route 53, you must either use another DNS service provider or set up your own DNS server.

source

我也曾手动尝试 运行 certbot 并将 TXT 记录添加到我的托管区域,但收到类似的错误:

Failed authorization procedure. gmail-bot.bloberenober.dev (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.gmail-bot.bloberenober.dev - the domain's nameservers may be malfunctioning

有问题的域是 gmail-bot.bloberenober.dev

我做错了什么?我什至可以为这种情况颁发 Let's Encrypt 证书吗?

我通过将我的 DNS 服务提供商更改为 CloudFlare 而不是 Route 53 解决了这个问题。他们提供 DNSSEC 支持和开箱即用的通用 SSL 证书,这足以满足我的需求,所以最后我没有根本不需要颁发 Let's Encrypt 证书。