Strange problem with Certify the Web and AWS Route53

We are evaluating Certify the Web on several dev machines in AWS. One particular machine suddenly failed to renew its certificate a while back. While investigating the issue we found that we’re receiving the following error:

“[ERR] DNS update failed: Amazon Route 53 DNS API :: DNS Zone match could not be determined.”

Attempting to test the renewal fails with the same error. Attempting to test the credentials in use did not generate an error, but also did not indicate success. We have verified that all servers are using the same IAM user with the same Access Key ID and same Secret Access Key, and all servers are in the same security groups with the same access to the internet. Testing renewal and credentials on other servers works as expected.

We removed the software from the machine completely, including removing the Certify folder from C:\ProgramData and purging all mentions of Certify the Web from the registry. We then rebooted the machine and reinstalled the software. Upon configuration we get exactly the same error. The only difference is that now when we try to test the credentials in use we receive the response “Test completed, but no zones returned.” Clicking the ellipsis does not update the (Select Zone) list. I manually entered the DNS Zone ID with the information from one of the working servers (and confirmed it was identical to the Zone ID that had been previously configured on the broken server).

Searching the web for either of the errors mentioned previously has so far been unfruitful. Anybody have any ideas?

Hi, can you please check you are on the latest version of the app and double check the Zone ID for the Authorization configuration. If the problem persists can you please email support at certifytheweb.com with the log file for your managed certificate? This will help us diagnose the issue further.

Same problem here. We use the same credentials as in another install. Some testing shows that, no matter what you enter in API key and secret, you always get back “Test completed, but no zones returned.”

Thanks, there are no other reported issues with the AWS provider but I’ll test from our side as well. The “No Zones Returned” message indicates either a problem talking to the AWS API (a timeout etc) or that the credentials used have no permissions to list any zones.

Do other https connections from a browser on that machine work ok and there are no proxies in use for the internet connection?

OK, I think our credentials were wrong, but what threw us was that the test button in the credentials area told us “credentials ok, just a minor problem getting domains”. We afterwards tested with literally key: 1/secret: 2 - same message.

I agree this could/should be improved, it’s a design thing with our DNS providers where test doesn’t throw exceptions, it just returns zones or it doesn’t. Not all/many providers are testable which is why I think this has been de-prioritised. We may eventually remove the Test option under credentials, which would mean you could only test directly in your managed certificate with the Test option that’s there (that actually creates a dummy TXT record in your DNS, instead of just querying zones, so it’s a more complete test).
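
The distinction this thread turns on, as an added example that is not Certify the Web's code: a credential test that reports rejected keys, missing list permission, an unreachable API and a genuinely empty zone list as separate outcomes instead of one "no zones returned". The function names, the stub classes and the longest-suffix zone matching rule are assumptions made for illustration; `client` is anything shaped like `boto3.client("route53")`.

```python
# Added example (hypothetical names). Error codes are AWS service error codes.
AUTH_CODES = {"InvalidClientTokenId", "SignatureDoesNotMatch"}
DENIED_CODES = {"AccessDenied"}


def check_credentials(client):
    """Return (status, zones) instead of collapsing every failure to []."""
    try:
        # First page only; a real check would follow pagination.
        zones = client.list_hosted_zones().get("HostedZones", [])
    except Exception as exc:
        # botocore's ClientError carries the service error in exc.response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        if code in AUTH_CODES:
            return "invalid_credentials", []
        if code in DENIED_CODES:
            return "not_authorized_to_list_zones", []
        return "api_unreachable_or_other_error", []
    return ("ok" if zones else "ok_but_no_zones"), zones


def match_zone(record_name, zones):
    """Assumed rule: pick the hosted zone with the longest matching suffix."""
    name = record_name.rstrip(".").lower()
    best, best_len = None, -1
    for zone in zones:
        zname = zone["Name"].rstrip(".").lower()
        if (name == zname or name.endswith("." + zname)) and len(zname) > best_len:
            best, best_len = zone, len(zname)
    return best  # None when no zone matches, e.g. when the zone list is empty


class StubError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class StubClient:
    """Constructed stand-in for a Route 53 client so the example runs offline."""
    def __init__(self, zones=None, error=None):
        self.zones, self.error = zones or [], error

    def list_hosted_zones(self):
        if self.error:
            raise self.error
        return {"HostedZones": self.zones}


if __name__ == "__main__":
    for code in ("InvalidClientTokenId", "AccessDenied"):
        print(code, "->", check_credentials(StubClient(error=StubError(code)))[0])
    print("no zones ->", check_credentials(StubClient())[0])
```
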