traefik dns01 challenge aws route53
I've been using the built-in Traefik Let's Encrypt certificate management for a long while. Recently I needed to switch a working setup to a different domain I own, but I could not get it to work. Same IAM credentials, correct IAM policy.
Example:

labels:
  - "traefik.enable=true"
  ### DNS CHALLENGE AWS Route53 *.domain1.com
  - "traefik.http.routers.domain1-com.tls.certresolver=le-aws"
  - "traefik.http.routers.domain1-com.tls.domains[0].main=*.domain1.com"
  - "traefik.http.routers.domain1-com.tls.domains[0].sans=domain1.com"
  ### DNS CHALLENGE AWS Route53 *.domain2.com
  #- "traefik.http.routers.domain2-com.tls.certresolver=le-aws"
  #- "traefik.http.routers.domain2-com.tls.domains[0].main=*.domain2.com"
  #- "traefik.http.routers.domain2-com.tls.domains[0].sans=domain2.com"
The error looked like this:
traefik | 2026-07-03T10:34:21-05:00 ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [prometheus-mgmt.domain1.com]: resolver: one or more domains had a problem: [prometheus-mgmt.domain1.com: dns01: error presenting token (prometheus-mgmt.domain1.com): route53: failed to determine hosted zone ID: could not find zone for FQDN \"_acme-challenge.prometheus-mgmt.domain1.com.\": [fqdn=_acme-challenge.prometheus-mgmt.domain1.com.] unexpected response for '_acme-challenge.prometheus-mgmt.domain1.com.' [question='_acme-challenge.prometheus-mgmt.domain1.com. IN SOA', code=SERVFAIL]]" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["prometheus-mgmt.domain1.com"] providerName=le-aws.acme routerName=prometheus-mgmt@docker rule=Host(`prometheus-mgmt.domain1.com`)
Adding resolvers to my certificatesResolvers resolved the issue:

dnsChallenge:
  provider: route53
  resolvers:
    - "1.1.1.1:53"
    - "8.8.8.8:53"
I actually wanted to manage two domains, but once I got it working by adding DNS servers and with only the one domain, I moved on for now. In future I would like to retry with more than one domain. I read that it may be tricky and that Traefik does not find the correct Route 53 zone ID, but I do think the above should work with two or more domains.
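To show what the resolvers setting changes, here is an added Python example (not Traefik's or lego's own code) that performs the same kind of zone-apex walk the route53 DNS-01 provider relies on: a SOA query over UDP against each listed resolver, stripping one label at a time until a SOA answer identifies the zone whose hosted zone ID must be found. The resolver address 192.0.2.53 and the fake_lookup stub are constructed so the walk runs offline; the real query_soa ignores CNAMEs and TCP fallback.

```python
import socket
import struct

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3  # DNS RCODEs (RFC 1035)

def build_soa_query(fqdn, txid=0x1234):
    """Minimal DNS packet: 12-byte header (RD=1, QDCOUNT=1) plus one 'fqdn IN SOA' question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in fqdn.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def parse_response(resp):
    """Return (rcode, ancount); a SOA in the answer section (ancount > 0) marks a zone apex."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return flags & 0x0F, ancount

def query_soa(name, resolver, timeout=2.0):
    """Send the SOA question over UDP to a resolver given as 'ip:port', e.g. '1.1.1.1:53'."""
    host, port = resolver.rsplit(":", 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(name), (host, int(port)))
        return parse_response(sock.recv(512))

def find_zone(fqdn, resolvers, lookup=query_soa):
    """Strip labels from the left until a resolver returns a SOA answer; that name is the apex.
    A SERVFAIL from one resolver moves on to the next one instead of failing the whole lookup."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        for resolver in resolvers:
            rcode, ancount = lookup(candidate, resolver)
            if rcode == SERVFAIL:
                continue  # this resolver cannot answer for the name; ask the next one
            if rcode == NOERROR and ancount > 0:
                return candidate
            break  # NOERROR without answer or NXDOMAIN: not an apex, strip one more label
        else:
            raise RuntimeError(f"could not find zone for FQDN {candidate!r}: SERVFAIL from all resolvers")
    raise RuntimeError(f"could not find zone for FQDN {fqdn!r}")

def fake_lookup(name, resolver):
    """Constructed stand-in for query_soa: 192.0.2.53 always SERVFAILs (the symptom in the log
    above), any other resolver knows domain1.com as an apex."""
    if resolver == "192.0.2.53:53":
        return SERVFAIL, 0
    return (NOERROR, 1) if name == "domain1.com." else (NOERROR, 0)

if __name__ == "__main__":
    print(find_zone("_acme-challenge.prometheus-mgmt.domain1.com.", ["192.0.2.53:53", "1.1.1.1:53"], lookup=fake_lookup))
```

Replace fake_lookup with the default query_soa to check a real name against the resolvers from your dnsChallenge block; a SERVFAIL from every resolver reproduces the "could not find zone for FQDN" error above.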