Route53 wildcard not working

Hello Guys, how are you?

We are facing a problem with Caddy Wildcard.

Our scenario is having a wildcard configuration to prevent the generation of certs to the domain that we have control.

  • We installed the module: Route53 because our domains are hosted on AWS (Downloaded from:

In order to install the module I executed the following commands:
sudo wget -O /usr/bin/caddy “

caddy list-modules
sudo systemctl start caddy
sudo systemctl status caddy

After that, I edited the Caddyfile inserting the code:

* {
	tls {
		dns route53 {
			max_retries 10
	reverse_proxy {

Then we reload the service (or even reboot the machine) and now we receive the following error message after sudo systemctl status caddy:

Jul 19 20:49:29 caddy[1827]: {"level":"error","ts":1658263769.5214586,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*","issuer":"","error":"[*] solving challenges: presenting for challenge: adding temporary record for zone operation error Route 53: ListHostedZonesByName, failed to sign request: failed to retrieve credentials: static credentials are empty (order= (ca="}

I have no idea what else to do, and what we need is to generate wildcard certificates for 5 domains.

Ps. Our IAM on AWS is working fine and has Full Control on Route53.

Can you guys help us?

OS: Ubuntu 22.04 LTS
Caddy Version: v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs= Wildcard not working

Are you sure you set up the AWS credentials on your server, as explained by the route53 plugin README?

You might want to ask for help on that plugin’s github issues. I don’t use route53 so I’m not sure I can do much to help. The error is coming from the plugin.

Edit: Looks like you already got helped on github:

1 Like

Hello Francis, how are you?
Thanks for replying. I solved the issue yesterday, but I think worth commenting here to help the community.

  1. The AWS Credentials were setup, as explained at the route53 module BUT it had a bug and the author corrected it yesterday.

  2. One tip: Even adding the AWS Credentials I noticed that the best option is include the IAM Key inside the caddyfile. Reason: sometimes works, sometimes dont work. With the IAM inside the caddyfile always works.

I mean, the documentation says it is optional but I dont think so.

tls {
  dns route53 {
    max_retries 10 // optional
    aws_profile "real-profile" // optional
    access_key_id "AKI..." // optional (Even its optional, use it!)
    secret_access_key "wJa..." // optional (Even its optional, use it!)
    token "TOKEN..." // optional
    region "us-east-1" // optional
  1. The Wildcard process is not that fast at AWS, so wait at least 4 or 5 minutes after boot the server, it will generate the wildcard domain, but it take some time.

Caddy works very well in our scenario… so far, so good!


1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.