

# Troubleshoot common Lightsail resource issues
<a name="troubleshooting"></a>

This section covers troubleshooting topics for the following Amazon Lightsail resources. Follow the step-by-step instructions and guidance to diagnose and resolve common problems you might encounter while working with Lightsail instances, databases, networking, load balancers, and other resources.

The troubleshooting topics cover a wide range of scenarios, including WordPress configuration failures, IAM permission issues, disk errors, connectivity problems, service unavailability, IPv6 connectivity, instance capacity limitations, load balancer errors, notification delivery failures, and SSL/TLS certificate issues. By following this guide, you can effectively troubleshoot and resolve various issues related to your Lightsail resources, ensuring smooth operation and optimal performance of your applications and workloads.

**Topics**
+ [Troubleshoot WordPress setup issues on Lightsail instances](amazon-lightsail-troubleshooting-wp-setup.md)
+ [Resolve 403 (unauthorized) errors in the Lightsail console](create-policy-that-grants-access-to-amazon-lightsail.md)
+ [Resolve Lightsail disk attachment and usage issues](troubleshooting-block-storage-disk-issues.md)
+ [Resolve connection errors with Lightsail browser-based SSH and RDP clients](amazon-lightsail-troubleshooting-browser-based-ssh-rdp-client-connection.md)
+ [Troubleshoot Ghost instance 503 service unavailable error on Lightsail](troubleshoot-ghost-instance-service-unavailable.md)
+ [Troubleshoot Identity and Access Management (IAM) in Lightsail](security_iam_troubleshoot.md)
+ [Verify IPv6 reachability for Lightsail instances](amazon-lightsail-ipv6-reachability.md)
+ [Resolve insufficient instance capacity errors in Lightsail](amazon-lightsail-instance-capacity.md)
+ [Troubleshoot Lightsail load balancer issues](troubleshooting-lightsail-load-balancer-issues.md)
+ [Troubleshoot notification delivery in Lightsail](amazon-lightsail-troubleshooting-notifications.md)
+ [Troubleshoot SSL/TLS certificates in Lightsail](troubleshooting-tls-ssl-certificate-issues.md)

# Troubleshoot WordPress setup issues on Lightsail instances
<a name="amazon-lightsail-troubleshooting-wp-setup"></a>

Two types of error messages can appear during the WordPress setup workflow in Amazon Lightsail: 

**Common errors**  
These types of errors occur immediately after you choose **Create certificate** in the final step of the workflow. These errors will appear in a banner at the top of the Lightsail console. They're typically caused by running the setup workflow on older WordPress instances, or by submitting incorrect information, such as selecting a DNS record that doesn't point to the public IP address of your instance.

**Setup failures**  
These types of errors occur within a few minutes after you complete the final step in the workflow. These failure messages will appear in the **Set up your WordPress website** section of the instance **Connect** tab. These errors happen when the Let's Encrypt HTTPS certificate cannot be configured on your instance.

Use the information in the following topics to help you diagnose and fix any errors that you might encounter with the WordPress setup guided workflow.

**Topics**
+ [Common errors](wp-setup-common-errors.md)
+ [Setup failures](wordpress-setup-failures.md)

For more information about the WordPress setup guided workflow in Amazon Lightsail, see [Configure your WordPress instance](amazon-lightsail-tutorial-launching-and-configuring-wordpress.md#set-up-wordpress-instance-website).

# Resolve WordPress setup errors on Lightsail
<a name="wp-setup-common-errors"></a>

An error message will appear at the top of the Lightsail console if there's an issue with the information that was submitted during the workflow.

The first line of the message informs you that setup has encountered an error:

Could not complete setup on your instance *InstanceName* in the *InstanceRegion* Region.

The second line contains the error that setup encountered:

An error occurred and we were unable to connect or stay connected to your instance

![\[WordPress setup failure message in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/wp-setup-error-message.png)


To begin troubleshooting, match the error that appeared in the message with one of the following errors.

**Topics**
+ [DNS records not found. Confirm that the domain's DNS records point to the public IP address of your instance, and allow time for DNS changes to propagate.](#dns-not-found)
+ [DNS records do not match. Confirm that the domain's DNS records point to the public IP address of your instance, and allow time for DNS changes to propagate.](#dns-mismatch-error)
+ [Unable to connect to your instance. Allow a few minutes for the SSH connection to become ready. Then, start setup again.](#unable-to-connect)
+ [Unsupported WordPress version. Setup only supports WordPress versions 6, and up.](#unsupported-wp-version)
+ [Setup only supports WordPress instances that were created on or after January 1, 2023.](#instance-create-date-error)
+ [Instance firewall ports 22, 80, and 443 must allow a TCP connection from any IP address during the setup workflow. You can change these settings from the instance Networking tab.](#firewall-ports-error)

## DNS records not found. Confirm that the domain's DNS records point to the public IP address of your instance, and allow time for DNS changes to propagate.
<a name="dns-not-found"></a>

**Reason**  
This error is caused by misconfigured DNS records, or DNS records that have not had sufficient time to propagate throughout the Internet's DNS.

**Fix**  
Confirm that the **A** or **AAAA** DNS records are present in the DNS zone, and that they point to the public IP address of your instance. For more information, see [DNS in Lightsail](understanding-dns-in-amazon-lightsail.md).  
When you add or update DNS records that point traffic from your apex domain (`example.com`) and its `www` subdomains (`www.example.com`), they will need to propagate throughout the Internet's DNS. You can verify that your DNS changes have taken effect by using tools such as [nslookup](https://aws.amazon.com/blogs//messaging-and-targeting/how-to-check-your-domain-verification-settings/), or [DNS Lookup](https://mxtoolbox.com/DnsLookup.aspx) from *MxToolbox*.  
Allow time for any DNS record changes to propagate through the internet's DNS, which may take several hours.

## DNS records do not match. Confirm that the domain's DNS records point to the public IP address of your instance, and allow time for DNS changes to propagate.
<a name="dns-mismatch-error"></a>

**Reason**  
The **A** or **AAAA** DNS records do not point to the public IP address of the instance.

**Fix**  
Confirm that the **A** or **AAAA** DNS records are present in the DNS zone, and that they point to the public IP address of your instance. For more information, see [DNS in Lightsail](understanding-dns-in-amazon-lightsail.md).  
Allow time for any DNS record changes to propagate through the internet's DNS, which may take several hours.
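
The DNS check behind the two errors above can be scripted. The following is an added example, not part of the original guide or of Lightsail itself: it reports `not-found` when a name has no **A** or **AAAA** record and `mismatch` when any published address differs from the instance's public IP. The function names, the use of `dig`, and the sample invocation are assumptions.

```sh
#!/bin/sh
# Added example (not Lightsail tooling): classify a name's DNS state as
# ok / not-found / mismatch, mirroring the two setup errors described above.

# resolve NAME TYPE -> one address per line. Using dig here is an assumption;
# any resolver front end that prints bare addresses can be substituted.
resolve() {
    # "dig +short" also prints CNAME targets (they end in "."); drop them.
    dig +short "$1" "$2" 2>/dev/null | grep -v '\.$' || true
}

# check_name NAME INSTANCE_IPV4 [INSTANCE_IPV6]
# Prints exactly one word: ok, not-found or mismatch.
# IPv6 addresses are compared as lowercase text, so pass the instance address
# in the compressed form that dig prints (for example 2001:db8::1).
check_name() (
    name=$1
    want4=$2
    want6=$(printf '%s' "${3:-}" | tr 'A-F' 'a-f')
    got4=$(resolve "$name" A)
    got6=$(resolve "$name" AAAA | tr 'A-F' 'a-f')

    # No A and no AAAA record at all: "DNS records not found".
    if [ -z "$got4" ] && [ -z "$got6" ]; then
        echo not-found
        exit 0
    fi
    # Every published address must be the instance's own. One stray record,
    # including a stale AAAA next to a correct A, is "DNS records do not match".
    for addr in $got4; do
        [ "$addr" = "$want4" ] || { echo mismatch; exit 0; }
    done
    for addr in $got6; do
        [ "$addr" = "$want6" ] || { echo mismatch; exit 0; }
    done
    echo ok
)

# check_domain DOMAIN INSTANCE_IPV4 [INSTANCE_IPV6]
# Checks the apex domain and its www subdomain; returns non-zero unless both are ok.
check_domain() (
    rc=0
    for name in "$1" "www.$1"; do
        state=$(check_name "$name" "$2" "${3:-}")
        echo "$name: $state"
        [ "$state" = ok ] || rc=1
    done
    exit "$rc"
)

# Run as a script:  sh check-dns.sh example.com 192.0.2.10 [2001:db8::1]
if [ "$#" -ge 2 ]; then
    check_domain "$@"
fi
```

A `not-found` result shortly after a record change usually means the change has not propagated yet; a `mismatch` result means a record needs to be corrected in the DNS zone.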

## Unable to connect to your instance. Allow a few minutes for the SSH connection to become ready. Then, start setup again.
<a name="unable-to-connect"></a>

**Reason**  
The instance was just created or rebooted, and the SSH connection is not ready.

**Fix**  
Allow a few minutes for the SSH connection to become ready. Then, retry the guided workflow. For more information, see [Troubleshooting SSH in Lightsail](amazon-lightsail-troubleshooting-browser-based-ssh-rdp-client-connection.md).

## Unsupported WordPress version. Setup only supports WordPress versions 6, and up.
<a name="unsupported-wp-version"></a>

**Reason**  
The version of WordPress that’s installed on the instance is older than WordPress version 6. Older WordPress versions contain incompatible software and dependencies that prevent the HTTPS certificate from being generated.

**Fix**  
Create a new WordPress instance from the Lightsail console. Then, migrate the WordPress website from the older instance to the new one. For more information, see [Migrate an existing WordPress blog](migrate-your-wordpress-blog-to-amazon-lightsail.md).  
If you’re creating a new instance to replace the existing instance, make sure to update your application dependencies to your new instance.

## Setup only supports WordPress instances that were created on or after January 1, 2023.
<a name="instance-create-date-error"></a>

**Reason**  
The instance that is being used with setup might contain outdated software. Older software will prevent the HTTPS certificate from being generated.

**Fix**  
Create a new WordPress instance from the Lightsail console. Then, migrate the WordPress website from the older instance to the new one. For more information, see [Migrate an existing WordPress blog](migrate-your-wordpress-blog-to-amazon-lightsail.md).  
If you’re creating a new instance to replace the existing instance, make sure to update your application dependencies to your new instance.

## Instance firewall ports 22, 80, and 443 must allow a TCP connection from any IP address during the setup workflow. You can change these settings from the instance Networking tab.
<a name="firewall-ports-error"></a>

**Reason**  
Instance firewall ports 22, 80, and 443 must allow TCP connections from any IP address while setup is running. This error is generated when one or more of these ports are closed. For more information, see [Instance firewalls](understanding-firewall-and-port-mappings-in-amazon-lightsail.md).

**Fix**  
Add or edit the instance’s IPv4 and IPv6 firewall rules to allow TCP connections over ports 22, 80, and 443. For more information, see [Add and edit instance firewall rules](amazon-lightsail-editing-firewall-rules.md). 

# Troubleshooting WordPress setup failures in Lightsail
<a name="wordpress-setup-failures"></a>

The following information can help you troubleshoot failure messages that can appear in the **Set up your WordPress website** section of the instance **Connect** tab. Setup failures can occur within a few minutes after you complete the final step in the workflow. They're caused when the Let's Encrypt HTTPS certificate cannot be configured on your instance.

Failed to complete setup – Review the following status messages, and restart setup to update your configuration. Download the error log for more details.

![\[WordPress setup failure message in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/wp-setup-failure-message.png)


From the failure message, choose the **Download the error log** link to download and view the error logs that setup generated. To begin troubleshooting, match the error message from the logs with one of the following errors.

------
#### [ Bitnami ]

## Certbot.errors.AuthorizationError: Some challenges have failed
<a name="certbot-authorization-error"></a>

**Reason**  
This error is caused by misconfigured DNS records, or DNS records that have not had sufficient time to propagate throughout the Internet.

**Fix**  
Verify that the **A** or **AAAA** DNS records are present in the DNS zone, and that they point to the public IP address of your instance. For more information, see [DNS in Lightsail](understanding-dns-in-amazon-lightsail.md).  
When you add or update DNS records that point traffic from your apex domain (`example.com`) and its `www` subdomains (`www.example.com`), they will need to propagate throughout the Internet. You can verify that your DNS changes have taken effect by using tools such as [nslookup](https://aws.amazon.com/blogs//messaging-and-targeting/how-to-check-your-domain-verification-settings/), or [DNS Lookup](https://mxtoolbox.com/DnsLookup.aspx) from *MxToolbox*.  
Allow time for any DNS record changes to propagate through the internet's DNS, which may take several hours.

## Certbot failed to authenticate some domains
<a name="domain-authentication-failed"></a>

**Reason**  
This error can surface if another process is using port 80 while the HTTPS certificate is being configured on the instance.

**Fix**  
Restart your WordPress instance. Then, run the guided workflow again. If restarting doesn’t resolve the issue, use the following procedure to terminate any processes on the instance that are using port 80.

**Procedure**

1. Connect to your instance by using the Lightsail [browser-based SSH client](lightsail-how-to-connect-to-your-instance-virtual-private-server.md), or by using [AWS CloudShell](amazon-lightsail-cloudshell.md). 

1. Stop the Bitnami process that's running on the instance:

   ```
   $ sudo /opt/bitnami/ctlscript.sh stop
   ```

   Verify that the Bitnami process is stopped:

   ```
   $ sudo /opt/bitnami/ctlscript.sh status
   ```

1. Check if there are other processes that are using port 80:

   ```
   $ fuser -n tcp 80
   ```

1. Terminate any processes that are not needed by another application:

   ```
   $ fuser -k -n tcp 80
   ```

1. Restart WordPress setup.

## The repository http://cdn-aws.deb.debian.org/debian buster-backports no longer has a Release file
<a name="deprecated-debian-repo"></a>

**Reason**  
There is a deprecated Debian repository on your instance that cannot be updated.

**Fix**  
Use the following procedure to edit the repository URL that's listed in the Debian repository file.

**Procedure**

1. Connect to your instance by using the Lightsail [browser-based SSH client](lightsail-how-to-connect-to-your-instance-virtual-private-server.md), or by using [AWS CloudShell](amazon-lightsail-cloudshell.md). 

1. Navigate to the `/etc/apt/sources.list.d/` directory.

   ```
   $ cd /etc/apt/sources.list.d/
   ```

1. Use a text editor of your choice to open the `buster-backports.list` file. If the file isn't found in this directory, you can also check in `/etc/apt/sources.list`. The preinstalled Vim text editor is used in the example command. For more information, see the [Vim documentation](https://www.vim.org/docs.php).

   ```
   $ vim buster-backports.list
   ```

1. Locate any line that contains the following text: `http://deb.debian.org/debian buster-backports main`.

   Replace `deb.debian.org` with `archive.debian.org`. For example, `http://deb.debian.org/debian buster-backports main contrib non-free` would become `http://archive.debian.org/debian buster-backports main contrib non-free`.

1. Save and close the file.

1. Restart WordPress setup.

## The repository http://ppa.launchpad.net/certbot/certbot/ubuntu lunar Release does not have a Release file
<a name="deprecated-ppa-repo-error"></a>

**Reason**  
There is a deprecated Certbot Personal Package Archive (PPA) repository on your instance that cannot be updated.

**Fix**  
Use the following procedure to manually remove the deprecated PPA repository from your instance.

**Procedure**

1. Connect to your instance by using the Lightsail [browser-based SSH client](lightsail-how-to-connect-to-your-instance-virtual-private-server.md), or by using [AWS CloudShell](amazon-lightsail-cloudshell.md). 

1. Navigate to the `/etc/apt/sources.list.d/` directory.

   ```
   $ cd /etc/apt/sources.list.d/
   ```

1. Use a text editor of your choice to open the `certbot-ubuntu-certbot-version.list` file. The preinstalled Vim text editor is used in the example command. For more information, see the [Vim documentation](https://www.vim.org/docs.php).

   In the command, replace **version** with the version of Ubuntu that the repository is incompatible with; this will be the same version that shows up in the error message. For example, **lunar** or **mantic**.

   ```
   $ vim certbot-ubuntu-certbot-version.list
   ```

1. Remove any line that contains the following text: `http://ppa.launchpad.net/certbot/certbot/ubuntu`.

1. Save and close the file.

1. Restart WordPress setup.

## Too many certificates (5) already issued for this exact set of domains in the last 168 hours
<a name="too-many-certificates"></a>

**Reason**  
One or more of your domains or subdomains has already been used to create 5 certificates within the last week. For more information, see [Rate Limits](https://letsencrypt.org/docs/rate-limits/) on the *Let’s Encrypt website*.

**Fix**  
Wait one week (168 hours), and then restart the guided workflow for this domain.

## Too many failed authorizations
<a name="too-many-failed-authorizations"></a>

**Reason**  
One or more of the domains or subdomains in the request has exceeded the limit of five validations per hour. For more information, see [Rate Limits](https://letsencrypt.org/docs/rate-limits/) on the *Let’s Encrypt website*. 

**Fix**  
Wait one hour and run WordPress setup again. Verify that other validation errors have been fixed before you restart setup.

------
#### [ Lightsail ]

## Certbot.errors.AuthorizationError: Some challenges have failed
<a name="certbot-authorization-error"></a>

**Reason**  
This error is caused by misconfigured DNS records, or DNS records that have not had sufficient time to propagate throughout the Internet.

**Fix**  
Verify that the **A** or **AAAA** DNS records are present in the DNS zone, and that they point to the public IP address of your instance. For more information, see [DNS in Lightsail](understanding-dns-in-amazon-lightsail.md).  
When you add or update DNS records that point traffic from your apex domain (`example.com`) and its `www` subdomains (`www.example.com`), they will need to propagate throughout the Internet. You can verify that your DNS changes have taken effect by using tools such as [nslookup](https://aws.amazon.com/blogs//messaging-and-targeting/how-to-check-your-domain-verification-settings/), or [DNS Lookup](https://mxtoolbox.com/DnsLookup.aspx) from *MxToolbox*.  
Allow time for any DNS record changes to propagate through the internet's DNS, which may take several hours.

## Certbot failed to authenticate some domains
<a name="domain-authentication-failed"></a>

**Reason**  
This error can surface if another process is using port 80 while the HTTPS certificate is being configured on the instance.

**Fix**  
Restart your WordPress instance. Then, run the guided workflow again. If restarting doesn't resolve the issue, use the following procedure to terminate any processes on the instance that are using port 80.

**Procedure**

1. Connect to your instance by using the Lightsail [browser-based SSH client](lightsail-how-to-connect-to-your-instance-virtual-private-server.md), or by using [AWS CloudShell](amazon-lightsail-cloudshell.md). 

1. Stop the Apache service that's running on the instance:

   ```
   $ sudo systemctl stop apache2
   ```

   Verify that the Apache service is stopped:

   ```
   $ sudo systemctl status apache2
   ```

1. Check if there are other processes that are using port 80:

   ```
   $ fuser -n tcp 80
   ```

1. Terminate any processes that are not needed by another application:

   ```
   $ fuser -k -n tcp 80
   ```

1. Restart WordPress setup.

## The repository http://cdn-aws.deb.debian.org/debian buster-backports no longer has a Release file
<a name="deprecated-debian-repo"></a>

**Reason**  
There is a deprecated Debian repository on your instance that cannot be updated.

**Fix**  
Use the following procedure to edit the repository URL that's listed in the Debian repository file.

**Procedure**

1. Connect to your instance by using the Lightsail [browser-based SSH client](lightsail-how-to-connect-to-your-instance-virtual-private-server.md), or by using [AWS CloudShell](amazon-lightsail-cloudshell.md). 

1. Navigate to the `/etc/apt/sources.list.d/` directory.

   ```
   $ cd /etc/apt/sources.list.d/
   ```

1. Use a text editor of your choice to open the `buster-backports.list` file. If the file isn't found in this directory, you can also check in `/etc/apt/sources.list`. The preinstalled Vim text editor is used in the example command. For more information, see the [Vim documentation](https://www.vim.org/docs.php).

   ```
   $ vim buster-backports.list
   ```

1. Locate any line that contains the following text: `http://deb.debian.org/debian buster-backports main`.

   Replace `deb.debian.org` with `archive.debian.org`. For example, `http://deb.debian.org/debian buster-backports main contrib non-free` would become `http://archive.debian.org/debian buster-backports main contrib non-free`.

1. Save and close the file.

1. Restart WordPress setup.

## The repository http://ppa.launchpad.net/certbot/certbot/ubuntu lunar Release does not have a Release file
<a name="deprecated-ppa-repo-error"></a>

**Reason**  
There is a deprecated Certbot Personal Package Archive (PPA) repository on your instance that cannot be updated.

**Fix**  
Use the following procedure to manually remove the deprecated PPA repository from your instance.

**Procedure**

1. Connect to your instance by using the Lightsail [browser-based SSH client](lightsail-how-to-connect-to-your-instance-virtual-private-server.md), or by using [AWS CloudShell](amazon-lightsail-cloudshell.md). 

1. Navigate to the `/etc/apt/sources.list.d/` directory.

   ```
   $ cd /etc/apt/sources.list.d/
   ```

1. Use a text editor of your choice to open the `certbot-ubuntu-certbot-version.list` file. The preinstalled Vim text editor is used in the example command. For more information, see the [Vim documentation](https://www.vim.org/docs.php).

   In the command, replace **version** with the version of Ubuntu that the repository is incompatible with; this will be the same version that shows up in the error message. For example, **lunar** or **mantic**.

   ```
   $ vim certbot-ubuntu-certbot-version.list
   ```

1. Remove any line that contains the following text: `http://ppa.launchpad.net/certbot/certbot/ubuntu`.

1. Save and close the file.

1. Restart WordPress setup.
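
The two manual edits above (the `buster-backports` URL change and the Certbot PPA removal) can also be applied with a script. The following is an added example, not part of the original guide: the `fix_apt_sources` function name, the script name, and the `.bak` backup suffix are assumptions, and the script changes only the exact strings named in the two procedures.

```sh
#!/bin/sh
# Added example (not Lightsail tooling): apply the two repository edits
# described above to one or more APT source files.

# Exact strings from the procedures, written as extended regular expressions.
PPA='http://ppa\.launchpad\.net/certbot/certbot/ubuntu'
OLD='http://deb\.debian\.org/debian/? +buster-backports'

# fix_apt_sources FILE...
# For every file that contains one of the two strings:
#   - keep the original as FILE.bak
#   - delete any line that references the deprecated Certbot PPA
#   - on buster-backports lines, replace deb.debian.org with archive.debian.org
# Other lines, other suites and other mirror host names are left untouched.
# Prints the number of files that were rewritten.
fix_apt_sources() (
    changed=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eq "$PPA|$OLD" "$f"; then
            cp -p "$f" "$f.bak"
            # Writing back into the existing file keeps its owner and mode.
            sed -E \
                -e "\\#$PPA#d" \
                -e "\\#$OLD#s#//deb\\.debian\\.org/#//archive.debian.org/#" \
                "$f.bak" > "$f"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
)

# Run as a script on the instance:
#   sudo sh fix-apt-sources.sh /etc/apt/sources.list /etc/apt/sources.list.d/*.list
if [ "$#" -gt 0 ]; then
    fix_apt_sources "$@"
fi
```

Compare each rewritten file with its `.bak` copy (for example with `diff`) before you restart WordPress setup.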

## Too many certificates (5) already issued for this exact set of domains in the last 168 hours
<a name="too-many-certificates"></a>

**Reason**  
One or more of your domains or subdomains has already been used to create 5 certificates within the last week. For more information, see [Rate Limits](https://letsencrypt.org/docs/rate-limits/) on the *Let's Encrypt website*.

**Fix**  
Wait one week (168 hours), and then restart the guided workflow for this domain.

## Too many failed authorizations
<a name="too-many-failed-authorizations"></a>

**Reason**  
One or more of the domains or subdomains in the request has exceeded the limit of five validations per hour. For more information, see [Rate Limits](https://letsencrypt.org/docs/rate-limits/) on the *Let's Encrypt website*. 

**Fix**  
Wait one hour and run WordPress setup again. Verify that other validation errors have been fixed before you restart setup.

------

# Resolve 403 (unauthorized) errors in the Lightsail console
<a name="create-policy-that-grants-access-to-amazon-lightsail"></a>

If you get a 403 error when trying to access the [Lightsail console](https://lightsail.aws.amazon.com/), don’t panic. Try these steps to troubleshoot the problem:
+ If your AWS account or your AWS Identity and Access Management (IAM) user was recently created, wait a few minutes, and then refresh your browser.
+ If it’s been a while since you last signed in, refresh your browser. If you're prompted to sign in again, be sure to use an IAM user that has access to Lightsail.
+ If your IAM user doesn’t have access to Lightsail, then contact the [AWS account root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html) or an IAM user with administrator access to request access to Lightsail. To learn more, see [Manage access to Amazon Lightsail for an IAM user](amazon-lightsail-managing-access-for-an-iam-user.md).
+ If you continue to get the 403 error after trying the above steps, contact [AWS Support](https://console.aws.amazon.com/support/home#/). In some rare cases for AWS accounts created before 2011, support will have to manually subscribe your account to Lightsail.

# Resolve Lightsail disk attachment and usage issues
<a name="troubleshooting-block-storage-disk-issues"></a>

You might encounter errors with your block storage disks in Lightsail. This topic identifies common issues and workarounds for those errors.

## General disk errors
<a name="general-disk-errors"></a>

Choose the issue below that best describes your problem, and follow the links to fix the issue. If you encounter an issue that's not in the list, use the **Questions? Comments?** link at the bottom of this page to submit feedback or contact [AWS Support](https://aws.amazon.com/premiumsupport/).

**I can't delete a disk because it's still attached to an instance.**  
Try detaching the disk from your instance first, and then try to delete the disk. For more information, see [Detach and delete a block storage disk](detach-and-delete-block-storage-disks.md).  
 *Actual error message:* **You can't perform this operation because the disk is still attached to a Lightsail instance: *YOUR\_INSTANCE*** 

**My disk has a status of error.**  
 The **error** status indicates that the underlying hardware related to your Lightsail disk has failed. You can restore the disk from a recent snapshot; otherwise, the data associated with the disk is unrecoverable. For more information, see [Create a block storage disk from a snapshot](create-new-block-storage-disk-from-snapshot.md).  
You are not billed for disks with a status of **error**. 

**I can't detach a disk because the Lightsail instance is still running.**  
Try stopping your instance first, and then try to detach the disk. For more information, see [Stop an instance](lightsail-how-to-start-stop-or-restart-your-instance-virtual-private-server.md).  
 *Actual error message:* **You can't detach this disk right now. The state of this disk is: *DISK\_STATE*** 

**I can't specify a custom disk size above 16 TB (16,384 GB).**  
Try creating a smaller disk. Additional disks can be up to 16 TB. If your disk is less than 16 TB and you still can't create it, you might encounter the next error in the list (too many big disks). That's because you can't have more than 20 TB in additional disk storage across your AWS account. For more information, see [Block storage disks](elastic-block-storage-and-ssd-disks-in-amazon-lightsail.md).  
 *Actual error message:* **The size of a block storage disk must be between 8 and 16384 GB.** 

**I can't create any more disks in Lightsail.**  
You might have reached your quota for the number of disks you can create. Or you might have created too many big disks (the total size of disk storage can't exceed 20 TB) in your AWS account. For more information, see [Block storage disks](elastic-block-storage-and-ssd-disks-in-amazon-lightsail.md).  
 *Actual error message:* **You've reached the maximum size limit of all disks in this account.** or **You've reached the limit of disks in this account.**

**I can't attach my disk to my Lightsail instance**  
If you encounter the following error, you need to recreate your disk in the same AWS Region and Availability Zone as the instance where you plan to attach the disk.  

![\[Block storage disk can't be attached because it's in the wrong Availability Zone\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/block-storage-disk-in-different-zone-than-lightsail-instance.png)

 *Actual error message:* **There are currently no instances in the *AWS Region* that can use this disk.** 

# Resolve connection errors with Lightsail browser-based SSH and RDP clients
<a name="amazon-lightsail-troubleshooting-browser-based-ssh-rdp-client-connection"></a>

You might get an error message when trying to connect to an instance using the browser-based SSH or RDP clients available in the Amazon Lightsail console. The possible reasons for this error are discussed in the following sections.

## Error message: Can’t connect
<a name="error-cant-connect-reset-record"></a>

The SSH and RDP browser-based clients use host key or certificate validation to authenticate an instance when trying to connect to it. If the instance presents a host key or certificate that doesn’t match the one that Lightsail has on record, one of two error messages displays. Both error messages are shown and described in this section.

**Can’t connect, reset record**

The following error message displays when there’s a host key or certificate mismatch, and Lightsail determines that the mismatch might have been caused by a recent operating system upgrade, or a deliberate update to the host key or certificate by you or another user. In this case, Lightsail has determined that the host key or certificate mismatch was not caused by a bad actor on the network between your browser and the instance.

![\[Host key or certificate mismatch error for the Lightsail browser-based SSH or RDP client.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-browser-ssh-rdp-cant-connect-resest-record.png)


Choose **Reset record** if you expected the mismatch. This action deletes the host key or certificate that Lightsail has on record for the instance, and permits the browser-based SSH or RDP session to connect to the instance.

You can also delete the host key or certificate that Lightsail has on record by using the following AWS Command Line Interface (AWS CLI) command. For *InstanceName*, enter the name of your instance for which you want to delete the known host key or certificate. For *Region*, enter the AWS Region of the instance.

```
aws lightsail delete-known-host-keys --region Region --instance-name InstanceName
```

Example:

```
aws lightsail delete-known-host-keys --region us-west-2 --instance-name WordPress-512MB-Oregon-1
```

**Note**  
For more information about the AWS CLI, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).

**Can’t connect, contact customer support**

The following error message displays when there’s a host key or certificate mismatch, and Lightsail determines that there is suspicious activity that warrants further investigation, such as a man-in-the-middle attack.

![\[Host key or certificate mismatch error for the Lightsail browser-based SSH or RDP client.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-browser-ssh-rdp-cant-connect.png)


This error message means that you can’t connect to the instance using the browser-based SSH or RDP client. [Contact support](https://console.aws.amazon.com/support/home#/) for assistance.

## Error message: Can’t connect right now
<a name="error-cant-connect-right-now"></a>

The following error message displays when you try to connect to an instance that hasn’t yet started after it’s created, rebooted, or restarted. Wait a few minutes and then choose **Reconnect** to try again.

![\[Instance unavailable when trying to connect using the Lightsail browser-based SSH or RDP client.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-browser-ssh-rdp-cant-connect-right-now.png)


If you still can’t connect, [contact AWS Support](https://console.aws.amazon.com/support/home#/).

# Troubleshoot Ghost instance 503 service unavailable error on Lightsail
<a name="troubleshoot-ghost-instance-service-unavailable"></a>

After you create a new Ghost instance in Amazon Lightsail, and try to access your website, you might see an error stating that the service is unavailable (503). In some cases, the Ghost service on the instance is not automatically started when the instance is created. This can happen when you select the \$15 USD/month bundle for your instance. Use the following procedure to start the Ghost service, and resolve the "service is unavailable" error.

## Start the Ghost service
<a name="start-ghost-service"></a>

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Instances**.

1. Choose the browser-based SSH client icon for your Ghost instance.  
![\[Browser-based SSH client in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ghost-quick-connect.png)

1. After the SSH client is connected, enter the following command to restart all services on the instance:

   ```
   sudo /opt/bitnami/ctlscript.sh restart
   ```

   You should see a result similar to the following example:  
![\[Ghost service restarted.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-restart-ghost-services.png)

1. Browse to the public IP address of your instance to confirm that your Ghost website is up and running.

   The public IP address of your instance is listed next to the instance name in the **Instances** section of the Lightsail console.  
![\[Instance public IP address.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ghost-public-ip.png)

   When you browse to the public IP of your new Ghost instance, you should see the default Ghost website template:  
![\[Ghost default website template.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ghost-website.png)

# Troubleshoot Identity and Access Management (IAM) in Lightsail
<a name="security_iam_troubleshoot"></a>

Use the following information to help you diagnose and fix common issues that you might encounter when working with Lightsail and IAM.

## I am not authorized to perform an action in Lightsail
<a name="security_iam_troubleshoot-no-permissions"></a>

If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your user name and password.

The following example error occurs when the `mateojackson` IAM user tries to access the Lightsail console but does not have `lightsail:*` (full-access) permissions.

![\[Unauthorized access error message in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-unauthorized-error-message.png)


In this case, Mateo asks his administrator to update his policies to allow him to access the Lightsail console using the `lightsail:*` (full-access) permissions.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Amazon Lightsail.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Amazon Lightsail. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.
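
When the administrator updates the policy, the `iam:PassRole` grant is best limited to the one role and to Lightsail. The following Python check is an added example, not part of the AWS documentation; the role name `ExampleLightsailRole` and both sample policies are constructed, and `lightsail.amazonaws.com` is assumed as the service the role is passed to.

```python
import fnmatch

# Constructed sample policies. The role name is a placeholder; the account ID is the
# documentation account that appears in the error message above.
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleLightsailRole"
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN,
    "Condition": {"StringEquals": {"iam:PassedToService": "lightsail.amazonaws.com"}}}]}
BROAD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "iam:*", "Resource": "*"}}


def as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    return value if isinstance(value, list) else [value]


def matches_passrole(actions):
    # Action names ignore case and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in as_list(actions))


def grants_passrole(statement):
    if statement.get("Effect") != "Allow":
        return False
    if "NotAction" in statement:  # Allow + NotAction grants every action not listed
        return not matches_passrole(statement["NotAction"])
    return matches_passrole(statement.get("Action", []))


def passed_to(statement):
    """Service principals pinned by an iam:PassedToService condition."""
    services = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator in ("StringEquals", "StringLike"):
            for key, value in keys.items():
                if key.lower() == "iam:passedtoservice":  # condition keys ignore case
                    services += as_list(value)
    return services


def passrole_findings(policy, service="lightsail.amazonaws.com"):
    """Return (statement index, problem) for each over-broad iam:PassRole grant."""
    findings = []
    for index, statement in enumerate(as_list(policy.get("Statement", []))):
        if not grants_passrole(statement):
            continue
        resources = as_list(statement.get("Resource", []))
        if "NotResource" in statement or any("*" in r for r in resources):
            findings.append((index, "Resource is not limited to named role ARNs"))
        if set(passed_to(statement)) != {service}:
            findings.append((index, f"iam:PassedToService does not pin the role to {service}"))
    return findings


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, passrole_findings(policy) or "ok")
```

The check reads identity-based Allow statements only; explicit denies, permissions boundaries, and the role's own trust policy still apply.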

## I want to view my access keys
<a name="security_iam_troubleshoot-access-keys"></a>

After you create your IAM user access keys, you can view your access key ID at any time. However, you can't view your secret access key again. If you lose your secret key, you must create a new access key pair. 

Access keys consist of two parts: an access key ID (for example, `AKIAIOSFODNN7EXAMPLE`) and a secret access key (for example, `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

**Important**  
Do not provide your access keys to a third party, even to help [find your canonical user ID](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-identifiers.html#FindCanonicalId). By doing this, you might give someone permanent access to your AWS account.

When you create an access key pair, you are prompted to save the access key ID and secret access key in a secure location. The secret access key is available only at the time you create it. If you lose your secret access key, you must add new access keys to your IAM user. You can have a maximum of two access keys. If you already have two, you must delete one key pair before creating a new one. To view instructions, see [Managing access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) in the *IAM User Guide*.

## I'm an administrator and want to allow others to access Lightsail
<a name="security_iam_troubleshoot-admin-delegate"></a>

To allow others to access Amazon Lightsail, you must grant permission to the people or applications that need access. If you are using AWS IAM Identity Center to manage people and applications, you assign permission sets to users or groups to define their level of access. Permission sets automatically create and assign IAM policies to IAM roles that are associated with the person or application. For more information, see [Permission sets](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html) in the *AWS IAM Identity Center User Guide*.

If you are not using IAM Identity Center, you must create IAM entities (users or roles) for the people or applications that need access. You must then attach a policy to the entity that grants them the correct permissions in Amazon Lightsail. After the permissions are granted, provide the credentials to the user or application developer. They will use those credentials to access AWS. To learn more about creating IAM users, groups, policies, and permissions, see [IAM Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) and [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

## I want to allow people outside of my AWS account to access my Lightsail resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Amazon Lightsail supports these features, see [How Amazon Lightsail works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Verify IPv6 reachability for Lightsail instances
<a name="amazon-lightsail-ipv6-reachability"></a>

You can verify IPv6 connectivity from your local computer to an Amazon Lightsail instance using the ping tool. Ping is a network diagnostic utility that’s used to troubleshoot connectivity issues between two or more networked devices. If ping succeeds, you should be able to connect to your instance over IPv6. If a network setting or device isn't configured to allow IPv6, the ping command fails. For more information, see [IPv6-only considerations](amazon-lightsail-ipv6-only-plans.md).

**Topics**
+ [Enable IPv6 for dual-stack instances](#ipv6-reachability-enable-ipv6)
+ [Configure the instance's firewall](#ipv6-reachability-configure-firewall)
+ [Test reachability to your instance](#ipv6-reachability-test)

## Enable IPv6 for dual-stack instances
<a name="ipv6-reachability-enable-ipv6"></a>

Enable IPv6 for your dual-stack instance before you begin testing. IPv6 is always on for IPv6-only instances. 

Complete the following procedure to enable IPv6 on your dual-stack instance if it's not enabled.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. Choose the name of the instance for which you want to enable IPv6. Make sure that your instance is running.

1. Choose the **Networking** tab from the instance management page.

1. Enable IPv6 on the **IPv6 Networking** section of the page.  
![\[Lightsail IPv6 toggle showing the off position with the cursor about to turn it on.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-enable-ipv6.png)

   After you enable IPv6, a public IPv6 address is assigned to your instance, and the IPv6 firewall becomes available.  
![\[Lightsail IPv6 firewall showing applications, protocols, ports, and IPv6 address restrictions.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-ipv6-firewall.png)

1. <a name="step_copy_ip"></a>Take note of the instance's **Public IPv4** and **Public IPv6** addresses at the top of the page. You will use them in the following sections.

## Configure the instance's firewall
<a name="ipv6-reachability-configure-firewall"></a>

The firewall in the Lightsail console acts as a virtual firewall, meaning that it controls which traffic is allowed to connect to your instance through its public IP address. Each dual-stack instance that you create in Lightsail has an individual firewall for IPv4 addresses and another for IPv6 addresses. Each firewall contains a set of rules that filter traffic coming into the instance. Both firewalls are independent of each other, so you must configure firewall rules separately for IPv4 and IPv6. Instances with an IPv6-only instance plan don't have an IPv4 firewall that you can configure.

Complete the following procedure to configure your instance’s firewall for Internet Control Message Protocol (ICMP) traffic. The ping utility uses the ICMP protocol to communicate with your instance. For more information, see [Control instance traffic with firewalls in Lightsail](understanding-firewall-and-port-mappings-in-amazon-lightsail.md).

**Important**  
Windows and Linux contain an operating system (OS) level firewall that can block ping commands. Verify that the instance’s OS firewall can accept ICMP traffic over IPv4 and IPv6 before you continue. For more information, see the following documentation:
+ [Connect to your Lightsail Windows instance using RDP](connect-to-your-windows-based-instance-using-amazon-lightsail.md)
+ [Connect to Linux or Unix instances on Lightsail](lightsail-how-to-connect-to-your-instance-virtual-private-server.md)

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. Choose the name of the instance for which you want to configure the firewall.

1. Choose the **Networking** tab from the instance management page, then complete the remaining steps in the appropriate section for the type of firewall that you want to use. For IPv4, complete the steps in the **IPv4 Firewall** section. For IPv6, complete the steps in the **IPv6 Firewall** section.

   1. From the **Application** dropdown menu, choose **Ping (ICMP)**.

   1. Select the **Restrict to IP address** box to allow a connection from your local source IP address or range, then enter your source IP address. (Optional) You can leave the box unselected to allow a connection from any IP address. We recommend that you use this option in a test environment only.

   1. Choose **Create** to apply the new rule to your instance.

## Test reachability to your instance
<a name="ipv6-reachability-test"></a>

Complete the following procedure to test IPv4 or IPv6 reachability from your local computer or network to your Lightsail instance. You need the instance's public IPv4 and IPv6 addresses that you noted in [Step 5](#step_copy_ip).

### From a Linux, Unix, or macOS device
<a name="test-linux-unix-macos-ipv6"></a>

1. Open a terminal window on your local device.

1. Enter one of the following commands to ping your Lightsail instance. Replace the example *IP address* that's in the command with the public IPv4 or IPv6 address of your instance.

   To test over IPv4

   ```
   ping 192.0.2.0
   ```

   To test over IPv6

   ```
   ping6 2001:db8::
   ```

1. After the command returns a few replies, enter `ctrl+z` on your device's keyboard to stop the command.

The ping command returns successful replies from your instance’s IPv4 address if it’s successful. The result should look like the following example.

![\[Successful IPv4 ping command.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-reachability-test-linux-ipv4-success.png)


The ping6 command returns successful replies from your instance’s IPv6 address if it’s successful. The result should look like the following example.

![\[Successful IPv6 ping command.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-reachability-test-linux-ipv6-success.png)


Both commands return **Request timeout** if your instance can't be reached.

### From a Windows device
<a name="test-windows-ipv6"></a>

1. Open a command prompt.

1. Enter one of the following commands to ping your Lightsail instance. Replace the example *IP address* that's in the command with the public IPv4 or IPv6 address of your instance.

   To test over IPv4

   ```
   ping 192.0.2.0
   ```

   To test over IPv6

   ```
   ping 2001:db8::
   ```

1. After the command returns a few replies, enter `ctrl+z` on your device's keyboard to stop the command.

The ping command returns successful replies from your instance’s IPv4 address if it’s successful. The result should look like the following example.

![\[Successful IPv4 ping command.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-reachability-test-windows-ipv4-success.png)


The ping command returns successful replies from your instance’s IPv6 address if it’s successful. The result should look like the following example.

![\[Successful IPv6 ping command.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-reachability-test-windows-ipv6-success.png)


Both commands return **Request timeout** if your instance can't be reached.
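
The IPv4 and IPv6 tests above can be scripted so that they stop on their own and the result points at the right firewall. This Python script is an added example, not part of the AWS documentation: it runs the page's `ping` and `ping6` commands with a fixed request count (`-c` on Linux, Unix, and macOS, `-n` on Windows), reads the loss summary, and lists which checks from the preceding sections to revisit. The function names and sample output strings are constructed, and English-language ping output is assumed.

```python
import ipaddress
import platform
import re
import subprocess
import sys

# "0% packet loss" (Linux), "0.0% packet loss" (macOS), "(0% loss)" (Windows).
LOSS_RE = re.compile(r"(\d+(?:\.\d+)?)%\s*(?:packet\s+)?loss", re.IGNORECASE)

# Constructed sample summaries (not captured from a real host).
SAMPLE_LINUX_OK = "4 packets transmitted, 4 received, 0% packet loss, time 3004ms"
SAMPLE_WINDOWS_TIMEOUT = "Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),"
SAMPLE_WINDOWS_UNREACHABLE = ("Reply from 192.0.2.1: Destination host unreachable.\n"
                              "Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),")


def ping_command(address, count=4, system=None):
    """Build the page's ping/ping6 command, bounded to `count` echo requests."""
    system = system or platform.system()
    version = ipaddress.ip_address(address).version  # ValueError if not an IP literal
    if system == "Windows":
        return ["ping", "-n", str(count), address]  # Windows ping handles both families
    tool = "ping6" if version == 6 else "ping"      # as on the page for Linux/Unix/macOS
    return [tool, "-c", str(count), address]


def reachable(output):
    """True only if ping reported echo replies from the target."""
    match = LOSS_RE.search(output)
    if match is None:  # no summary line: ping failed before sending anything
        return False
    # Windows counts a router's "Destination host unreachable" as a received reply.
    if "unreachable" in output.lower():
        return False
    return float(match.group(1)) < 100.0


def probe(address, count=4, timeout=30):
    """Run ping against the address and report whether it answered."""
    try:
        done = subprocess.run(ping_command(address, count), capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False
    return reachable(done.stdout)


def next_checks(ipv4_ok, ipv6_ok):
    """Map the two results to the checks described in the sections above.
    Pass ipv4_ok=None when there is no IPv4 address to test (IPv6-only plan)."""
    if ipv6_ok and ipv4_ok in (True, None):
        return ["Reachable over every address family that was tested."]
    checks = []
    if not ipv6_ok:
        checks += ["Dual-stack instance: confirm IPv6 is enabled on the Networking tab.",
                   "IPv6 firewall: add its own Ping (ICMP) rule; IPv4 rules do not apply.",
                   "Local network: confirm it is configured to allow IPv6."]
    if ipv4_ok is False:
        checks += ["IPv4 firewall: add a Ping (ICMP) rule."]
    checks += ["Restrict to IP address: confirm the rule lists your current source IP.",
               "Instance OS firewall: confirm it accepts ICMP for the failing family."]
    return checks


if __name__ == "__main__":
    # usage: python reach.py <public IPv6 address> [<public IPv4 address>]
    v6 = probe(sys.argv[1])
    v4 = probe(sys.argv[2]) if len(sys.argv) > 2 else None
    print("\n".join(next_checks(v4, v6)))
```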

# Resolve insufficient instance capacity errors in Lightsail
<a name="amazon-lightsail-instance-capacity"></a>

You might get an insufficient instance capacity error when you try to launch an instance or restart a stopped instance. This means that AWS doesn’t have the available instance capacity to fulfill your request at the current time. Following is an example of the insufficient instance capacity error:

*InsufficientInstanceCapacity: There is not enough capacity to fulfill your instance request. Reduce the number of instances in your request, or wait for additional capacity to become available. You can also try launching an instance by selecting a smaller Lightsail plan (which you can resize at a later stage).*

In this guide, you will learn about the actions you can take if you get an insufficient instance capacity error.

**Contents**
+ [Insufficient capacity when launching a new instance](#insufficient-capacity-new-instance)
+ [Insufficient capacity when starting a stopped instance](#insufficient-capacity-stopped-instance)
+ [Related information](#insufficient-capacity-related-info)

## Insufficient capacity when launching a new instance
<a name="insufficient-capacity-new-instance"></a>

Use the following options if you get an insufficient instance capacity error when launching a new instance. You can complete each option in order, or choose an option that works for you.

1. Wait a few minutes and then submit your request again. Instance capacity can shift frequently. Continue to option 2 if you are unable to create your instance after waiting a few minutes.

1. Select a different Availability Zone (AZ) when creating your instance. Each AWS Region contains three or more AZs, and each AZ maintains different instance capacities. By selecting a different AZ, you can take advantage of its current instance capacity. Continue to option 3 if you are unable to create an instance in a different AWS Region or AZ.

1. Reduce the number of instances in your request. If you’re creating multiple instances at the same time, reduce the number of instances and submit your request again. Continue to option 4 if reducing the number of instances doesn’t resolve the issue.

1. Choose a different instance plan when creating your instance. Choose a different instance plan if you are unable to create an instance in a different AZ or Region. You can resize the instance at a later stage. For more information about resizing your instance, see [Create an instance from a snapshot](lightsail-how-to-create-instance-from-snapshot.md).

## Insufficient capacity when starting a stopped instance
<a name="insufficient-capacity-stopped-instance"></a>

Use the following options if you get an insufficient instance capacity error when starting an existing instance that was previously stopped.

1. Wait a few minutes and then submit your request again. Instance capacity can shift frequently. Continue to option 2 if you are unable to start your instance after waiting a few minutes.

1. Create a new instance from a snapshot. Take a snapshot of the stopped instance. Then, use the snapshot to create a new instance in an AZ that’s different from the original instance. For example, if your instance is currently in us-east-2a (Zone A), select us-east-2c (Zone C) when you create the new instance. For more information, see [Create an instance from a snapshot](lightsail-how-to-create-instance-from-snapshot.md).

1. You can also choose a different instance plan when creating a new instance from a snapshot. This action is optional. 

**Important**  
After the new instance is running, verify you have access to the new instance and everything is working properly. For example, if your instance was running an application, make sure that the application is working as expected. If so, you can delete the earlier instance.

## Related information
<a name="insufficient-capacity-related-info"></a>

[Frequently asked questions](amazon-lightsail-faq-instances.md)

[Resilience in Lightsail](disaster-recovery-resiliency.md)

# Troubleshoot Lightsail load balancer issues
<a name="troubleshooting-lightsail-load-balancer-issues"></a>

You might encounter errors with your Lightsail load balancers. This topic identifies common issues and workarounds for those errors.

## General load balancer errors
<a name="general-load-balancer-errors"></a>

Choose the issue below that best describes your problem, and follow the links to fix the issue. If you encounter an issue that's not in the list, use the **Questions? Comments?** link at the bottom of this page to submit feedback or contact AWS Customer Support.

**I can't create a certificate.**  
There is a quota to the number of certificates you can create in an AWS account. For more information, see [Quotas](http://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html) in the AWS Certificate Manager User Guide. The same quotas apply to Lightsail certificates for load balancers.  
*Actual error message:*  **Sorry, you've requested too many certificates for your account.**

**I can't attach any more instances to my load balancer.**  
You can attach as many Lightsail instances as you like to your load balancer, as long as you stay within the quota of 20 total Lightsail instances per AWS account.  
*Actual error message:*  **Sorry, you've reached the maximum number of instances you can attach to this load balancer.**

**I can't attach a specific instance to my load balancer.**  
First, check to make sure your Lightsail instance is running. If it is stopped, you can start it from the instance management page. Lightsail instances must be running to be successfully attached to a load balancer.  
It could be that you have attached the same instance to too many load balancers.  
*Actual error message:*  **Sorry, you've reached the maximum number of times an instance can be registered with a load balancer.**

**Lightsail can't find the instance I'm trying to attach to my load balancer**  
You might be trying to attach an instance that no longer exists or is not in the same VPC as the target group.  
*Actual error message:*  **Sorry, the instance you specified doesn't exist, isn't in the same VPC as the target group, or has an unsupported instance type.**

# Troubleshoot notification delivery in Lightsail
<a name="amazon-lightsail-troubleshooting-notifications"></a>

If you don't receive notifications when you expect to be notified, then there are a few things you should check to confirm that your notification contacts are configured correctly. To learn more about notifications, see [Notifications](amazon-lightsail-notifications.md).

The following list describes common notification contact issues that you may experience, along with what causes them, and how to resolve them. If you encounter an issue that's not in the list, use the **Questions? Comments?** link at the bottom of this page to submit feedback or contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).

**I added my email address as a notification contact but I'm not receiving email notifications**  
When you add an email address as a notification contact in Lightsail, a verification request is sent to that address. The verification request email contains a link that the recipient must click to confirm that they want to receive Lightsail notifications. Notifications are not sent to the email address until after it is verified. The verification comes from *AWS Notifications <no-reply@sns.amazonaws.com>*, with a subject of *AWS Notification - Subscription Confirmation*. SMS messaging does not require verification.  
Check the mailbox's spam and junk folders if the verification request is not in the inbox folder. If the verification request got lost, or was deleted, choose **Resend verification** in the notification banner that is displayed in the Lightsail console, and in the **Account** page.  

![\[Resend email verification in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-email-verification-banner-resend.png)


**I see `null` listed as my email notification contact.**  
Email addresses must be verified within 24 hours after they are added. If you fail to verify an email within 24 hours, that email is automatically given a status of `invalid` and it is removed from Lightsail. That is why you might see a value of **null** for one or more of your email notification contacts.  

![\[Null email notification contact in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-null-email-notification-contact.png)

To fix this issue, remove the **null** email notification contact, and add the correct email address again. Ensure that you verify the email address immediately after adding it to Lightsail. For more information, see [Notifications](amazon-lightsail-notifications.md).

**I have not received SMS text message notifications, or I stopped receiving them recently**  
You may have opted out of receiving SMS text message notifications. You can opt out by responding to an SMS text message notification with `ARRET` (French), `CANCEL`, `END`, `OPT-OUT`, `OPTOUT`, `QUIT`, `REMOVE`, `STOP`, `TD`, or `UNSUBSCRIBE`. If you opt out a mobile phone number, you must wait 30 days before you are able to add that mobile phone number again as a notification contact in Lightsail.

# Troubleshoot SSL/TLS certificates in Lightsail
<a name="troubleshooting-tls-ssl-certificate-issues"></a>

You might encounter errors with your Lightsail load balancers. This topic identifies common issues and workarounds for those errors.

Choose the issue below that best describes your problem, and follow the links to fix the issue. If you encounter an issue that's not in the list, use the **Questions? Comments?** link at the bottom of this page to submit feedback or contact AWS Customer Support.

**I can't create a certificate.**  
There is a quota to the number of certificates you can create in an AWS account. For more information, see [Quotas](http://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html) in the AWS Certificate Manager User Guide. The same quotas apply to Lightsail certificates for load balancers.  
*Actual error message:*  **Sorry, you've requested too many certificates for your account.**

**My certificate request failed.**  
If your certificate request failed, you can choose **Retry** on the **Inbound traffic** tab of the load balancer management page.  
If you still can't figure out what went wrong, contact AWS Customer Support.

**My domain showed as invalid.**  
If you're having trouble verifying that you control a domain, check to see that you have access to the DNS management. If you do and you followed [these instructions](understanding-tls-ssl-certificates-in-lightsail-https.md) but still can't validate, contact AWS Customer Support.