cert-manager: Issue certificate using dns01 via route53 stuck on SelfCheck status

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug

/kind feature

What happened: Trying to configure dns01 route53 provider and it works using staging letsencrypt ClusterIssuer. When changing ClusterIssuer to live, it stuck on status

  Normal  PrepareCertificate  15m   cert-manager-controller  Preparing certificate with issuer
  Normal  PresentChallenge    15m   cert-manager-controller  Presenting dns-01 challenge for domain auth-service-trunk.gel.net
  Normal  PresentChallenge    15m   cert-manager-controller  Presenting dns-01 challenge for domain auth.test.gel.tech
  Normal  SelfCheck           14m   cert-manager-controller  Performing self-check for domain auth-service-trunk.gel.net
  Normal  SelfCheck           14m   cert-manager-controller  Performing self-check for domain auth.test.geo.tech

I’ve checked route 53 and I see there _acme-challenge. TXT records for both domains. Same live ClusterIssuer works as expected with http01 provider. In log no errors. How to understand what wrong? Can I enable debug mode in some way?

What you expected to happen: Successfully issued certificate

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

• Kubernetes version (use kubectl version): Server Version: version.Info{Major:“1”, Minor:“8”, GitVersion:“v1.8.8”, GitCommit:“2f73858c9e6ede659d6828fe5a1862a48034a0fd”, GitTreeState:“clean”, BuildDate:“2018-02-09T21:23:25Z”, GoVersion:“go1.8.3”, Compiler:“gc”, Platform:“linux/amd64”}

• Cloud provider or hardware configuration**: AWS

• Install tools: Installed via helm from https://github.com/kubernetes/charts/tree/master/stable/cert-manager

• Others: