This repository has been archived by the owner on Mar 3, 2023. It is now read-only.

letsencrypt wildcard domain support #16

Open
jacksnodgrass opened this issue Apr 13, 2018 · 2 comments

Comments

@jacksnodgrass

Not sure where the fault lies... I think it's certbot....

This works:

    sh ./certbot-route53.sh \
      --expand \
      --agree-tos \
      --manual-public-ip-logging-ok \
      --domains www.mylinuxguy.org,mylinuxguy.org \
      --cert-name mylinuxguy.org \
      --keep-until-expiring \
      --reinstall \
      --update \
      --server "https://acme-v02.api.letsencrypt.org/directory"

and this works:

    sh ./certbot-route53.sh \
      --expand \
      --agree-tos \
      --manual-public-ip-logging-ok \
      --domains '*.mylinuxguy.org' \
      --cert-name mylinuxguy.org \
      --keep-until-expiring \
      --reinstall \
      --update \
      --server "https://acme-v02.api.letsencrypt.org/directory"

but this:

    sh ./certbot-route53.sh \
      --expand \
      --agree-tos \
      --manual-public-ip-logging-ok \
      --domains '*.mylinuxguy.org,mylinuxguy.org' \
      --cert-name mylinuxguy.org \
      --keep-until-expiring \
      --reinstall \
      --update \
      --server "https://acme-v02.api.letsencrypt.org/directory"

does not.

The log shows:

    2018-04-13 09:55:04,653:INFO:certbot.auth_handler:Cleaning up challenges
    2018-04-13 09:55:06,353:INFO:certbot.hooks:Output from certbot-route53.sh:
    1

    2018-04-13 09:55:06,353:ERROR:certbot.hooks:Error output from certbot-route53.sh:

    An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.mylinuxguy.org.', type='TXT'] but the values provided do not match the current values

    Waiter ResourceRecordSetsChanged failed:

    2018-04-13 09:56:08,311:INFO:certbot.hooks:Output from certbot-route53.sh:
    1

I think that wildcard domain stuff uses the same name as the non-wildcard domain.. so
*.mylinuxguy.org and mylinuxguy.org use the same name for:
_acme-challenge.mylinuxguy.org
and that causes the aws route53 servers issues.

Just wanted to see if anyone else has tried this and gotten it to work.

- jack
@noonespecial2

I can confirm that using

--server "https://acme-v02.api.letsencrypt.org/directory"

does the job at poking the right acme server for initiating the challenge!

@Jaco-Pretorius

I had the same issue. As far as I can tell, the problem is that when you specify 2 'subdomains' (*.mylinuxguy.org and mylinuxguy.org) the auth hook is invoked twice. That means you need to create 2 TXT records for _acme-challenge.mylinuxguy.org.

However, the script uses the route53 change-resource-record-sets command with an UPSERT (which is correct), which means the second hook overrides the first.

The way I fixed it is to no-op on the first hook but to write the certbot validation value to a file. Then on the second request I write both values to the TXT record using route53 change-resource-record-sets.

That means your JSON change needs to look something like

      {
        "Changes":[
          {
            "Action":"${ACTION}",
            "ResourceRecordSet":{
              "ResourceRecords":[
                {
                  "Value": "\"$PREVIOUS_CERTBOT_VALIDATION\""
                },
                {
                  "Value": "\"$CERTBOT_VALIDATION\""
                }
              ],
              "Name":"_acme-challenge.${CERTBOT_DOMAIN}.",
              "Type":"TXT",
              "TTL":30
            }
          }
        ]
      }

This works for both the auth-hook and the auth-hook cleanup.
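The record-then-publish approach described in this comment, written out as an added example; this is not the project's certbot-route53.sh nor the commenter's own script, and every function name in it is hypothetical. It assumes certbot's documented manual-hook variables CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES (the count of challenges still to come for the order, so the hook knows when it holds the last token), a writable STATE_DIR for the tokens kept between invocations, and HOSTED_ZONE_ID set by the caller. The aws CLI is only invoked when ROUTE53_APPLY=1; otherwise the command is printed so the script runs offline. It goes slightly beyond the comment in two ways: it accumulates any number of names that share one _acme-challenge label, and it reuses the recorded values for the cleanup DELETE, which Route 53 rejects with the InvalidChangeBatch error shown in the issue log unless every currently published value is supplied.

```shell
#!/bin/sh
# Added example, not the project's certbot-route53.sh: collect every
# validation token certbot hands the auth hook for one label, then publish
# them as a single TXT record set. All names here are hypothetical.

# Where tokens are kept between hook invocations (assumed writable).
STATE_DIR="${STATE_DIR:-${TMPDIR:-/tmp}/acme-txt-state}"

# Record one token for a domain; prints how many tokens are now on file.
record_validation() {
  domain="$1"; token="$2"
  mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR"
  f="$STATE_DIR/$domain.tokens"
  # Ignore a repeated invocation for a token that is already recorded.
  if ! grep -qxF -- "$token" "$f" 2>/dev/null; then
    printf '%s\n' "$token" >> "$f"
  fi
  wc -l < "$f" | tr -d ' '
}

# Build a Route 53 change batch (UPSERT or DELETE) holding one quoted value
# per recorded token, so a DELETE matches the record exactly as published.
build_change_batch() {
  action="$1"; domain="$2"
  f="$STATE_DIR/$domain.tokens"
  [ -f "$f" ] || f=/dev/null
  records=""
  while IFS= read -r tok; do
    if [ -n "$records" ]; then records="$records,"; fi
    # Route 53 wants TXT data wrapped in literal double quotes.
    records="$records{\"Value\":\"\\\"$tok\\\"\"}"
  done < "$f"
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"_acme-challenge.%s.","Type":"TXT","TTL":30,"ResourceRecords":[%s]}}]}\n' \
    "$action" "$domain" "$records"
}

# Submit the batch; touches Route 53 only when ROUTE53_APPLY=1, otherwise
# prints the command so the script can be exercised offline.
apply_change() {
  if [ "${ROUTE53_APPLY:-0}" = "1" ]; then
    aws route53 change-resource-record-sets \
      --hosted-zone-id "$HOSTED_ZONE_ID" --change-batch "$1"
  else
    printf 'dry run: aws route53 change-resource-record-sets --hosted-zone-id %s --change-batch %s\n' \
      "${HOSTED_ZONE_ID:-<zone-id>}" "$1" >&2
  fi
}

# --manual-auth-hook: certbot runs this once per name. Until the last
# challenge of the order (CERTBOT_REMAINING_CHALLENGES=0) we only record.
auth_hook() {
  n=$(record_validation "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")
  if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -gt 0 ]; then
    echo "recorded token $n for $CERTBOT_DOMAIN, waiting for the rest" >&2
    return 0
  fi
  apply_change "$(build_change_batch UPSERT "$CERTBOT_DOMAIN")"
}

# --manual-cleanup-hook: also runs once per name; on the final call delete
# with every value that was published, then discard the state file.
cleanup_hook() {
  if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -gt 0 ]; then
    return 0
  fi
  apply_change "$(build_change_batch DELETE "$CERTBOT_DOMAIN")"
  rm -f "$STATE_DIR/$CERTBOT_DOMAIN.tokens"
}

# Offline walk-through with constructed tokens for apex + wildcard.
demo() {
  STATE_DIR=$(mktemp -d); export STATE_DIR
  export CERTBOT_DOMAIN=example.test
  export CERTBOT_VALIDATION=tok-apex-0001 CERTBOT_REMAINING_CHALLENGES=1
  auth_hook
  export CERTBOT_VALIDATION=tok-wild-0002 CERTBOT_REMAINING_CHALLENGES=0
  auth_hook
  cleanup_hook
}

case "${1:-}" in
  auth) auth_hook ;;
  cleanup) cleanup_hook ;;
  demo) demo ;;
esac
```

Running `sh acme-route53-hooks.sh demo` prints the two dry-run change batches: the UPSERT carrying both constructed tokens, then a DELETE carrying the same two values. To wire it into certbot, pass `--manual-auth-hook "sh acme-route53-hooks.sh auth"` and `--manual-cleanup-hook "sh acme-route53-hooks.sh cleanup"` with ROUTE53_APPLY=1 and HOSTED_ZONE_ID exported. The state file is the piece that makes both hooks idempotent across the two invocations; keeping it until the final cleanup is what lets the DELETE match what was published.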
