You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2023. It is now read-only.
and this works:
sh ./certbot-route53.sh
--expand
--agree-tos
--manual-public-ip-logging-ok
--domains *.mylinuxguy.org
--cert-name mylinuxguy.org
--keep-until-expiring
--reinstall
--update
--server "https://acme-v02.api.letsencrypt.org/directory"
but this:
sh ./certbot-route53.sh
--expand
--agree-tos
--manual-public-ip-logging-ok
--domains *.mylinuxguy.org,mylinuxguy.org
--cert-name mylinuxguy.org
--keep-until-expiring
--reinstall
--update
--server "https://acme-v02.api.letsencrypt.org/directory"
does not.
the log shows:
2018-04-13 09:55:04,653:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-13 09:55:06,353:INFO:certbot.hooks:Output from certbot-route53.sh:
1
2018-04-13 09:55:06,353:ERROR:certbot.hooks:Error output from certbot-route53.sh:
An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.mylinuxguy.org.', type='TXT'] but the values provided do not match the current values
Waiter ResourceRecordSetsChanged failed:
2018-04-13 09:56:08,311:INFO:certbot.hooks:Output from certbot-route53.sh:
1
I think that wildcard domain stuff uses the same name as the non-wildcard domain.. so
*.mylinuxguy.org and mylinuxguy.org use the same name for:
_acme-challenge.mylinuxguy.org
and that causes the aws route53 servers issues.
Just wanted to see if anyone else has tried this and gotten it to work.
jack
The text was updated successfully, but these errors were encountered:
I had the same issue. As far as I can tell the problem is when you specify 2 'subdomains' (*.mylinuxguy.org and mylinuxguy.org) the auth hook is invoked twice. That means you need to create 2 TXT records for _acme-challenge.mylinuxguy.org.
However, the script uses the route53 change-resource-record-sets command with an UPSERT (which is correct), but it means the second hook overrides the first.
The way I fixed it is to no-op on the first hook but to write the certbot validation value to a file. Then on the second request I write both values to the TXT record using route53 change-resource-record-sets
That means your JSON change needs to look something like
Not sure where the fault lies... I think it's certbot....
This works:
sh ./certbot-route53.sh
--expand
--agree-tos
--manual-public-ip-logging-ok
--domains www.mylinuxguy.org,mylinuxguy.org
--cert-name mylinuxguy.org
--keep-until-expiring
--reinstall
--update
--server "https://acme-v02.api.letsencrypt.org/directory"
and this works:
sh ./certbot-route53.sh
--expand
--agree-tos
--manual-public-ip-logging-ok
--domains *.mylinuxguy.org
--cert-name mylinuxguy.org
--keep-until-expiring
--reinstall
--update
--server "https://acme-v02.api.letsencrypt.org/directory"
but this:
sh ./certbot-route53.sh
--expand
--agree-tos
--manual-public-ip-logging-ok
--domains *.mylinuxguy.org,mylinuxguy.org
--cert-name mylinuxguy.org
--keep-until-expiring
--reinstall
--update
--server "https://acme-v02.api.letsencrypt.org/directory"
does not.
the log shows:
2018-04-13 09:55:04,653:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-13 09:55:06,353:INFO:certbot.hooks:Output from certbot-route53.sh:
1
2018-04-13 09:55:06,353:ERROR:certbot.hooks:Error output from certbot-route53.sh:
An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.mylinuxguy.org.', type='TXT'] but the values provided do not match the current values
Waiter ResourceRecordSetsChanged failed:
2018-04-13 09:56:08,311:INFO:certbot.hooks:Output from certbot-route53.sh:
1
I think that wildcard domain stuff uses the same name as the non-wildcard domain.. so
*.mylinuxguy.org and mylinuxguy.org use the same name for:
_acme-challenge.mylinuxguy.org
and that causes the aws route53 servers issues.
Just wanted to see if anyone else has tried this and gotten it to work.
The text was updated successfully, but these errors were encountered: