Comments (20)
@jimmycuadra Looks like you built from the master branch. The fix is not in there. Please build from this branch and report back: https://github.com/xenolf/lego/tree/route53-literal-quotes
from lego.
Ah, my mistake! Using that branch:
lego --email="[email protected]" --domains="example.com" --dns="route53" --exclude="http-01" --exclude="tls-sni-01" run
2016/02/02 19:03:28 [INFO][example.com] acme: Obtaining bundled SAN certificate
2016/02/02 19:03:28 [INFO][example.com] acme: Could not find solver for: tls-sni-01
2016/02/02 19:03:28 [INFO][example.com] acme: Could not find solver for: http-01
2016/02/02 19:03:28 [INFO][example.com] acme: Trying to solve DNS-01
2016/02/02 19:03:31 Error cleaning up example.com Request failed, got status code: 400. Response: <?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidChangeBatch</Code><Message>Tried to delete resource record set [name='_acme-challenge.example.com.', type='TXT'] but the values provided do not match the current values</Message></Error><RequestId>f0faa104-ca11-11e5-9e8d-7f32ca71d356</RequestId></ErrorResponse>
2016/02/02 19:03:31 [example.com] Could not obtain certificates
acme: Error 0 - urn:acme:error:unauthorized - Correct value not found for DNS challenge
Error Detail:
Looks like two problems:
- It's using the wrong value when it tries to delete the DNS TXT record (probably the same issue, needs literal quotes)
- The value it puts there is not actually correct. No idea why. Let me know what other info I can provide to help debug.
from lego.
Thanks for the feedback. I think this should be fixed by using raw string literals. Could you build and run from this patch branch: https://github.com/janeczku/lego/tree/route53-raw-string-literals ?
Thanks again and sorry for the trouble!
from lego.
Hi @janeczku!
I tried your branch but it still failed because ChangeResourceRecordSets has not completed yet when the function returns.
So we should probably add the following code after ChangeResourceRecordSets.
diff --git a/acme/dns_challenge_route53.go b/acme/dns_challenge_route53.go
index 88c0033..7cd8f16 100644
--- a/acme/dns_challenge_route53.go
+++ b/acme/dns_challenge_route53.go
@@ -62,8 +62,30 @@ func (r *DNSProviderRoute53) changeRecord(action, fqdn, value string, ttl int) e
update := route53.Change{action, recordSet}
changes := []route53.Change{update}
req := route53.ChangeResourceRecordSetsRequest{Comment: "Created by Lego", Changes: changes}
- _, err = r.client.ChangeResourceRecordSets(hostedZoneID, &req)
- return err
+ crrsr, err := r.client.ChangeResourceRecordSets(hostedZoneID, &req)
+ if err != nil {
+ return err
+ }
+ if crrsr.ChangeInfo.Status != "PENDING" {
+ return fmt.Errorf("status is not PENDING: %q", crrsr.ChangeInfo.Status)
+ }
+
+ var success bool
+ for tries := 0; tries < 10; tries++ {
+ time.Sleep(10 * time.Second)
+ gcr, err := r.client.GetChange(crrsr.ChangeInfo.ID)
+ if err != nil {
+ return err
+ }
+ if gcr == "INSYNC" {
+ success = true
+ break
+ }
+ }
+ if !success {
+ return fmt.Errorf("could not complete")
+ }
+ return nil
}
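Review bot: the `if gcr == "INSYNC"` check compares the whole GetChange result to a string, while the earlier lines in this hunk read the status from `crrsr.ChangeInfo.Status`; the poll should compare `gcr.ChangeInfo.Status` the same way, otherwise it never matches (or fails to compile) and the loop always ends in "could not complete". The fixed 10 × 10 s schedule also hard-codes a 100 s ceiling; making the interval and attempt count configurable (and logging the last observed status in the error) would make propagation timeouts diagnosable. The hunk also uses `fmt` and `time`, so the import block needs both if the file does not already have them.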
from lego.
Care to share the log output when you run from my branch? I don't have AWS credentials at hand right now to test myself. @oov
from lego.
Ok.
$ lego --email="[email protected]" --domains="oov.ch" --domains="wl2.oov.ch" --domains="sub.oov.ch" --dns="route53" --exclude="http-01" --exclude="tls-sni-01" renew
2016/02/04 03:36:55 [INFO][oov.ch] acme: Trying renewal with 2157 hours remaining
2016/02/04 03:36:55 [INFO][oov.ch, sub.oov.ch, wl2.oov.ch] acme: Obtaining bundled SAN certificate
2016/02/04 03:36:56 [INFO][oov.ch] acme: Trying to solve DNS-01
2016/02/04 03:37:01 Error cleaning up oov.ch Request failed, got status code: 400. Response: <?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidChangeBatch</Code><Message>Tried to delete resource record set [name='_acme-challenge.oov.ch.', type='TXT'] but the values provided do not match the current values</Message></Error><RequestId>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(modified by hand)</RequestId></ErrorResponse>
2016/02/04 03:37:01 [INFO][sub.oov.ch] acme: Trying to solve DNS-01
2016/02/04 03:37:06 Error cleaning up sub.oov.ch Request failed, got status code: 400. Response: <?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidChangeBatch</Code><Message>Tried to delete resource record set [name='_acme-challenge.sub.oov.ch.', type='TXT'] but the values provided do not match the current values</Message></Error><RequestId>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(modified by hand)</RequestId></ErrorResponse>
2016/02/04 03:37:06 [INFO][wl2.oov.ch] acme: Could not find solver for: tls-sni-01
2016/02/04 03:37:06 [INFO][wl2.oov.ch] acme: Trying to solve DNS-01
2016/02/04 03:37:11 Error cleaning up wl2.oov.ch Request failed, got status code: 400. Response: <?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidChangeBatch</Code><Message>Tried to delete resource record set [name='_acme-challenge.wl2.oov.ch.', type='TXT'] but the values provided do not match the current values</Message></Error><RequestId>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(modified by hand)</RequestId></ErrorResponse>
2016/02/04 03:37:11 acme: Error 0 - urn:acme:error:unauthorized - Correct value not found for DNS challenge
Error Detail:
from lego.
Thanks! Are you sure you were actually building from my patch branch? There should be a log line with the recordSet
struct printed out! See: https://github.com/janeczku/lego/blob/8f3d6fd7ec1973ac7da5fe2863b247c04854a3ce/acme/dns_challenge_route53.go#L63
from lego.
You probably need to copy this file https://github.com/janeczku/lego/blob/route53-raw-string-literals/acme/dns_challenge_route53.go and overwrite the one in $GOPATH/src/github.com/xenolf/lego/acme. And then build normally.
from lego.
Sorry, I'm wrong; this is the correct log from your branch.
$ lego --email="[email protected]" --domains="oov.ch" --domains="wl2.oov.ch" --domains="sub.oov.ch" --dns="route53" --exclude="http-01" --exclude="tls-sni-01" renew
2016/02/04 04:03:51 [INFO][oov.ch] acme: Trying renewal with 2158 hours remaining
2016/02/04 04:03:51 [INFO][oov.ch, sub.oov.ch, wl2.oov.ch] acme: Obtaining bundled SAN certificate
2016/02/04 04:03:52 [INFO][oov.ch] acme: Could not find solver for: tls-sni-01
2016/02/04 04:03:52 [INFO][oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.oov.ch. Type:TXT TTL:120 Records:["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}{Name:_acme-challenge.oov.ch. Type:TXT TTL:120 Records:["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:03:57 [INFO][sub.oov.ch] acme: Could not find solver for: http-01
2016/02/04 04:03:57 [INFO][sub.oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.sub.oov.ch. Type:TXT TTL:120 Records:["yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}{Name:_acme-challenge.sub.oov.ch. Type:TXT TTL:120 Records:["yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:04:02 [INFO][wl2.oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.wl2.oov.ch. Type:TXT TTL:120 Records:["zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}{Name:_acme-challenge.wl2.oov.ch. Type:TXT TTL:120 Records:["zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:04:07 acme: Error 0 - urn:acme:error:unauthorized - Correct value not found for DNS challenge
Error Detail:
from lego.
And, this is the log that applied my change to your branch.
$ lego --email="[email protected]" --domains="oov.ch" --domains="wl2.oov.ch" --domains="sub.oov.ch" --dns="route53" --exclude="http-01" --exclude="tls-sni-01" renew
2016/02/04 04:14:05 [INFO][oov.ch] acme: Trying renewal with 2158 hours remaining
2016/02/04 04:14:05 [INFO][oov.ch, sub.oov.ch, wl2.oov.ch] acme: Obtaining bundled SAN certificate
2016/02/04 04:14:06 [INFO][oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.oov.ch. Type:TXT TTL:120 Records:["xxxxxx"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:14:42 [INFO][oov.ch] The server validated our request
{Name:_acme-challenge.oov.ch. Type:TXT TTL:120 Records:["xxxxxx"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:15:17 [INFO][sub.oov.ch] acme: Could not find solver for: http-01
2016/02/04 04:15:17 [INFO][sub.oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.sub.oov.ch. Type:TXT TTL:120 Records:["yyyyyy"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:15:52 [INFO][sub.oov.ch] The server validated our request
{Name:_acme-challenge.sub.oov.ch. Type:TXT TTL:120 Records:["yyyyyy"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:16:26 [INFO][wl2.oov.ch] acme: Could not find solver for: tls-sni-01
2016/02/04 04:16:26 [INFO][wl2.oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.wl2.oov.ch. Type:TXT TTL:120 Records:["zzzzzz"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:17:02 [INFO][wl2.oov.ch] The server validated our request
{Name:_acme-challenge.wl2.oov.ch. Type:TXT TTL:120 Records:["zzzzzz"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:17:37 [INFO][oov.ch, sub.oov.ch, wl2.oov.ch] acme: Validations succeeded; requesting certificates
2016/02/04 04:17:38 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
2016/02/04 04:17:38 [INFO][oov.ch] Server responded with a certificate.
from lego.
I tried your branch but it still failed because ChangeResourceRecordSets has not completed yet when the function returns.
But the error message from Let's Encrypt, "Correct value not found for DNS challenge",
indicates that the record was in fact created, just that the value is incorrect. Strange...
from lego.
2016/02/04 04:16:26 [INFO][wl2.oov.ch] acme: Trying to solve DNS-01
2016/02/04 04:17:38 [INFO] acme: Requesting issuer cert from https://acme-
So it really takes more than 1 minute for the DNS record to be created and propagated? That's unexpected. We better use that status check then...
To wrap up:
- The raw string literal patch https://github.com/janeczku/lego/tree/route53-raw-string-literals fixes the issue at hand ("Invalid Resource Record").
- We should query the DNS record status before returning as proposed by @oov. Also see if the other DNS providers provide a similar API to check record health.
/cc @xenolf
from lego.
But the error message from Let's Encrypt, "Correct value not found for DNS challenge", indicates that the record was in fact created, just that the value is incorrect. Strange...
This message is correct because the incorrect value is trash left over from the previous request.
2016/02/04 03:37:01 Error cleaning up oov.ch Request failed, got status code: 400
Sorry to confuse you.
So it really takes more than 1 minute for the DNS record to be created and propagated? That's unexpected. We better use that status check then...
Yes, it is pretty slow.
from lego.
I found a related topic: saltstack/salt#18720 (comment)
from lego.
FWIW, when I was using letsencrypt.sh, I had to add a sleep of about 10 seconds to the DNS challenge hook script before calling back to Let's Encrypt to tell it to check the record. That would support oov's observations.
from lego.
Yeah, I did not expect DNS propagation time to be that substantial with the big cloud providers. We obviously need to check and wait until every single authoritative NS for the domain has been synced with our record before sending off the challenge to Let's Encrypt. Otherwise the challenge validation might fail with NXDOMAIN errors.
With Route53 we just need to wait until the status of our request changes to INSYNC.
INSYNC indicates that the changes have replicated to all Amazon Route 53 DNS servers.
And for the other providers #96 will improve things, though it doesn't (yet) check all available authoritative servers in the NS record.
from lego.
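The two fixes this thread converges on, the literal quotes around the TXT value and polling GetChange until Route 53 reports INSYNC before handing the challenge to Let's Encrypt, as an added example in Go that is not lego's own code: `getChangeFunc` is a hypothetical stand-in for the SDK's GetChange call, `waitForInSync` and `txtRecordValue` are example names, and `fakeRoute53` is a constructed fake so the loop runs offline.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// getChangeFunc stands in for the Route 53 GetChange call (hypothetical shape,
// not the SDK's) and returns the change status, so the loop can run offline.
type getChangeFunc func(changeID string) (string, error)

// waitForInSync polls GetChange until Route 53 reports INSYNC, meaning the
// change has replicated to all of its authoritative name servers. It gives up
// after maxTries polls spaced by interval and returns how many polls were made.
func waitForInSync(getChange getChangeFunc, changeID string, interval time.Duration, maxTries int) (int, error) {
	for tries := 1; tries <= maxTries; tries++ {
		status, err := getChange(changeID)
		if err != nil {
			return tries, err
		}
		switch status {
		case "INSYNC":
			return tries, nil
		case "PENDING":
			time.Sleep(interval) // still propagating; wait before polling again
		default:
			return tries, fmt.Errorf("unexpected change status %q", status)
		}
	}
	return maxTries, fmt.Errorf("change %s still not INSYNC after %d polls", changeID, maxTries)
}

// txtRecordValue adds the literal double quotes Route 53 requires around TXT
// record data; strconv.Quote also escapes any embedded quotes.
func txtRecordValue(value string) string {
	return strconv.Quote(value)
}

// fakeRoute53 is a constructed stand-in for the API: PENDING for the first
// pendingPolls calls, INSYNC afterwards.
func fakeRoute53(pendingPolls int) getChangeFunc {
	calls := 0
	return func(string) (string, error) {
		calls++
		if calls <= pendingPolls {
			return "PENDING", nil
		}
		return "INSYNC", nil
	}
}
```

With the real SDK, wrap the GetChange client call in a `getChangeFunc` that returns `ChangeInfo.Status`, and only after `waitForInSync` returns nil should the ACME challenge be submitted.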
@oov @jimmycuadra I would appreciate if you could give PR #97 a test run and report back. Thanks! 😃
from lego.
#97 worked for me! I had to update my IAM policy to allow route53:GetChange on all change resources. Here is the final version of the policy that was required (this should go in lego's docs for using the AWS DNS challenge):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1454129920000",
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/<INSERT_YOUR_HOSTED_ZONE_ID_HERE>"
      ]
    },
    {
      "Sid": "Stmt1454547904",
      "Effect": "Allow",
      "Action": [
        "route53:GetChange"
      ],
      "Resource": [
        "arn:aws:route53:::change/*"
      ]
    },
    {
      "Sid": "Stmt1454129944000",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
from lego.
this should go in lego's docs for using the AWS DNS challenge
Absolutely. You wanna open a PR for adding this to the docs?
And thanks again for verifying the patch 👍
from lego.
Sure, I'll do the docs once your patch is in.
from lego.