
Comments (20)

janeczku commented on May 13, 2024

@jimmycuadra Looks like you built from the master branch. The fix is not in there. Please build from this branch and report back: https://github.com/xenolf/lego/tree/route53-literal-quotes

from lego.

jimmycuadra commented on May 13, 2024

Ah, my mistake! Using that branch:

lego --email="[email protected]" --domains="example.com" --dns="route53" --exclude="http-01" --exclude="tls-sni-01" run
2016/02/02 19:03:28 [INFO][example.com] acme: Obtaining bundled SAN certificate
2016/02/02 19:03:28 [INFO][example.com] acme: Could not find solver for: tls-sni-01
2016/02/02 19:03:28 [INFO][example.com] acme: Could not find solver for: http-01
2016/02/02 19:03:28 [INFO][example.com] acme: Trying to solve DNS-01
2016/02/02 19:03:31 Error cleaning up example.com Request failed, got status code: 400. Response: <?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidChangeBatch</Code><Message>Tried to delete resource record set [name='_acme-challenge.example.com.', type='TXT'] but the values provided do not match the current values</Message></Error><RequestId>f0faa104-ca11-11e5-9e8d-7f32ca71d356</RequestId></ErrorResponse>
2016/02/02 19:03:31 [example.com] Could not obtain certificates
    acme: Error 0 - urn:acme:error:unauthorized - Correct value not found for DNS challenge
Error Detail:

Looks like two problems:

  1. It's using the wrong value when it tries to delete the DNS TXT record (probably the same issue, needs literal quotes)
  2. The value it puts there is not actually correct. No idea why. Let me know what other info I can provide to help debug.

janeczku commented on May 13, 2024

Thanks for the feedback. I think this should be fixed by using raw string literals. Could you build and run from this patch branch: https://github.com/janeczku/lego/tree/route53-raw-string-literals ?
Thanks again and sorry for the trouble!

oov commented on May 13, 2024

Hi @janeczku!
I tried your branch but it still failed because ChangeResourceRecordSets has not completed yet when the function returns.
So we should probably add the following code after ChangeResourceRecordSets.

diff --git a/acme/dns_challenge_route53.go b/acme/dns_challenge_route53.go
index 88c0033..7cd8f16 100644
--- a/acme/dns_challenge_route53.go
+++ b/acme/dns_challenge_route53.go
@@ -62,8 +62,30 @@ func (r *DNSProviderRoute53) changeRecord(action, fqdn, value string, ttl int) e
        update := route53.Change{action, recordSet}
        changes := []route53.Change{update}
        req := route53.ChangeResourceRecordSetsRequest{Comment: "Created by Lego", Changes: changes}
-       _, err = r.client.ChangeResourceRecordSets(hostedZoneID, &req)
-       return err
+       crrsr, err := r.client.ChangeResourceRecordSets(hostedZoneID, &req)
+       if err != nil {
+               return err
+       }
+       if crrsr.ChangeInfo.Status != "PENDING" {
+               return fmt.Errorf("status is not PENDING: %q", crrsr.ChangeInfo.Status)
+       }
+
+       var success bool
+       for tries := 0; tries < 10; tries++ {
+               time.Sleep(10 * time.Second)
+               gcr, err := r.client.GetChange(crrsr.ChangeInfo.ID)
+               if err != nil {
+                       return err
+               }
+               if gcr == "INSYNC" {
+                       success = true
+                       break
+               }
+       }
+       if !success {
+               return fmt.Errorf("could not complete")
+       }
+       return nil
 }
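Review bot: the `if crrsr.ChangeInfo.Status != "PENDING"` check turns the success case into an error: a change that is already INSYNC when ChangeResourceRecordSets returns is rejected here instead of being accepted by the loop below. Drop that check (or accept both PENDING and INSYNC) and let the poll loop decide. Two smaller points in the same hunk: the loop calls `time.Sleep(10 * time.Second)` before the first GetChange, so even an immediately synced change costs ten seconds, and `fmt.Errorf("could not complete")` discards the change ID and the last status seen, which is exactly what an operator needs when a record takes longer than the fixed 100-second budget. Also confirm that `fmt` and `time` are imported in acme/dns_challenge_route53.go; the hunk uses both and the import block is outside the shown context.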

janeczku commented on May 13, 2024

Care to share the log output when you run from my branch? I don't have AWS credentials at hand right now to test myself. @oov

oov commented on May 13, 2024

Ok.

$ lego --email="[email protected]" --domains="oov.ch" --domains="wl2.oov.ch" --domains="sub.oov.ch" --dns="route53" --exclude="http-01" --exclude="tls-sni-01" renew
2016/02/04 03:36:55 [INFO][oov.ch] acme: Trying renewal with 2157 hours remaining
2016/02/04 03:36:55 [INFO][oov.ch, sub.oov.ch, wl2.oov.ch] acme: Obtaining bundled SAN certificate
2016/02/04 03:36:56 [INFO][oov.ch] acme: Trying to solve DNS-01
2016/02/04 03:37:01 Error cleaning up oov.ch Request failed, got status code: 400. Response: <?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidChangeBatch</Code><Message>Tried to delete resource record set [name='_acme-challenge.oov.ch.', type='TXT'] but the values provided do not match the current values</Message></Error><RequestId>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(modified by hand)</RequestId></ErrorResponse> 
2016/02/04 03:37:01 [INFO][sub.oov.ch] acme: Trying to solve DNS-01
2016/02/04 03:37:06 Error cleaning up sub.oov.ch Request failed, got status code: 400. Response: <?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidChangeBatch</Code><Message>Tried to delete resource record set [name='_acme-challenge.sub.oov.ch.', type='TXT'] but the values provided do not match the current values</Message></Error><RequestId>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(modified by hand)</RequestId></ErrorResponse> 
2016/02/04 03:37:06 [INFO][wl2.oov.ch] acme: Could not find solver for: tls-sni-01
2016/02/04 03:37:06 [INFO][wl2.oov.ch] acme: Trying to solve DNS-01
2016/02/04 03:37:11 Error cleaning up wl2.oov.ch Request failed, got status code: 400. Response: <?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidChangeBatch</Code><Message>Tried to delete resource record set [name='_acme-challenge.wl2.oov.ch.', type='TXT'] but the values provided do not match the current values</Message></Error><RequestId>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(modified by hand)</RequestId></ErrorResponse> 
2016/02/04 03:37:11 acme: Error 0 - urn:acme:error:unauthorized - Correct value not found for DNS challenge
Error Detail:

janeczku commented on May 13, 2024

Thanks! Are you sure you were actually building from my patch branch? There should be a log line with the recordSet struct printed out! See: https://github.com/janeczku/lego/blob/8f3d6fd7ec1973ac7da5fe2863b247c04854a3ce/acme/dns_challenge_route53.go#L63

janeczku commented on May 13, 2024

You probably need to copy this file https://github.com/janeczku/lego/blob/route53-raw-string-literals/acme/dns_challenge_route53.go and overwrite the one in $GOPATH/src/ github.com/xenolf/lego/acme. And then build normally.

oov commented on May 13, 2024

Sorry, I was wrong; this is the correct log from your branch.

$ lego --email="[email protected]" --domains="oov.ch" --domains="wl2.oov.ch" --domains="sub.oov.ch" --dns="route53" --exclude="http-01" --exclude="tls-sni-01" renew
2016/02/04 04:03:51 [INFO][oov.ch] acme: Trying renewal with 2158 hours remaining
2016/02/04 04:03:51 [INFO][oov.ch, sub.oov.ch, wl2.oov.ch] acme: Obtaining bundled SAN certificate
2016/02/04 04:03:52 [INFO][oov.ch] acme: Could not find solver for: tls-sni-01
2016/02/04 04:03:52 [INFO][oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.oov.ch. Type:TXT TTL:120 Records:["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}{Name:_acme-challenge.oov.ch. Type:TXT TTL:120 Records:["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:03:57 [INFO][sub.oov.ch] acme: Could not find solver for: http-01
2016/02/04 04:03:57 [INFO][sub.oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.sub.oov.ch. Type:TXT TTL:120 Records:["yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}{Name:_acme-challenge.sub.oov.ch. Type:TXT TTL:120 Records:["yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:04:02 [INFO][wl2.oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.wl2.oov.ch. Type:TXT TTL:120 Records:["zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}{Name:_acme-challenge.wl2.oov.ch. Type:TXT TTL:120 Records:["zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:04:07 acme: Error 0 - urn:acme:error:unauthorized - Correct value not found for DNS challenge
Error Detail:

oov commented on May 13, 2024

And this is the log with my change applied to your branch.

$ lego --email="[email protected]" --domains="oov.ch" --domains="wl2.oov.ch" --domains="sub.oov.ch" --dns="route53" --exclude="http-01" --exclude="tls-sni-01" renew
2016/02/04 04:14:05 [INFO][oov.ch] acme: Trying renewal with 2158 hours remaining
2016/02/04 04:14:05 [INFO][oov.ch, sub.oov.ch, wl2.oov.ch] acme: Obtaining bundled SAN certificate
2016/02/04 04:14:06 [INFO][oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.oov.ch. Type:TXT TTL:120 Records:["xxxxxx"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:14:42 [INFO][oov.ch] The server validated our request
{Name:_acme-challenge.oov.ch. Type:TXT TTL:120 Records:["xxxxxx"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:15:17 [INFO][sub.oov.ch] acme: Could not find solver for: http-01
2016/02/04 04:15:17 [INFO][sub.oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.sub.oov.ch. Type:TXT TTL:120 Records:["yyyyyy"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:15:52 [INFO][sub.oov.ch] The server validated our request
{Name:_acme-challenge.sub.oov.ch. Type:TXT TTL:120 Records:["yyyyyy"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:16:26 [INFO][wl2.oov.ch] acme: Could not find solver for: tls-sni-01
2016/02/04 04:16:26 [INFO][wl2.oov.ch] acme: Trying to solve DNS-01
{Name:_acme-challenge.wl2.oov.ch. Type:TXT TTL:120 Records:["zzzzzz"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:17:02 [INFO][wl2.oov.ch] The server validated our request
{Name:_acme-challenge.wl2.oov.ch. Type:TXT TTL:120 Records:["zzzzzz"] SetIdentifier: Weight:0 HealthCheckId: Region: Failover: AliasTarget:<nil> RecordsXML:}2016/02/04 04:17:37 [INFO][oov.ch, sub.oov.ch, wl2.oov.ch] acme: Validations succeeded; requesting certificates
2016/02/04 04:17:38 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
2016/02/04 04:17:38 [INFO][oov.ch] Server responded with a certificate.

janeczku commented on May 13, 2024

I tried your branch but it still failed because ChangeResourceRecordSets has not completed yet when the function returns.

But the error message from Let's Encrypt Correct value not found for DNS challenge indicates that the record was in fact created, just that the value is incorrect. Strange...

janeczku commented on May 13, 2024
2016/02/04 04:16:26 [INFO][wl2.oov.ch] acme: Trying to solve DNS-01
2016/02/04 04:17:38 [INFO] acme: Requesting issuer cert from https://acme-

So it really takes more than 1 minute for the DNS record to be created and propagated? That's unexpected. We better use that status check then...

To wrap up:

/cc @xenolf

oov commented on May 13, 2024

But the error message from Let's Encrypt Correct value not found for DNS challenge indicates that the record was in fact created, just that the value is incorrect. Strange...

This message is correct because these incorrect values are trash from the previous request.

2016/02/04 03:37:01 Error cleaning up oov.ch Request failed, got status code: 400

Sorry to confuse you.

So it really takes more than 1 minute for the DNS record to be created and propagated? That's unexpected. We better use that status check then...

Yes, it is pretty slow.

oov commented on May 13, 2024

I found a related topic: saltstack/salt#18720 (comment)

jimmycuadra commented on May 13, 2024

FWIW, when I was using letsencrypt.sh, I had to add a sleep of about 10 seconds to the DNS challenge hook script before calling back to Let's Encrypt to tell it to check the record. That would support oov's observations.

janeczku commented on May 13, 2024

Yeah, I did not expect DNS propagation time to be that substantial with the big cloud providers. We obviously need to check and wait until every single authoritative NS for the domain has been synced with our record before sending off the challenge to Let's Encrypt. Otherwise the challenge validation might fail with NXDOMAIN errors.
With Route53 we just need to wait until the status of our request changes to INSYNC.

INSYNC indicates that the changes have replicated to all Amazon Route 53 DNS servers.

And for the other providers #96 will improve things, though it doesn't (yet) check all available authoritative servers in the NS record.

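The wait-for-INSYNC logic discussed in this comment and in the patch earlier in the thread, as an added example in Go that is not lego's own code: it assumes a minimal ChangeStatusGetter interface (constructed here) standing in for the Route53 GetChange call, polls before sleeping so an already-INSYNC change succeeds at once, and bounds the wait with a context deadline instead of a fixed retry count so the error carries the change ID and last status.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// ChangeStatusGetter is an assumed minimal interface over Route53's GetChange
// call; the caller wraps the real client (goamz here, or aws-sdk-go) to satisfy it.
type ChangeStatusGetter interface {
	GetChangeStatus(ctx context.Context, changeID string) (string, error)
}

// WaitForInsync polls a Route53 change until its status is INSYNC or the
// context expires. It polls before sleeping, so a change that is already
// INSYNC succeeds immediately instead of being treated as an error.
func WaitForInsync(ctx context.Context, c ChangeStatusGetter, changeID string, interval time.Duration) error {
	for {
		status, err := c.GetChangeStatus(ctx, changeID)
		if err != nil {
			return fmt.Errorf("route53 GetChange %s: %w", changeID, err)
		}
		switch status {
		case "INSYNC":
			return nil // replicated to all Route 53 name servers
		case "PENDING":
			// still propagating; fall through to the wait below
		default:
			return fmt.Errorf("route53 change %s: unexpected status %q", changeID, status)
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("route53 change %s still %s: %w", changeID, status, ctx.Err())
		case <-time.After(interval):
		}
	}
}

// fakeChanges is a constructed stand-in that returns scripted statuses in order.
type fakeChanges struct{ statuses []string }
func (f *fakeChanges) GetChangeStatus(context.Context, string) (string, error) {
	if len(f.statuses) == 0 {
		return "", fmt.Errorf("no scripted responses left")
	}
	s := f.statuses[0]
	f.statuses = f.statuses[1:]
	return s, nil
}
```

In the real provider the context deadline is where the propagation budget belongs; the ten-second poll interval from the thread is then just a hint for how often to ask Route53.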

janeczku commented on May 13, 2024

@oov @jimmycuadra I would appreciate if you could give PR #97 a test run and report back. Thanks! 😃

jimmycuadra commented on May 13, 2024

#97 worked for me! I had to update my IAM policy to allow route53:GetChange on all change resources. Here is the final version of the policy that was required (this should go in lego's docs for using the AWS DNS challenge):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1454129920000",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/<INSERT_YOUR_HOSTED_ZONE_ID_HERE>"
            ]
        },
        {
            "Sid": "Stmt1454547904",
            "Effect": "Allow",
            "Action": [
                "route53:GetChange"
            ],
            "Resource": [
                "arn:aws:route53:::change/*"
            ]
        },
        {
            "Sid": "Stmt1454129944000",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

janeczku commented on May 13, 2024

this should go in lego's docs for using the AWS DNS challenge

Absolutely. You wanna open a PR for adding this to the docs?

And thanks again for verifying the patch 👍

jimmycuadra commented on May 13, 2024

Sure, I'll do the docs once your patch is in.
