
Comments (6)

Alan111S commented on June 23, 2024

The Dev version of the plugin tested fine.

I followed the instructions to install the dev build and ran Import-Module Posh-ACME -Force.
After running the Publish-Challenge command, I checked the Route53 _acme-challenge entry was there and that it was removed after the Unpublish-Challenge command.

from posh-acme.

rmbolger commented on June 23, 2024

Hey @Alan111S, thanks for reaching out. I had no idea IMDSv2 was even a thing but apparently it's been live since late 2019. The initial docs I'm reading make it seem like a fairly painless change to use v2 by default. And if I'm reading things correctly, there should be no cases where only v1 works. So I'll probably just upgrade the code to always use v2.

Until I can get a new release out with the fix, you should also be able to work around the problem by having a 2020 or later version of the AWS.Tools.Route53 module and its dependencies installed along with Posh-ACME. If the plugin finds the official module, it will use that instead of its own raw REST implementation.


Alan111S commented on June 23, 2024

Hi @rmbolger, thanks for your quick update.

I've installed:-

Install-Module -Name AWS.Tools.Route53

I had to add -AllowClobber to get it to install.

I've performed another 'New-PACertificate' with the Instance using IMDSv2 Tokens set to 'Required' and it's working fine using the AWS.Tools.Route53 module.

Do you want me to close this issue or leave it open until an update is published?


rmbolger commented on June 23, 2024

You can leave it open. I'll use it to track the code update. Thanks for verifying the workaround too!


rmbolger commented on June 23, 2024

I just committed a change that should update the plugin to use IMDSv2. Could you try testing it after uninstalling the AWS.Tools.Route53 module? You can either download the raw plugin file and overwrite your local copy or follow the instructions in the readme to install the dev build. Either way, make sure you're either running in a fresh PowerShell instance or forcefully re-import the module by running Import-Module Posh-ACME -Force.

You shouldn't need to go through a whole new cert request process. You can test just the plugin by publishing and unpublishing a fake token value to one of your DNS zones like this:

$pArgs = @{R53UseIAMRole=$true}
Publish-Challenge example.com (Get-PAAccount) faketoken Route53 $pArgs -Verbose
Unpublish-Challenge example.com (Get-PAAccount) faketoken Route53 $pArgs -Verbose


rmbolger commented on June 23, 2024

This is now live in 4.19.0.

from posh-acme.
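
The IMDSv2 flow discussed in this thread, as an added example (not Posh-ACME's own plugin code): request a session token with a PUT, then send it on every metadata GET to read the instance role's temporary credentials. The function names are hypothetical; the endpoint and header names are the ones AWS documents, and the script assumes it runs on an EC2 instance with an IAM role attached.

```powershell
# Added example; function names are hypothetical, not part of Posh-ACME.
$imds = 'http://169.254.169.254/latest'   # link-local IMDS endpoint documented by AWS

function Get-ImdsV2Token {
    param([int]$TtlSeconds = 300)
    # IMDSv2 step 1: PUT for a session token. The TTL header is required (1-21600 seconds).
    $params = @{
        Uri        = "$imds/api/token"
        Method     = 'Put'
        Headers    = @{ 'X-aws-ec2-metadata-token-ttl-seconds' = "$TtlSeconds" }
        TimeoutSec = 5
    }
    Invoke-RestMethod @params
}

function Get-ImdsValue {
    param([string]$Path, [string]$Token)
    # IMDSv2 step 2: every metadata GET carries the session token.
    $headers = @{ 'X-aws-ec2-metadata-token' = $Token }
    Invoke-RestMethod -Uri "$imds/meta-data/$Path" -Headers $headers -TimeoutSec 5
}

function Test-ImdsV1Allowed {
    # A token-less (IMDSv1) GET succeeds only when IMDSv2 tokens are 'Optional'.
    try {
        Invoke-RestMethod -Uri "$imds/meta-data/instance-id" -TimeoutSec 5 | Out-Null
        return $true
    } catch {
        return $false   # 401 when tokens are 'Required'; any other failure is also reported as not allowed
    }
}

$token = Get-ImdsV2Token
# The listing returns the name of the role attached to the instance profile.
$role  = (Get-ImdsValue -Path 'iam/security-credentials/' -Token $token).Trim()
$creds = Get-ImdsValue -Path "iam/security-credentials/$role" -Token $token
# The credential document is JSON; parse it if it came back as raw text.
if ($creds -is [string]) { $creds = $creds | ConvertFrom-Json }

# Report status without printing the key material itself.
[pscustomobject]@{
    Role          = $role
    Expiration    = $creds.Expiration
    ImdsV1Allowed = Test-ImdsV1Allowed
}
```

With IMDSv2 tokens set to 'Required' on the instance, ImdsV1Allowed should come back False while the role and expiration are still returned.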
