letsencrypt wildcard domain support
jacksnodgrass opened this issue · 2 comments
Not sure where the fault lies... I think it's certbot....
This works:
sh ./certbot-route53.sh \
  --expand \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains www.mylinuxguy.org,mylinuxguy.org \
  --cert-name mylinuxguy.org \
  --keep-until-expiring \
  --reinstall \
  --update \
  --server "https://acme-v02.api.letsencrypt.org/directory"
and this works:
sh ./certbot-route53.sh \
  --expand \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains '*.mylinuxguy.org' \
  --cert-name mylinuxguy.org \
  --keep-until-expiring \
  --reinstall \
  --update \
  --server "https://acme-v02.api.letsencrypt.org/directory"
but this:
sh ./certbot-route53.sh \
  --expand \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains '*.mylinuxguy.org,mylinuxguy.org' \
  --cert-name mylinuxguy.org \
  --keep-until-expiring \
  --reinstall \
  --update \
  --server "https://acme-v02.api.letsencrypt.org/directory"
does not.
the log shows:
2018-04-13 09:55:04,653:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-13 09:55:06,353:INFO:certbot.hooks:Output from certbot-route53.sh:
1
2018-04-13 09:55:06,353:ERROR:certbot.hooks:Error output from certbot-route53.sh:
An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.mylinuxguy.org.', type='TXT'] but the values provided do not match the current values
Waiter ResourceRecordSetsChanged failed:
2018-04-13 09:56:08,311:INFO:certbot.hooks:Output from certbot-route53.sh:
1
I think that the wildcard domain stuff uses the same name as the non-wildcard domain, so *.mylinuxguy.org and mylinuxguy.org use the same name for:
_acme-challenge.mylinuxguy.org
and that causes the aws route53 servers issues.
Just wanted to see if anyone else has tried this and gotten it to work.
- jack
I can confirm that using
--server "https://acme-v02.api.letsencrypt.org/directory"
does the job at poking the right acme server for initiating the challenge!
I had the same issue. As far as I can tell the problem is when you specify 2 'subdomains' (*.mylinuxguy.org and mylinuxguy.org) the auth hook is invoked twice. That means you need to create 2 TXT records for _acme-challenge.mylinuxguy.org.
However, the script uses the route53 change-resource-record-sets command with an UPSERT (which is correct), but it means the second hook overrides the first.
The way I fixed it is to no-op on the first hook but to write the certbot validation value to a file. Then on the second request I write both values to the TXT record using route53 change-resource-record-sets.
That means your JSON change needs to look something like
{
  "Changes": [
    {
      "Action": "${ACTION}",
      "ResourceRecordSet": {
        "ResourceRecords": [
          {
            "Value": "\"$PREVIOUS_CERTBOT_VALIDATION\""
          },
          {
            "Value": "\"$CERTBOT_VALIDATION\""
          }
        ],
        "Name": "_acme-challenge.${CERTBOT_DOMAIN}.",
        "Type": "TXT",
        "TTL": 30
      }
    }
  ]
}
This works for both the auth-hook and the auth-hook cleanup.
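Added example, not code from this issue or from certbot-route53.sh: a complete manual auth/cleanup hook that implements the approach in the comment above (park each validation value, push them all to _acme-challenge.<domain> in one Route53 change) without hardcoding "two" values. It assumes the aws CLI is on PATH, a HOSTED_ZONE_ID environment variable (the real script looks the zone up; this one does not), a state directory under /tmp, and a certbot that exports CERTBOT_REMAINING_CHALLENGES to both hooks (listed in certbot's manual-plugin docs; verify for your version). ACTION=UPSERT is the auth hook, ACTION=DELETE the cleanup hook, and the DELETE carries the full value set because Route53 only deletes a TXT set whose values match exactly, which is the InvalidChangeBatch error in the log above.

```shell
#!/bin/sh
# route53-acme-hook.sh (added example, not the project's certbot-route53.sh)
#
# certbot calls --manual-auth-hook once per domain.  "*.mylinuxguy.org" and
# "mylinuxguy.org" both validate at _acme-challenge.mylinuxguy.org, and Route53
# treats a record set's ResourceRecords list as a whole: an UPSERT with one
# value throws the other away, and a DELETE whose values do not match exactly
# fails with InvalidChangeBatch.  So this hook parks each value in a state file
# and sends ONE change containing all of them once certbot reports nothing left.
#
# Invoke as:  --manual-auth-hook    "ACTION=UPSERT sh route53-acme-hook.sh"
#             --manual-cleanup-hook "ACTION=DELETE sh route53-acme-hook.sh"
# Assumed inputs: HOSTED_ZONE_ID in the environment, the aws CLI on PATH, and a
# certbot that exports CERTBOT_REMAINING_CHALLENGES to both hooks.
set -eu

ACTION="${ACTION:-UPSERT}"                              # UPSERT (auth) or DELETE (cleanup)
STATE_DIR="${STATE_DIR:-${TMPDIR:-/tmp}/acme-route53}"  # assumed location for parked values
AWS="${AWS:-aws}"                                       # command used for the Route53 calls
TTL=30

# The challenge name; a leading "*." (if certbot passes it) maps to the same name.
challenge_name() {
    case $1 in
        \*.*) printf '_acme-challenge.%s' "${1#??}" ;;
        *)    printf '_acme-challenge.%s' "$1" ;;
    esac
}

# One state file per challenge name, one validation value per line.
state_file() {
    printf '%s/%s.values' "$STATE_DIR" "$1"
}

# Park a value; duplicates are dropped so re-runs and the cleanup pass stay idempotent.
record_value() {   # $1 = challenge name, $2 = validation string
    mkdir -p "$STATE_DIR"
    f=$(state_file "$1")
    touch "$f"
    grep -qxF -- "$2" "$f" || printf '%s\n' "$2" >>"$f"
}

# Build the change batch with EVERY parked value.  Validation strings are
# base64url, so the only escaping needed is the quotes a TXT value requires.
change_batch() {   # $1 = UPSERT|DELETE, $2 = challenge name
    values=$(awk '{ printf "%s{\"Value\":\"\\\"%s\\\"\"}", (NR > 1 ? "," : ""), $0 }' "$(state_file "$2")")
    printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s.","Type":"TXT","TTL":%d,"ResourceRecords":[%s]}}]}' \
        "$1" "$2" "$TTL" "$values"
}

# Entry point.  Records the value and, only when certbot says nothing remains
# (CERTBOT_REMAINING_CHALLENGES=0), pushes the whole set and waits for it to sync.
# With an older certbot that does not export the variable this pushes on every
# call, which costs an extra wait but still ends with every value in the record.
run_hook() {
    name=$(challenge_name "$CERTBOT_DOMAIN")
    record_value "$name" "$CERTBOT_VALIDATION"
    if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -ne 0 ]; then
        return 0
    fi
    change_id=$($AWS route53 change-resource-record-sets \
        --hosted-zone-id "${HOSTED_ZONE_ID:?set HOSTED_ZONE_ID}" \
        --change-batch "$(change_batch "$ACTION" "$name")" \
        --query 'ChangeInfo.Id' --output text)
    $AWS route53 wait resource-record-sets-changed --id "$change_id"
    if [ "$ACTION" = DELETE ]; then
        rm -f "$(state_file "$name")"      # the record is gone; forget its values
    fi
}

# certbot always sets CERTBOT_DOMAIN when it runs the hook; when the file is
# only sourced (for instance to test the functions) nothing below runs.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    run_hook
fi
```

The AWS variable exists so the Route53 calls can be pointed at a stub while testing; in production leave it at the default. Because UPSERT and DELETE both send the complete value list, the cleanup no longer trips the "values provided do not match the current values" check, and the state file is removed only after the DELETE has synced.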