jed/certbot-route53

letsencrypt wildcard domain support

jacksnodgrass opened this issue · 2 comments

Not sure where the fault lies... I think it's certbot....

This works:
sh ./certbot-route53.sh \
--expand \
--agree-tos \
--manual-public-ip-logging-ok \
--domains www.mylinuxguy.org,mylinuxguy.org \
--cert-name mylinuxguy.org \
--keep-until-expiring \
--reinstall \
--update \
--server "https://acme-v02.api.letsencrypt.org/directory"

and this works:
sh ./certbot-route53.sh \
--expand \
--agree-tos \
--manual-public-ip-logging-ok \
--domains '*.mylinuxguy.org' \
--cert-name mylinuxguy.org \
--keep-until-expiring \
--reinstall \
--update \
--server "https://acme-v02.api.letsencrypt.org/directory"

but this:
sh ./certbot-route53.sh \
--expand \
--agree-tos \
--manual-public-ip-logging-ok \
--domains '*.mylinuxguy.org,mylinuxguy.org' \
--cert-name mylinuxguy.org \
--keep-until-expiring \
--reinstall \
--update \
--server "https://acme-v02.api.letsencrypt.org/directory"

does not.

the log shows:
2018-04-13 09:55:04,653:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-13 09:55:06,353:INFO:certbot.hooks:Output from certbot-route53.sh:
1

2018-04-13 09:55:06,353:ERROR:certbot.hooks:Error output from certbot-route53.sh:

An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.mylinuxguy.org.', type='TXT'] but the values provided do not match the current values

Waiter ResourceRecordSetsChanged failed:

2018-04-13 09:56:08,311:INFO:certbot.hooks:Output from certbot-route53.sh:
1

I think that the wildcard domain stuff uses the same name as the non-wildcard domain... so
*.mylinuxguy.org and mylinuxguy.org use the same name for:
_acme-challenge.mylinuxguy.org
and that causes the AWS Route 53 servers issues.

Just wanted to see if anyone else has tried this and gotten it to work.

  • jack

I can confirm that using

--server "https://acme-v02.api.letsencrypt.org/directory"

does the job at poking the right acme server for initiating the challenge!

I had the same issue. As far as I can tell the problem is when you specify 2 'subdomains' (*.mylinuxguy.org and mylinuxguy.org) the auth hook is invoked twice. That means you need to create 2 TXT records for _acme-challenge.mylinuxguy.org.

However, the script uses the route53 change-resource-record-sets command with an UPSERT (which is correct), but it means the second hook overrides the first.

The way I fixed it is to no-op on the first hook but to write the certbot validation value to a file. Then on the second request I write both values to the TXT record using route53 change-resource-record-sets.

That means your JSON change needs to look something like

      {
        "Changes":[
          {
            "Action":"${ACTION}",
            "ResourceRecordSet":{
              "ResourceRecords":[
                {
                  "Value": "\"$PREVIOUS_CERTBOT_VALIDATION\""
                },
                {
                  "Value": "\"$CERTBOT_VALIDATION\""
                }
              ],
              "Name":"_acme-challenge.${CERTBOT_DOMAIN}.",
              "Type":"TXT",
              "TTL":30
            }
          }
        ]
      }

This works for both the auth-hook and the auth-hook cleanup.
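One way to implement what this comment describes, as an added example that is not the repository's own certbot-route53.sh. It assumes certbot's CERTBOT_DOMAIN and CERTBOT_VALIDATION variables and that the caller exports HOSTED_ZONE_ID and ACTION (UPSERT for the auth hook, DELETE for the cleanup hook); it generalises the comment's approach slightly by re-UPSERTing every value seen so far instead of no-op'ing the first call, and the cleanup DELETE sends exactly the stored values so Route 53's "values provided do not match" error does not occur.

```shell
#!/bin/sh
# Added example, not the repository's certbot-route53.sh: a manual auth/cleanup
# hook that accumulates every validation value for a name, so "*.example.org"
# and "example.org" (which share one _acme-challenge record) both validate.
# Assumes certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION, and that the
# caller exports HOSTED_ZONE_ID and ACTION (UPSERT for auth, DELETE for cleanup).
set -eu

STATE_DIR="${STATE_DIR:-/tmp/acme-txt-state}"

# "*.mylinuxguy.org" and "mylinuxguy.org" map to the same _acme-challenge name.
base_domain() { printf '%s\n' "${1#\*.}"; }

# One ResourceRecords entry per value; TXT values carry their own quotes.
json_values() {
  sep=""
  for v in "$@"; do
    printf '%s{"Value":"\\"%s\\""}' "$sep" "$v"
    sep=","
  done
}

# Change batch carrying every value for the name (the shape shown above).
build_change_batch() {
  action="$1"; domain="$2"; shift 2
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"_acme-challenge.%s.","Type":"TXT","TTL":30,"ResourceRecords":[%s]}}]}' \
    "$action" "$domain" "$(json_values "$@")"
}

apply_change() {  # $1 = change batch JSON; waits until the change is INSYNC
  id=$(aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
         --change-batch "$1" --query ChangeInfo.Id --output text)
  aws route53 wait resource-record-sets-changed --id "$id"
}

hook_main() {
  name=$(base_domain "$CERTBOT_DOMAIN")
  state="$STATE_DIR/$name.txt"
  mkdir -p "$STATE_DIR"
  case "$ACTION" in
    UPSERT)  # remember this value, then UPSERT all values seen so far
      printf '%s\n' "$CERTBOT_VALIDATION" >> "$state"
      set -- $(cat "$state")
      apply_change "$(build_change_batch UPSERT "$name" "$@")" ;;
    DELETE)  # first cleanup deletes with the exact stored values; later ones no-op
      [ -f "$state" ] || exit 0
      set -- $(cat "$state")
      apply_change "$(build_change_batch DELETE "$name" "$@")"
      rm -f "$state" ;;
  esac
}

# Only act when certbot invoked us; sourcing the file for tests does nothing.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then hook_main; fi
```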