
Letsencrypt for Route 53 root domain and wildcard

Open themsaid opened this issue 5 years ago • 8 comments

If I generate a certificate for root domain only or wildcard only it works, but if I generate a certificate for both I get this error.

screen shot 2018-08-29 at 7 38 06 pm

themsaid avatar Aug 29 '18 17:08 themsaid

From your image it's a bit difficult to determine exactly what the cause is.

There are a couple of lexicon providers that need to be changed to support record sets, but all of the Certbot integrated providers should work out of the box. You may need to bring up this issue with Certbot or the ACME client that you use.

Which DNS provider are you attempting to communicate with? And which ACME/letsencrypt client are you using?

AnalogJ avatar Aug 29 '18 17:08 AnalogJ

I'm using Route53 as the DNS provider and dehydrated as the ACME client, here's the hook registered: https://raw.githubusercontent.com/AnalogJ/lexicon/master/examples/dehydrated.default.sh

themsaid avatar Aug 30 '18 07:08 themsaid

A little more info on what we are seeing:

screen shot 2018-08-30 at 12 18 57 pm

The TXT record never seems to be updated from the first challenge value... it just always stays at this value until the script finishes with invalid challenge results...

screen shot 2018-08-30 at 12 16 23 pm

taylorotwell avatar Aug 30 '18 10:08 taylorotwell

The issue seems to be Route 53 doesn't like multiple TXT values with the same domain. I can't even do it manually in the Route 53 web console... even though I can do it in other providers like Cloudflare.

So, that seems to be the problem.

taylorotwell avatar Aug 30 '18 11:08 taylorotwell

This SO issue seems to indicate the values have to all be added at the same time:

https://serverfault.com/questions/616407/tried-to-create-2-record-set-type-txt-in-route53

🤷‍♂️

taylorotwell avatar Aug 30 '18 11:08 taylorotwell

Yeah, currently the Route53 provider does not support record sets, there's an open issue for it: https://github.com/AnalogJ/lexicon/issues/262

I don't use Route53 with lexicon so it's a bit hard for me to test changes. If you'd be willing to open a PR there's an existing record-set test suite that you can use to verify your work.

We tracked some of the providers that have record-set support in https://github.com/AnalogJ/lexicon/pull/190 so you can use those providers as examples if you do end up writing a PR.

AnalogJ avatar Sep 14 '18 07:09 AnalogJ

@AnalogJ Route 53 does support record sets. Take a look below the value field, you will see a note "IPv4 address. Enter multiple addresses on separate lines.". However lexicon doesn't do it the same way.

baochungit avatar Oct 02 '18 07:10 baochungit

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html#TXTFormat Could lexicon support this soon?

baochungit avatar Oct 02 '18 10:10 baochungit
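The behaviour described in this thread, as an added example that is not lexicon's or dehydrated's code: Route 53 keeps every TXT value for one name in a single ResourceRecordSet, so the wildcard challenge has to be UPSERTed together with the root challenge already present at `_acme-challenge.<domain>` rather than created as a second record. The functions below build the ChangeBatch dicts that `boto3`'s `change_resource_record_sets` accepts; the hosted zone id, domain and tokens are constructed placeholders.

```python
# Added example (not lexicon's or dehydrated's code): build Route 53 change
# batches for ACME dns-01 when several challenge values share one TXT name.
# Route 53 stores all TXT values of a name in ONE ResourceRecordSet, so the
# second value must be UPSERTed together with the first. Zone id, domain and
# challenge tokens below are constructed for illustration.
from typing import Optional


def _quote(value: str) -> str:
    """Route 53 requires each TXT value to be wrapped in double quotes."""
    return '"' + value.replace('"', '\\"') + '"'


def _rrset(name: str, values: list, ttl: int) -> dict:
    """Record set for `name` carrying every value in `values`."""
    return {"Name": name if name.endswith(".") else name + ".",
            "Type": "TXT", "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values]}


def add_txt_value(name: str, token: str, existing: Optional[dict],
                  ttl: int = 60) -> dict:
    """ChangeBatch (deploy_challenge): keep the values in `existing`, add `token`.

    `existing` is the TXT ResourceRecordSet for `name` as returned by
    route53.list_resource_record_sets(), or None when there is none yet.
    """
    values = [rr["Value"] for rr in (existing or {}).get("ResourceRecords", [])]
    if _quote(token) not in values:          # idempotent on retries
        values.append(_quote(token))
    return {"Changes": [{"Action": "UPSERT",
                         "ResourceRecordSet": _rrset(name, values, ttl)}]}


def remove_txt_value(name: str, token: str, existing: dict, ttl: int = 60) -> dict:
    """ChangeBatch (clean_challenge): drop one value, DELETE the set when it was the last."""
    values = [rr["Value"] for rr in existing["ResourceRecords"]
              if rr["Value"] != _quote(token)]
    if not values:
        # DELETE must echo the record set exactly as it currently exists.
        return {"Changes": [{"Action": "DELETE", "ResourceRecordSet": existing}]}
    return {"Changes": [{"Action": "UPSERT",
                         "ResourceRecordSet": _rrset(name, values, ttl)}]}


if __name__ == "__main__":
    name = "_acme-challenge.example.com"
    root = add_txt_value(name, "TOKEN-FOR-ROOT", None)           # constructed token
    current = root["Changes"][0]["ResourceRecordSet"]
    both = add_txt_value(name, "TOKEN-FOR-WILDCARD", current)     # constructed token
    print(both["Changes"][0]["ResourceRecordSet"]["ResourceRecords"])
    # Apply with boto3: boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId="ZONE-ID-PLACEHOLDER", ChangeBatch=both)
```

Before calling `add_txt_value`, fetch the current record set with `list_resource_record_sets(StartRecordName=name, StartRecordType="TXT", MaxItems="1")` and pass it as `existing`, otherwise the UPSERT would overwrite the first challenge value, which is exactly the symptom in the screenshots above.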