
AWS DNS IMDSv2

Open derytim opened this issue 1 year ago • 5 comments

This uses IMDSv2 on EC2 instances, if available. (I don't think you can launch an instance that ONLY supports IMDSv1. If you had an instance running for years, maybe it doesn't support IMDSv2).

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/

Tested this on an EC2 instance using just IMDSv2, using both, and using both (but forcing it to use IMDSv1).

https://github.com/acmesh-official/acme.sh/issues/4960

derytim avatar Jan 31 '24 23:01 derytim
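The token exchange the PR description refers to, as an added example that is not part of acme.sh or of the PR: IMDSv2 first PUTs a session token request to `/latest/api/token` with an `X-aws-ec2-metadata-token-ttl-seconds` header, then presents the token on every metadata GET in `X-aws-ec2-metadata-token`; an instance configured for IMDSv2 only answers token-less GETs with 401. To run offline, the block stands in for the metadata service with a local HTTP server on the loopback interface instead of `169.254.169.254`; the role name, token values and credential JSON it serves are constructed, and the function names are this example's own.

```python
"""Added example (not acme.sh code): the IMDSv2 token exchange, with a local
stand-in for the EC2 metadata endpoint so it runs offline. The real service
lives at http://169.254.169.254; the role name, token and credential JSON
below are constructed for the demonstration."""
import http.client
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
ROLE = "acme-route53-role"  # constructed role name
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x", "Token": "y"}


class FakeIMDS(BaseHTTPRequestHandler):
    """Minimal stand-in for the metadata service. require_token=True mimics
    an instance with HttpTokens=required (IMDSv2 only)."""
    require_token = True
    tokens = set()  # session tokens handed out so far (shared by all handlers)

    def log_message(self, *args):  # keep the server quiet
        pass

    def do_PUT(self):
        if self.path != TOKEN_PATH:
            return self._send(404, "")
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._send(400, "")  # IMDS rejects a missing or invalid TTL
        if self.headers.get("X-Forwarded-For"):
            return self._send(403, "")  # token requests that crossed a proxy are refused
        token = secrets.token_urlsafe(32)
        self.tokens.add(token)
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get("X-aws-ec2-metadata-token")
        if self.require_token and token not in self.tokens:
            return self._send(401, "")  # IMDSv2-only: no valid token, no data
        if self.path == CREDS_PATH:
            return self._send(200, ROLE)
        if self.path == CREDS_PATH + ROLE:
            return self._send(200, json.dumps(FAKE_CREDS))
        self._send(404, "")

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def imds_token(host, port, ttl=21600):
    """IMDSv2 step 1: request a session token. Returns the token, or None when
    the endpoint does not answer 200 (v1-only endpoint, proxy, IMDS disabled)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=2)
        conn.request("PUT", TOKEN_PATH,
                     headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
        resp = conn.getresponse()
        body = resp.read().decode()
        conn.close()
    except OSError:
        return None
    return body if resp.status == 200 else None


def imds_fetch(host, port, path, token=None):
    """IMDSv2 step 2: a metadata GET carrying the token (or a bare IMDSv1 GET
    when token is None). Returns (status, body)."""
    headers = {"X-aws-ec2-metadata-token": token} if token else {}
    conn = http.client.HTTPConnection(host, port, timeout=2)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def role_credentials(host, port, allow_v1_fallback=False):
    """Fetch the instance role's credentials, IMDSv2 first and IMDSv1 only if
    explicitly allowed. Returns the parsed credential dict or None."""
    token = imds_token(host, port)
    if token is None and not allow_v1_fallback:
        return None
    status, role = imds_fetch(host, port, CREDS_PATH, token)
    if status != 200:
        return None
    status, creds = imds_fetch(host, port, CREDS_PATH + role.strip(), token)
    return json.loads(creds) if status == 200 else None


def start_fake_imds(require_token=True):
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    FakeIMDS.require_token = require_token
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_imds(require_token=True)
    print(role_credentials("127.0.0.1", port))        # credentials via IMDSv2
    print(imds_fetch("127.0.0.1", port, CREDS_PATH))  # token-less GET is refused
    srv.shutdown()
```

The `allow_v1_fallback` switch is the decision point a client has to make: falling back silently to IMDSv1 on a 401 would defeat the point of the token, so the default here is to fail closed and only retry without a token when the caller opts in.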

Welcome! Please make sure you've read our DNS API Dev Guide and DNS-API-Test. Then reply on this message, otherwise your code will not be reviewed or merged. We look forward to reviewing your Pull Request shortly ✨ Note: a PR is reviewed only after it has passed the DNS-API-Test. Whether it modifies an existing DNS API or adds a new one, it must pass this test.

github-actions[bot] avatar Jan 31 '24 23:01 github-actions[bot]

I've read the docs. This isn't a new DNS API integration, just an addition to an already-existing integration. EDIT: working out the DNS API testing

derytim avatar Feb 01 '24 00:02 derytim

The OpenBSD tests are failing. Relevant output is:

  [Thu Feb  1 22:48:32 UTC 2024] Found domain api file: /root/.acme.sh/dnsapi/***.sh
  [Thu Feb  1 22:48:32 UTC 2024] Load file /root/.acme.sh/dnsapi/***.sh error. Please check your api file and try again.
  [Thu Feb  1 22:48:32 UTC 2024] _on_issue_err
  [Thu Feb  1 22:48:32 UTC 2024] Please check log file for more details: le_test_dnsapi.log

In one of my re-runs, it looked like it did actually complete:

  [Thu Feb  1 22:48:33 UTC 2024] _ACME_SERVER_HOST='acme-staging-v02.api.letsencrypt.org'
  [Thu Feb  1 22:48:33 UTC 2024] _ACME_SERVER_PATH='directory'
  [Thu Feb  1 22:48:33 UTC 2024] Uninstalling alias from: '/root/.profile'
  [Thu Feb  1 22:48:33 UTC 2024] Uninstalling alias from: '/root/.cshrc'
  [Thu Feb  1 22:48:33 UTC 2024] The keys and certs are in "/root/.acme.sh", you can remove them by yourself.

The tests have passed on Docker, MacOS, Windows, and FreeBSD. Can you point me in a next direction?

derytim avatar Feb 01 '24 23:02 derytim

https://github.com/derytim/acme.sh/actions/runs/7734909136

derytim avatar Feb 10 '24 00:02 derytim

You can get an OpenBSD VM here to debug: https://github.com/vmactions/shell-openbsd

Neilpang avatar Feb 10 '24 12:02 Neilpang

I ran the tests against the bare fork (without my changes), and the OpenBSD automated tests appear to have failed in the same way - output looks like cert was generated, but the test still fails. https://github.com/derytim/acme.sh/actions/runs/7924505475/job/21638722100 I think the test is bad, or something else is broken unrelated to my changes.

derytim avatar Feb 20 '24 18:02 derytim

_use_metadata() is broken on OpenBSD; I don't think many DNS APIs were originally tested at all under OpenBSD (ksh).

j-c-m avatar Mar 09 '24 17:03 j-c-m

https://github.com/j-c-m/acme.sh/commit/e2de58aa8fb14f91aa94b8626916c5a0b6f3f482

That might fix it? I don't have any test environment available for route53/aws.

j-c-m avatar Mar 09 '24 17:03 j-c-m

> j-c-m@e2de58a
>
> That might fix it? I don't have any test environment available for route53/aws.

Thanks @j-c-m , that change did get me past the OpenBSD tests.

It then failed on NetBSD tests :(

Run onInitialized in VM
  exec shell: bash run.sh onInitialized
  /usr/bin/bash
  Config file: netbsd-9.3.conf
Run 'prepare' in VM
  Running prepare: pkg_add curl socat
  
  exec ssh: pkg_add curl socat
  /usr/bin/bash /home/runner/work/_actions/vmactions/netbsd-vm/v1/run.sh execSSHSH
  Config file: netbsd-9.3.conf
  sh: pkg_add: not found
  Error: The process '/usr/bin/bash' failed with exit code 127

derytim avatar Mar 11 '24 23:03 derytim

That looks like an error in the vm setup, from the actions just re-run the failed jobs, should pass.

j-c-m avatar Mar 11 '24 23:03 j-c-m

No dice, same error. Setup can't find pkg_add. It's called in the tests here https://github.com/acmesh-official/acmetest/blob/master/.github/workflows/NetBSD.yml#L47 From the error I'm guessing it isn't at /usr/sbin/pkg_add, but I'm not familiar with BSD so that's just a guess.

derytim avatar Mar 13 '24 17:03 derytim

Rebase your code onto the latest dev branch first.

Neilpang avatar Mar 13 '24 17:03 Neilpang

Yep that’s it, his feature branch is missing b79c3f5

j-c-m avatar Mar 13 '24 18:03 j-c-m

Thanks, that seemed to do it.

derytim avatar Mar 13 '24 21:03 derytim

Do you need to update the usage here? https://github.com/acmesh-official/acme.sh/wiki/dnsapi#10-use-amazon-route53-domain-api

Neilpang avatar Mar 18 '24 20:03 Neilpang

Hi, I upgraded acme.sh and tried rerunning the --renew command, but no luck. I'm getting this error:

[Wed Apr 10 11:27:27 UTC 2024] Response error:<?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidClientTokenId</Code><Message>The security token included in the request is invalid.</Message></Error><RequestId>3e91a42b-8398-4a6b-96e6-f3105b08eb21</RequestId></ErrorResponse>

When I try to get role credentials manually from the metadata service it works, but using acme.sh

pipozzz avatar Apr 10 '24 11:04 pipozzz