Do wildcard domains and Amazon's Route53 DNS server work? I am running something like:
```sh
/opt/certbot/certbot-auto --server https://acme-v02.api.letsencrypt.org/directory \
  --cert-name mylinuxguy.org \
  -d mylinuxguy.org \
  -d '*.mylinuxguy.org' \
  --manual \
  --preferred-challenges dns-01 \
  --keep-until-expiring \
  --reinstall \
  --update \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --manual-auth-hook "./get_letsencrypt_cert.php dnsauth " \
  --manual-cleanup-hook "./get_letsencrypt_cert.php dnsclean " \
  certonly
```
where "./get_letsencrypt_cert.php dnsauth " updates my route53 stuff with the requested TXT record and
"./get_letsencrypt_cert.php dnsclean " deletes the requested TXT record.
I can run this without the

```sh
--manual-auth-hook "./get_letsencrypt_cert.php dnsauth "
--manual-cleanup-hook "./get_letsencrypt_cert.php dnsclean "
```

options and manually do the TXT records when instructed, but when I let the automation fully kick in I get an error.
It appears that the `--manual-auth-hook "./get_letsencrypt_cert.php dnsauth "` is called 2 times… before the
`--manual-cleanup-hook "./get_letsencrypt_cert.php dnsclean "`, and Amazon's Route53 won't let you have 2 TXT records with the same name.
The 2nd time the add TXT record call fires off, I get:

```text
Error: InvalidChangeBatch: Tried to create resource record set [name='_acme-challenge.mylinuxguy.org.', type='TXT'] but it already exists
status code: 400, request id: d1e535b4-3dd8-11e8-bd57-8d70af6798a7
```
which is true… on GoDaddy DNS servers… you can have two `_acme-challenge.mylinuxguy.org` TXT records… on Route53 you apparently cannot have two records with the same name.
IF the system did a `--manual-auth-hook` followed by a `--manual-cleanup-hook` and then did the 2nd batch of
`--manual-auth-hook` followed by a `--manual-cleanup-hook` I think it would be fine… that's what I do when I run the command without the hooks and manually create and remove the TXT records.
Anyway… is it just me or am I doing something wrong?
I have opened an issue with: [jed/certbot-route53] letsencrypt wildcard domain support (#16) on github.
I think that it’s a certbot issue though.
So before anyone says something like " you need to read the documentation" I really want to know if anyone has gotten it to actually work… not just work in theory?
I can use `certbot-route53.sh` from [jed/certbot-route53] to do so… before anyone gives any 'theory' responses… does certbot with the manual options actually work with *.domain.com and domain.com and AWS Route53 servers?
I can get certbot manual stuff to work with GoDaddy's DNS server, but they allow TXT records with the same name.
Amazon Route53 DNS servers do NOT allow TXT records with the same name.
So WHO has actually gotten certbot, route53 and *.domain.com and domain.com type domains to work?
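One way to make a manual hook Route53-safe, as an added example that is not the poster's PHP hook or certbot's own code: keep every pending validation value in the single `_acme-challenge` TXT record set (UPSERT with all values) and only DELETE the set once the last value is removed, so the second auth-hook call no longer tries to create a record set that already exists. The record name, the existing values and the tokens are constructed; a real hook would read `CERTBOT_DOMAIN`/`CERTBOT_VALIDATION` from the environment, fetch the current values with `ListResourceRecordSets` and submit the batch via `ChangeResourceRecordSets`:

```python
# Added example (not the poster's get_letsencrypt_cert.php, nor certbot's code):
# build Route53 change batches for a dns-01 auth/cleanup hook so that the two
# auth-hook calls (apex + wildcard) share ONE TXT record set instead of trying
# to create a second set with the same name.  `existing_values` stands in for
# what ListResourceRecordSets returned for the name; it is constructed here.
import json


def quote_txt(values):
    """Route53 stores each TXT value wrapped in double quotes."""
    return [{"Value": '"%s"' % v} for v in values]


def change_batch(action, name, values, ttl=60):
    return {"Changes": [{"Action": action,
                         "ResourceRecordSet": {"Name": name, "Type": "TXT", "TTL": ttl,
                                               "ResourceRecords": quote_txt(values)}}]}


def auth_change(name, existing_values, new_value):
    """Auth hook: UPSERT the set with every value still pending plus the new
    one (the CERTBOT_VALIDATION string certbot hands the hook)."""
    values = list(existing_values)
    if new_value not in values:
        values.append(new_value)
    return change_batch("UPSERT", name, values)


def cleanup_change(name, existing_values, old_value):
    """Cleanup hook: drop one value.  A Route53 DELETE must match the current
    set exactly, so only DELETE when nothing would remain; otherwise UPSERT."""
    remaining = [v for v in existing_values if v != old_value]
    if remaining:
        return change_batch("UPSERT", name, remaining)
    return change_batch("DELETE", name, existing_values)


def txt_values(batch):
    """Unquoted values carried by a change batch (for logging and checks)."""
    records = batch["Changes"][0]["ResourceRecordSet"]["ResourceRecords"]
    return [r["Value"].strip('"') for r in records]


if __name__ == "__main__":
    name = "_acme-challenge.mylinuxguy.org."
    # constructed validation strings standing in for certbot's two tokens
    first = auth_change(name, [], "tokenA")              # creates the set
    second = auth_change(name, txt_values(first), "tokenB")  # extends, no 400
    print(json.dumps(second, indent=2))
```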
```text
$ sudo certbot certonly --dns-route53 -d '*.mydomain.cf' -d 'mydomain.cf' --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.cf
dns-01 challenge for mydomain.cf
Starting new HTTPS connection (1): route53.amazonaws.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
```