Certbot does not create CNAME _acme-challenge in route53

Hi everyone, I am creating a certificate for a domain, but the CNAME "_acme-challenge.domain" is not added to my DNS zone on Route 53.

I use this:

certbot certonly -d testing2-certbot.domain.com --dns-route53 --logs-dir /home/ec2-user/letsencrypt/log/ --config-dir /home/ec2-user/letsencrypt/config/ --work-dir /home/ec2-user/letsencrypt/work/ -m [redacted]@live.com.ar --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory

I have installed the python2-certbot-dns-route53.noarch package.

Does certbot support this functionality?

Here is the log:

2022-06-28 20:17:38,528:INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
2022-06-28 20:17:38,530:DEBUG:botocore.loaders:Loading JSON file: /home/ec2-user/.local/lib/python2.7/site-packages/botocore/data/endpoints.json
2022-06-28 20:17:38,596:DEBUG:botocore.hooks:Event choose-service-name: calling handler <function handle_service_name_alias at 0x7f6886390550>
2022-06-28 20:17:38,604:DEBUG:botocore.loaders:Loading JSON file: /home/ec2-user/.local/lib/python2.7/site-packages/botocore/data/route53/2013-04-01/service-2.json
2022-06-28 20:17:38,632:DEBUG:botocore.hooks:Event creating-client-class.route-53: calling handler <function add_generate_presigned_url at 0x7f6886421350>
2022-06-28 20:17:38,632:DEBUG:botocore.regions:Using partition endpoint for route53, us-west-2: aws-global
2022-06-28 20:17:38,634:DEBUG:botocore.endpoint:Setting route53 timeout as (60, 60)
2022-06-28 20:17:38,635:DEBUG:botocore.loaders:Loading JSON file: /home/ec2-user/.local/lib/python2.7/site-packages/botocore/data/_retry.json
2022-06-28 20:17:38,637:DEBUG:botocore.client:Registering retry handlers for service: route53
2022-06-28 20:17:38,638:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-route53
Description: Obtain certificates using a DNS TXT record (if you are using AWS Route53 for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-route53 = certbot_dns_route53._internal.dns_route53:Authenticator
Initialized: <certbot_dns_route53._internal.dns_route53.Authenticator object at 0x7f6887122b90>
Prep: True
2022-06-28 20:17:38,639:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_route53._internal.dns_route53.Authenticator object at 0x7f6887122b90> and installer None
2022-06-28 20:17:38,639:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-route53, Installer None
2022-06-28 20:17:38,642:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/609320336', new_authzr_uri=None, terms_of_service=None), e999f5ca944dca774ef23d379b69e677, Meta(creation_host=u'ip-10-54-130-208.us-west-2.compute.internal', register_to_eff=None, creation_dt=datetime.datetime(2022, 6, 28, 19, 9, 6, tzinfo=)))>
2022-06-28 20:17:38,643:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-06-28 20:17:38,646:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-06-28 20:17:38,807:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-06-28 20:17:38,808:DEBUG:acme.client:Received response:

I'm a little confused about what you're asking.

The ACME protocol uses TXT records, not CNAME. It is possible to CNAME the entry to some other domain, and the validation would then follow the CNAME like any other DNS record. But certbot doesn't support having the automatic TXT record created in a different domain than the one you're trying to validate by using a CNAME, so if that's what you're trying to do then you'll need to use a different client.

The other reason I'm confused is the snippet of the log you've posted looks like it's loading the Route 53 plugin and loading your credentials file fine. What problem are you having? I think you just didn't copy the entire log here. The easiest way to format it is to put three backticks on their own line before and after it:

```
content here
```

10 Likes

I have created a certificate through certbot.

Today they have expired and I had a serious problem, so I need to automate the renewal, but I have found a process that I have not been able to solve.

I use renewal by DNS, but when I run certbot certonly --manual --email email@email --server https://acme-v02.api.letsencrypt.org/directy --agree-tos --manual-public-ip-logging-ok -d *.domain.com

I come across a request for confirmation.

Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for domain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.domain.com with the following value:

Un9yLvUqZwmHExxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

My idea was to use the --dns-route53 option to update the _acme-challenge record, but I think I'm confused.
My English is not so good, sorry.

1 Like

If your DNS is hosted in Route 53, then yes you should be able to automate the whole process by using Certbot and the Route 53 plugin as you're trying to do.

So what problem are you having when you try?

7 Likes

Once the certificate expires, I recreate it by running the following:

certonly --manual --email email@domain.com --server https://acme-v02.api.letsencrypt.org/directy --agree-tos --manual-public-ip-logging-ok -d *.domain.com

When I run the command I see the following; it shows me the new code I should add to the DNS zone, and I do it manually.

Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for domain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.domain.com with the following value:

Un9yLvUqZwmHExxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

Is there a way to automatically create the _acme-challenge.domain.com record?

My problem occurs when using the parameter "--dns-route53": the record _acme-challenge.domain.com is not created in the DNS zone in Route 53. I understand it should be created; maybe I'm wrong.

In case I'm wrong, is there any way to avoid the TXT record step without pressing the Enter key to proceed? (Press Enter to Continue)

1 Like

Yes, you have the right idea with the Route53 plug-in as shown in your first post. It is hard for us to know what might be wrong for a couple reasons. One, you are not showing your domain name. And, two, you did not show the entire log file in your first post.

And, you did not describe what version of certbot you use. But, you could try adding --debug-challenges to the command in your first post. That should pause to allow you to check whether the TXT record (not CNAME record) was created as expected.

If that doesn't help you debug the problem then upload the entire log file using the upload button on the format menu. You can redact your domain name in the log if you must but we can be more helpful if you show the domain name.

If you have not yet, review the docs for the Route53 plug-in:
https://certbot-dns-route53.readthedocs.io/en/stable/

10 Likes

Check you don't have conflicting _acme-challenge records (e.g. make sure you don't have both a CNAME and a TXT record; if you do, delete the CNAME and continue with the TXT record).

It helps a lot if you provide your domain; then nobody has to guess, and your certificate is public anyway.

11 Likes

Hi, good morning, thanks for helping, everyone.
In the main domain we created a certificate for *.kiusys.com; to perform tests I'm using the subdomain called certbot-testing.kiusys.com.

Here is the log letsencrypt.log:

https://pastecode.io/s/av2w8ixf

Thanks for the help!!

2 Likes

Um, that certbot command worked. The log is clean and I see the cert issued. Note the timestamp in the cert is 1H before your runtime on purpose (LE pre-dates an hour to tolerate time diffs better).

What was the problem again? :slight_smile:

9 Likes

I understand that a CNAME record called _acme-challenge.certbot-testing.kiusys.com should be created automatically in Route 53, or am I wrong?

Thanks for your patience; I still don't have a good level of English.

2 Likes

No, Let's Encrypt uses a TXT record to validate the DNS challenge. Your log showed a TXT record being created, the challenge was successful, and the TXT record was removed. Every DNS challenge has a new TXT record and value so it is deleted once it was successful.

And, I showed the link where you can see the cert that was created.

Note that your Route53 DNS still has a TXT record in it for that name. But, it must have been an old request and you can delete this one:

_acme-challenge.certbot-testing.kiusys.com. 300 IN TXT "r2v71ly2st46p6vmpdwn2yl4w0010j01"

9 Likes
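Both the earlier advice to check for conflicting _acme-challenge records (a CNAME and a TXT at the same name) and the stale TXT record noted in the reply above can be checked in one pass over the zone's record sets. The following is an added example, not code from this thread or from certbot: it takes record sets in the shape returned by Route 53's ListResourceRecordSets (a constructed sample here; the names and values are made up) and reports names with both a CNAME and a TXT, and names with only a leftover TXT.

```python
"""Audit Route 53 record sets for _acme-challenge names that interfere with
certbot's dns-route53 plugin: a CNAME and TXT coexisting at one name, or a
TXT record left behind from an earlier validation (certbot deletes its own)."""
from collections import defaultdict

# Constructed sample in the shape of Route 53's ListResourceRecordSets output
# ("ResourceRecordSets" list). Domain names and values are made up.
SAMPLE_RECORD_SETS = [
    {"Name": "example.test.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "_acme-challenge.app.example.test.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "app.acme-delegated.example.test."}]},
    {"Name": "_acme-challenge.app.example.test.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": '"constructedchallengevalue000001"'}]},
    {"Name": "_acme-challenge.old.example.test.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": '"constructedchallengevalue000002"'}]},
    {"Name": "www.example.test.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "192.0.2.10"}]},
]


def audit_acme_challenge_records(record_sets):
    """Return (conflicts, leftovers) as sorted lists of record names.

    conflicts: _acme-challenge names holding both a CNAME and a TXT.
    leftovers: _acme-challenge names holding only a TXT, i.e. a record a
               finished certbot run would have cleaned up."""
    types_by_name = defaultdict(set)
    for rrset in record_sets:
        # Route 53 returns fully qualified names with a trailing dot.
        name = rrset["Name"].rstrip(".").lower()
        if name.startswith("_acme-challenge."):
            types_by_name[name].add(rrset["Type"].upper())
    conflicts = sorted(n for n, t in types_by_name.items() if {"CNAME", "TXT"} <= t)
    leftovers = sorted(n for n, t in types_by_name.items() if t == {"TXT"})
    return conflicts, leftovers


if __name__ == "__main__":
    conflicts, leftovers = audit_acme_challenge_records(SAMPLE_RECORD_SETS)
    for name in conflicts:
        print("CONFLICT (CNAME and TXT at the same name):", name)
    for name in leftovers:
        print("LEFTOVER TXT from an earlier validation:", name)
```

To run it against a real zone, feed it the "ResourceRecordSets" list from `aws route53 list-resource-record-sets --hosted-zone-id <ZONE-ID>` (placeholder) instead of the constructed sample.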
