Hi Team, I am a Solutions Architect at AWS China.
I'm using Lambda and Certbot to automate getting certificates and uploading them to the AWS IAM certificate store in AWS China Region. We made it into a solution and released it: https://www.amazonaws.cn/en/getting-started/tutorials/create-ssl-with-cloudfront/?nc1=h_ls
However, after some customer feedback and testing, we found that there is a chance that the certificate cannot be obtained and errors occur because of slow DNS propagation.
Also, we found that dns-route53-propagation-seconds has been deprecated.
So we may need some good way to be able to ensure that we get a certificate after a successful propagation, or provide something like a dns-route53-propagation-seconds or max-retries command parameter to solve it.
Some code example:

```python
import certbot.main

# Placeholder values (not part of the original snippet): set these for your deployment
CERTBOT_DIR = "/tmp/certbot"
email = "admin@example.com"
domains = "example.com,www.example.com"

certbot_args = [
    '--config-dir', CERTBOT_DIR + "/config",
    '--work-dir', CERTBOT_DIR + "/work",
    '--logs-dir', CERTBOT_DIR + "/logs",
    '--cert-name', "ssl",
    # Obtain a cert but don't install it
    'certonly',
    # Run in non-interactive mode
    '--non-interactive',
    # Agree to the terms of service
    '--agree-tos',
    # Email of domain administrators
    '--email', email,
    # Use dns challenge with dns plugin
    '--dns-route53',
    # '--dns-route53-propagation-seconds', '720',
    '--preferred-challenges', 'dns-01',
    '--issuance-timeout', '900',
    # Use this server instead of default acme-v01
    # '--server', CERTBOT_SERVER,
    # Domains to provision certs for (comma separated)
    '--domains', domains,
    # '--dry-run'
]
cert_code = certbot.main.main(certbot_args)
```
Here is a Certbot log showing the issue (if available):
```
1713517500553,"Detail: During secondary validation: DNS problem: query timed out looking up TXT for _acme-challenge.xxxx.people.a2z.org.cn"
1713517500553,"Detail: During secondary validation: DNS problem: query timed out looking up TXT for _acme-challenge.xxx.people.a2z.org.cn"
1713517500553,"Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-route53. Ensure the above domains have their DNS hosted by AWS Route53."
1713517500554,"[DEBUG] 2024-04-19T09:05:00.554Z 5fc962e8-6c64-4dad-a4de-7e2aabc46111 Encountered exception:"
1713517500554,"Traceback (most recent call last):"
1713517500554,"  File ""/var/task/certbot/_internal/auth_handler.py"", line 108, in handle_authorizations"
1713517500554,"    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)"
1713517500554,"  File ""/var/task/certbot/_internal/auth_handler.py"", line 212, in _poll_authorizations"
1713517500554,"    raise errors.AuthorizationError('Some challenges have failed.')"
1713517500554,"certbot.errors.AuthorizationError: Some challenges have failed."
1713517500554,"[DEBUG] 2024-04-19T09:05:00.554Z 5fc962e8-6c64-4dad-a4de-7e2aabc46111 Calling registered functions"
1713517500554,"[INFO] 2024-04-19T09:05:00.554Z 5fc962e8-6c64-4dad-a4de-7e2aabc46111 Cleaning up challenges"
```
The operating system my web server runs on is (include version):
AWS Lambda /w python certbot==2.10.0 & certbot-dns-route53==2.10.0
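As an added example (not code from this issue or from Certbot), two helpers that cover the two requests above: a propagation check that polls every authoritative nameserver for the TXT value before issuance is attempted (usable when the Lambda writes the record itself, e.g. via `--manual-auth-hook`), and a bounded-retry wrapper around the `certbot.main.main` call. The injected `resolve` callable, the retry-on-exception behaviour and the "retryable" message markers (taken from the log above) are assumptions; since the dns-route53 plugin writes the record internally, the retry wrapper is the part that applies directly to the args shown earlier.

```python
import time
from typing import Callable, Iterable, Sequence

# Exception text that means the CA could not see the TXT record yet (from the
# log above); any other error is treated as fatal and not retried (assumption).
RETRYABLE_MARKERS = ("Some challenges have failed", "DNS problem")


def wait_for_txt(name: str, expected: str, nameservers: Sequence[str],
                 resolve: Callable[[str, str], Iterable[str]],
                 timeout: float = 600.0, interval: float = 10.0,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.monotonic) -> bool:
    """Poll until every authoritative nameserver returns `expected` for TXT `name`.
    `resolve(nameserver, name)` is an injected lookup (e.g. a dnspython query sent
    directly to that server, hypothetical here); it raises on NXDOMAIN or timeout.
    """
    deadline = clock() + timeout
    while True:
        pending = []
        for ns in nameservers:
            try:
                if expected not in set(resolve(ns, name)):
                    pending.append(ns)
            except Exception:  # not answerable yet on this server
                pending.append(ns)
        if not pending:
            return True  # all authoritative servers agree: safe to validate
        if clock() >= deadline:
            return False  # give up; caller decides whether to retry later
        sleep(interval)


def run_certbot_with_retry(certbot_args: Sequence[str], max_retries: int = 3,
                           backoff: float = 60.0, run=None, sleep=time.sleep):
    """Run certbot; retry with linear backoff only on DNS-validation failures."""
    if run is None:
        import certbot.main  # deferred so this module imports without certbot
        run = certbot.main.main
    attempt = 0
    while True:
        try:
            return run(list(certbot_args))
        except Exception as exc:
            attempt += 1
            if attempt > max_retries or not any(m in str(exc) for m in RETRYABLE_MARKERS):
                raise  # retries exhausted, or a non-DNS error: surface it
            sleep(backoff * attempt)  # 60s, 120s, 180s before re-issuing
```

Because Lambda invocations are time-limited, keep `max_retries * backoff` plus the `--issuance-timeout` value under the function timeout.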