Issue creating Wildcard domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I am following this AWS Lightsail doc to create a new wildcard certificate on my Bitnami Lightsail instance that is running the Apache WordPress stack.

[1] Install a wildcard SSL certificate in Lightsail Bitnami | AWS re:Post

I have created the required credentials, added them to the correct directory, and am running the following command (email is removed):

My domain is: trevorwalsh.art, *.trevorwalsh.art

I ran this command:
sudo /opt/bitnami/letsencrypt/lego --email="user@email.com" --domains="trevorwalsh.art" --domains="*.trevorwalsh.art" --dns lightsail --path="/opt/bitnami/letsencrypt" run

It produced this output:

2023/03/31 15:36:29 [INFO] [trevorwalsh.art, *.trevorwalsh.art] acme: Obtaining bundled SAN certificate
2023/03/31 15:36:30 [INFO] [*.trevorwalsh.art] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/215474929147
2023/03/31 15:36:30 [INFO] [trevorwalsh.art] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/215549285827
2023/03/31 15:36:30 [INFO] [trevorwalsh.art] acme: authorization already valid; skipping challenge
2023/03/31 15:36:30 [INFO] [*.trevorwalsh.art] acme: use dns-01 solver
2023/03/31 15:36:30 [INFO] [*.trevorwalsh.art] acme: Preparing to solve DNS-01
2023/03/31 15:36:30 [INFO] [*.trevorwalsh.art] acme: Cleaning DNS-01 challenge
2023/03/31 15:36:31 [WARN] [*.trevorwalsh.art] acme: cleaning up failed: lightsail: InvalidInputException: These parameters are required: domainName
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "93f1c596-ed93-4b68-9222-5335cebf3d60"
  },
  Code_: "MissingParams",
  Message_: "These parameters are required: domainName"
} 
2023/03/31 15:36:31 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/215474929147
2023/03/31 15:36:31 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/215549285827
2023/03/31 15:36:31 Could not obtain certificates:
	error: one or more domains had a problem:
[*.trevorwalsh.art] [*.trevorwalsh.art] acme: error presenting token: lightsail: InvalidInputException: These parameters are required: domainName
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "2547efe0-4dad-4833-bc03-7ad51e5dc67a"
  },
  Code_: "MissingParams",
  Message_: "These parameters are required: domainName"
}

My web server is (include version):
Server version: Apache/2.4.55 (Unix)
Server built: Feb 20 2023 17:42:52

The operating system my web server runs on is (include version):
WordPress Multisite Certified by Bitnami and Automattic 6.1.1-43

My hosting provider, if applicable, is:
AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know):
I can log in as root user

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I am using Lego

Lego is an ACME client. The question was which version your ACME client was. Certbot was just mentioned as an example.

3 Likes

Here is a list of issued certificates crt.sh | trevorwalsh.art, they were issued for trevorwalsh.art & www.trevorwalsh.art.
How did you obtain them (I am guessing some method with the HTTP-01 challenge)?

1 Like

Thanks for the reply. I am trying to find out how to verify the ACME version as requested.

I initially used the Bitnami 'bncert-tool' to auto configure those certificates for trevorwalsh.art and www.trevorwalsh.art. The command and Bitnami doc link are listed below:-

  • sudo /opt/bitnami/bncert-tool

[1] Auto-Configure A Let's Encrypt Certificate
https://docs.bitnami.com/general/faq/administration/generate-configure-certificate-letsencrypt/

However 'bncert-tool' does not support the creation of wildcard domains so I am now attempting to add one by following this AWS Lightsail doc:-

2 Likes

Have you seen the documentation of the lego ACME client for lightsail DNS:

https://go-acme.github.io/lego/dns/lightsail/

I'm not familiar with Lightsail and the documentation does mention something about "Amazon EC2 IAM role", but it might be necessary to specify AWS credentials as mentioned in the documentation.

4 Likes

Are you sure your DNS provider is Lightsail rather than Route53?

I suppose I could look but you should know :slight_smile: It looks like the credentials for each are specified slightly differently in the lego config.

4 Likes
trevorwalsh.art nameserver = ns-1242.awsdns-27.org
trevorwalsh.art nameserver = ns-1679.awsdns-17.co.uk
trevorwalsh.art nameserver = ns-241.awsdns-30.com
trevorwalsh.art nameserver = ns-751.awsdns-29.net

I'm not familiar with Lightsail's DNS servers.

3 Likes

A couple of links on Lightsail's DNS; for what it is worth.

  1. DNS in Amazon Lightsail | Lightsail Documentation
  2. Creating a DNS zone to manage your domain’s DNS records in Lightsail | Lightsail Documentation
3 Likes

I vaguely recall they use same infrastructure as Route53 but with different API

4 Likes

Hey there and thanks to all who replied. I was offline/offgrid for a bit :slight_smile:

I will reply to everyone here.

Osiris I am checking that doc now as I have not seen that. Thanks for providing it.

MikeMcQ Yep, my trevorwalsh.art 'DNS Zone' is created in Lightsail in my 'Domains & DNS' account. And yes, when I was checking which command to use, I also thought that it would be the lego command with the '--dns route53' parameter. But because I used Lightsail to create the zone, I picked the lego command with the '--dns lightsail' parameter. I have not checked the API but I am pretty sure that the Lightsail DNS Zone is created in the R53 service as a public hosted zone. I have also verified that the name-servers have the same naming format:-

--LightSail DNS Zone--
MBP ~ % dig trevorwalsh.art NS +short
ns-1679.awsdns-17.co.uk.
ns-241.awsdns-30.com.
ns-1242.awsdns-27.org.
ns-751.awsdns-29.net.

--Test R53 Public hosted zone--
MBP ~ % dig trevorwalshtest.art NS @ns-663.awsdns-18.net +short
ns-1049.awsdns-03.org.
ns-1947.awsdns-51.co.uk.
ns-280.awsdns-35.com.
ns-663.awsdns-18.net.

This confirms what rg305 added also. And thanks Bruce5051 for providing those links also.

I am going to check the docs provided and check out that IAM "Amazon EC2 IAM role". But it is the error message that is asking for the 'domainName' parameter to be added which is strange.

Bubs

4 Likes

I don't think there is an issue with IAM permissions. The command error output included the following line:-
2023/03/31 15:36:30 [INFO] [trevorwalsh.art] acme: authorization already valid; skipping challenge

I have also given my IAM user 'AmazonEC2FullAccess' and 'AmazonRoute53FullAccess' managed IAM policies.

Yeah that's for the non-wildcard hostname. Might be just using the http-01 challenge maybe. It's your wildcard hostname requiring the dns-01 challenge that's failing.

With regard to "IAM permissions": absolutely no clue there.

5 Likes

Do you need a wildcard cert?

Because I don't see a wildcard DNS entry. I see your apex and a www. subdomain (just by luck).

You should be able to get a wildcard cert even w/out a wildcard DNS. But, if you only have explicit domain names you just might not need to.

4 Likes

What about these Lightsail policies described in the article you provided

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lightsail:DeleteDomainEntry",
        "lightsail:CreateDomainEntry"
      ],
      "Resource": "<Lightsail DNS zone ARN>"
    }
  ]
}
3 Likes
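The policy quoted above is the minimal grant lego's Lightsail DNS provider needs, and it is easy to paste it with the `<Lightsail DNS zone ARN>` placeholder still in place or with one of the two actions dropped. Here is an added example (not from the thread, the article or the lego project) that lints such a policy document: it confirms both `lightsail:CreateDomainEntry` and `lightsail:DeleteDomainEntry` are allowed and that the resource is a single Lightsail DNS zone ARN rather than a template placeholder or `*`. The ARN shape is taken from the policy posted later in this thread; the assumption that the account id is the usual 12-digit AWS account id and the zone id a UUID is mine, and the sample policies are constructed.

```python
import json
import re

# Actions the lego Lightsail DNS provider needs, as quoted in the thread's policy snippet.
REQUIRED_ACTIONS = {"lightsail:CreateDomainEntry", "lightsail:DeleteDomainEntry"}

# Shape of a Lightsail DNS zone ARN as it appears in the thread.
# Assumption: 12-digit AWS account id, UUID-style zone id.
DOMAIN_ARN_RE = re.compile(
    r"^arn:aws:lightsail:[a-z0-9-]+:\d{12}:Domain/"
    r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$"
)


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_policy(policy_json: str) -> list[str]:
    """Return findings for an IAM policy; an empty list means it looks complete and scoped."""
    findings = []
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be given unwrapped
        statements = [statements]

    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append("resource is '*': scope it to the single DNS zone ARN")
            elif res.startswith("<"):
                findings.append(f"template placeholder was not replaced: {res}")
            elif not DOMAIN_ARN_RE.match(res):
                findings.append(f"resource is not a Lightsail DNS zone ARN: {res}")
        for act in _as_list(stmt.get("Action")):
            if act in ("lightsail:*", "*"):       # broad grants cover both required actions
                granted |= REQUIRED_ACTIONS
            elif act in REQUIRED_ACTIONS:
                granted.add(act)

    for act in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing action: {act}")
    return findings


# Constructed sample policies (account id and zone id are made-up values).
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lightsail:DeleteDomainEntry", "lightsail:CreateDomainEntry"],
        "Resource": "arn:aws:lightsail:us-east-1:123456789012:Domain/cb31ef14-0978-4944-88e0-313df57df8fe",
    }],
})

# The article's template pasted verbatim, placeholder left in place.
TEMPLATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lightsail:DeleteDomainEntry", "lightsail:CreateDomainEntry"],
        "Resource": "<Lightsail DNS zone ARN>",
    }],
})

# One action dropped and the resource left wide open.
PARTIAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "lightsail:DeleteDomainEntry", "Resource": "*"},
})

if __name__ == "__main__":
    for name, doc in [("good", GOOD_POLICY), ("template", TEMPLATE_POLICY), ("partial", PARTIAL_POLICY)]:
        print(name, check_policy(doc) or "OK")
```

Run it on the policy JSON you attached to the IAM user before re-running lego; a clean result rules out the policy as the cause, which is useful when, as here, the API is complaining about a missing request parameter rather than about access.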

Ah ok thanks for that. I think the required: domainName is the key here. I just checked and Lightsail had added support for ACM SSL certs but they are configured with Lightsail load balancers and that is an additional cost I want to avoid :grin:

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/understanding-tls-ssl-certificates-in-lightsail-https

3 Likes

Well yeah, you are correct, it might be overkill TBH but I was just trying to cover all bases at the start. At the moment I will just need a subdomain for an online store (shop.trevorwalsh.art) so I could probably simply create another SSL cert that validates that host-header along with 'www' and possibly a few more. I was just being too techy about it probably.

3 Likes

So I added the following policy to my IAM user for the LightSail service as described in the doc

------------
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lightsail:DeleteDomainEntry",
        "lightsail:CreateDomainEntry"
      ],
      "Resource": "arn:aws:lightsail:us-east-1:1234567890:Domain/cb31ef14-0978-4944-88e0-313df57df8fe"
    }
  ]
}
---------------------------------------------

I ran the command again and I see the same error message unfortunately

---------------------------------------------
bitnami@ip-172-26-12-74:~$ sudo /opt/bitnami/letsencrypt/lego --email="bubblesfwtech@gmail.com" --domains="trevorwalsh.art" --domains="*.trevorwalsh.art" --dns lightsail --path="/opt/bitnami/letsencrypt" run

2023/03/31 22:04:57 [INFO] [trevorwalsh.art, *.trevorwalsh.art] acme: Obtaining bundled SAN certificate
2023/03/31 22:04:58 [INFO] [*.trevorwalsh.art] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/215474929147
2023/03/31 22:04:58 [INFO] [trevorwalsh.art] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/215620594727
2023/03/31 22:04:58 [INFO] [trevorwalsh.art] acme: authorization already valid; skipping challenge
2023/03/31 22:04:58 [INFO] [*.trevorwalsh.art] acme: use dns-01 solver
2023/03/31 22:04:58 [INFO] [*.trevorwalsh.art] acme: Preparing to solve DNS-01
2023/03/31 22:04:59 [INFO] [*.trevorwalsh.art] acme: Cleaning DNS-01 challenge
2023/03/31 22:04:59 [WARN] [*.trevorwalsh.art] acme: cleaning up failed: lightsail: InvalidInputException: These parameters are required: domainName
{
RespMetadata: {
StatusCode: 400,
RequestID: "80791568-1c31-458e-aa7e-a14f2afb2611"
},
Code_: "MissingParams",
Message_: "These parameters are required: domainName"
}
2023/03/31 22:04:59 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/215474929147
2023/03/31 22:04:59 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/215620594727
2023/03/31 22:04:59 Could not obtain certificates:
error: one or more domains had a problem:
[*.trevorwalsh.art] [*.trevorwalsh.art] acme: error presenting token: lightsail: InvalidInputException: These parameters are required: domainName
{
RespMetadata: {
StatusCode: 400,
RequestID: "461b8fd5-0e6b-44d8-b7c5-5271f48d9680"
},
Code_: "MissingParams",
Message_: "These parameters are required: domainName"
}

I think I will just create another SSL cert that validates the root/apex and the subdomains that I will need. I would have liked to get to the bottom of this and I will probably keep checking into it but I do also need to push on with the dev.

Thanks for all contributions and your time. I appreciate all the input and guidance given and I also did learn from this thread which is very valuable indeed.

2 Likes

That looks like an error from the Lightsail API displayed by the lego DNS code line #135 found here:
https://github.com/go-acme/lego/blob/master/providers/dns/lightsail/lightsail.go

I don't know why you'd get the error but asking on lego github might be useful. Or, search the error on google or aws:repost (or even aws docs)

These parameters are required: domainName

and maybe this too (I am not certain which is lego or which is Lightsail format)

InvalidInputException
4 Likes
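When a lego run fails like this, the useful facts are spread over a few lines: which name used which challenge, which phase of the DNS provider call failed (presenting the token versus cleaning up), the provider exception, and the AWS RequestID you would quote when asking lego's maintainers or AWS. Here is an added example (my own, not part of the thread or of lego) that pulls those out of lego's log output; the sample log is constructed from the lines quoted earlier in this thread.

```python
import re

# Constructed sample, copied from the lego output quoted in this thread.
SAMPLE_LOG = """\
2023/03/31 15:36:29 [INFO] [trevorwalsh.art, *.trevorwalsh.art] acme: Obtaining bundled SAN certificate
2023/03/31 15:36:30 [INFO] [*.trevorwalsh.art] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/215474929147
2023/03/31 15:36:30 [INFO] [trevorwalsh.art] acme: authorization already valid; skipping challenge
2023/03/31 15:36:30 [INFO] [*.trevorwalsh.art] acme: use dns-01 solver
2023/03/31 15:36:30 [INFO] [*.trevorwalsh.art] acme: Preparing to solve DNS-01
2023/03/31 15:36:30 [INFO] [*.trevorwalsh.art] acme: Cleaning DNS-01 challenge
2023/03/31 15:36:31 [WARN] [*.trevorwalsh.art] acme: cleaning up failed: lightsail: InvalidInputException: These parameters are required: domainName
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "93f1c596-ed93-4b68-9222-5335cebf3d60"
  },
  Code_: "MissingParams",
  Message_: "These parameters are required: domainName"
}
2023/03/31 15:36:31 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/215474929147
2023/03/31 15:36:31 Could not obtain certificates:
error: one or more domains had a problem:
[*.trevorwalsh.art] [*.trevorwalsh.art] acme: error presenting token: lightsail: InvalidInputException: These parameters are required: domainName
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "2547efe0-4dad-4833-bc03-7ad51e5dc67a"
  },
  Code_: "MissingParams",
  Message_: "These parameters are required: domainName"
}
"""

# "[domain] acme: message" -- search() skips over the "[INFO]" / "[WARN]" bracket
# and over the duplicated "[domain]" in the final error block.
DOMAIN_RE = re.compile(r"\[([^\]]+)\] acme: (.*)$")
# "provider: SomethingException: detail" as lego prints a DNS provider error.
ERR_RE = re.compile(r"(?P<provider>\w+): (?P<exception>\w+Exception): (?P<detail>.*)$")
# RequestID line from the multi-line AWS SDK error dump that follows the message.
REQ_RE = re.compile(r'RequestID: "(?P<id>[0-9a-f-]+)"')


def triage(log: str) -> dict:
    """Map each domain to its challenge, outcome and the provider errors seen for it."""
    domains = {}
    current_error = None   # error awaiting the RequestID printed on a following line
    for line in log.splitlines():
        m = DOMAIN_RE.search(line)
        if not m:
            rid = REQ_RE.search(line)
            if rid and current_error and current_error["request_id"] is None:
                current_error["request_id"] = rid["id"]
            continue
        domain, msg = m.group(1), m.group(2)
        if "," in domain:          # the bundled "[a, b]" SAN line, not a per-domain event
            continue
        entry = domains.setdefault(domain, {"challenge": None, "status": "pending", "errors": []})
        if msg == "authorization already valid; skipping challenge":
            entry["status"] = "valid"
        elif msg.startswith("use ") and msg.endswith(" solver"):
            entry["challenge"] = msg.split()[1]        # "use dns-01 solver" -> "dns-01"
        err = ERR_RE.search(msg)
        if err:
            current_error = {
                "phase": msg[:err.start()].rstrip(": "),   # e.g. "error presenting token"
                "provider": err["provider"],
                "exception": err["exception"],
                "detail": err["detail"],
                "request_id": None,
            }
            entry["errors"].append(current_error)
            entry["status"] = "failed"
    return domains


def failed_domains(summary: dict) -> list[str]:
    """Names that failed, for a quick one-line verdict."""
    return sorted(d for d, e in summary.items() if e["status"] == "failed")


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for domain, entry in result.items():
        print(domain, entry["status"], entry["challenge"])
        for e in entry["errors"]:
            print("   ", e["phase"], e["provider"], e["exception"], e["request_id"])
```

On the thread's output this shows the apex as already valid with no challenge, and the wildcard on dns-01 with two provider errors, both `InvalidInputException` from `lightsail`, one while presenting the token and one during cleanup, each with its own RequestID. Those two ids plus the exception name are what a lego issue or an AWS support case needs.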

So last night I used the bncert-tool to create the new 'shop' subdomain. I thought I would have to delete the existing SSL certs and all the links but I decided to do a test by simply running the tool again to create the root domain along with 'www' and 'shop' subdomains. And lo and behold, the tool added or updated the existing SSL details and all worked with no issues. So I can simply run the tool again if I have the need for another subdomain and the wildcard is not needed for my use-case.

However I still want to contact Lego Github like you advised @MikeMcQ to see if an answer to the issue can be provided to help people in the future.

2 Likes