[SOLVED] Route53 dns challenge can't find hosted zone ID

dkebler · May 8, 2020, 4:09pm

I’m trying to migrate to CaddyV2 and trying to get the route53 dns challenge working.

There are four pieces (caddy2/lego/acme/aws) to this puzzle so asking around to see if I can get some help.

The error I am getting is

[git238.kebler.net] [git238.kebler.net] acme: error presenting token: route53: failed to determine hosted zone ID: zone net. not found for domain _acme-challenge.git238.kebler.net. (challenge=dns-01 remaining=[])

using lego I have supplied the 4 require env vars
https://go-acme.github.io/lego/dns/route53/

My AWS policy is correct per https://certbot-dns-route53.readthedocs.io/en/stable/

but I see https://github.com/containous/traefik/issues/2699#issuecomment-357393000
someone has a more extended list of permissions (that necessary?)

Just hoping if I post this here someone might be able to illuminate. Thx.

_az · May 7, 2020, 10:15pm

Why are you using the IAM policy for certbot-dns-route53? It is significantly different to the one lego asks for.

For example, lego needs route53:ListHostedZonesByName, but Certbot’s IAM policy only includes route53:ListHostedZones.

That could be the reason for your troubles. If you’re only working with a single zone, passing AWS_HOSTED_ZONE_ID might also simpify things.

jsha · May 7, 2020, 10:35pm

@mholt do you have any ideas what’s likely to cause this error?

Thanks,
Jacob

mholt · May 8, 2020, 6:07am

Alas, I was not involved in the development of that package, nor do I use route53, so your guess is as good as mine.

Searching the issues on the go-acme/lego repository, however, this seems similar: https://github.com/go-acme/lego/issues/1008

I would suggest either adding more information to that issue, or digging into the code and debugging to find the problem.

dkebler · May 8, 2020, 2:49pm

Yes I realized this b4 reading your post so used the policy here
https://go-acme.github.io/lego/dns/route53/

Then added AWS_HOSTED_ZONE_ID to env.

although according to docs that is not necessary as it’s supposed to find it based on FQDN and policy which allows that.

That got me the no zone same error but slightly different reason No credential providers Maybe that reason is more illuminating.

[git238.kebler.net] [git238.kebler.net] acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors

I don’t know how to enable the more verbose messaging (from caddy) or I would.
`

dkebler · May 8, 2020, 4:10pm

Well with so many moving pieces it was easy to lay blame. Turns out none were to blame (except sheepishly me)

In my case it turned out that I had bad DNS forwarding out of my network for my FQDN (using dnsmasq). This probably explains why it could not get/confirm the zone ID.

Once fixed all was good. It does take some time to get the cert but it does and work as expected even for subdomains with no public dns record which was the whole point of using the dns challenge instead of the automatic caddy cert grabber.

system · June 7, 2020, 4:09pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.