acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

dns_aws.sh issue with wildcard subdomain (e.g. test.mydomain.com) when you have two/separated hostedzone records #1823

Open xentie opened 6 years ago

xentie commented 6 years ago

Steps to reproduce

Route53 Info: mydomain.com and test.mydomain.com are separate Hosted Zones. The issue is that whenever I run the below-mentioned command, the script adds TXT entries to the mydomain.com hosted zone and not to the test.mydomain.com hosted zone.

acme.sh --issue --dns dns_aws -d "test.mydomain.com" -d "*.test.mydomain.com" --test --log

Note: actual domains replaced with test.mydomain.com and *.test.mydomain.com; actual AWS Access Key ID replaced with AWS_ACCESS_KEY_ID.

You can see at the 02:52:44-45, 02:55:03 and 02:55:13 timestamps that it is reading/writing to the wrong hosted zone and the domain is wrong. It should be:

/hostedzone/test.mydomain.com. instead of /hostedzone/mydomain.com.

```
[Mon Sep 3 02:52:44 AEST 2018] hostedzone='/hostedzone/mydomain.com.D43CFBBA-BB31-12E0-BE4B-F2735C5C3B74false49'
[Mon Sep 3 02:52:45 AEST 2018] _domain_id='/hostedzone/'
[Mon Sep 3 02:52:45 AEST 2018] _sub_domain='_acme-challenge.staging'
[Mon Sep 3 02:52:45 AEST 2018] _domain='mydomain.com'
```

Debug log
-----------------

```
cat acme.sh.log
[Mon Sep 3 02:52:18 AEST 2018] _main_domain='test.mydomain.com'
[Mon Sep 3 02:52:18 AEST 2018] _alt_domains='*.test.mydomain.com'
[Mon Sep 3 02:52:18 AEST 2018] Using config home:/root/.acme.sh
[Mon Sep 3 02:52:18 AEST 2018] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Sep 3 02:52:18 AEST 2018] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
[Mon Sep 3 02:52:18 AEST 2018] DOMAIN_PATH='/root/.acme.sh/test.mydomain.com'
[Mon Sep 3 02:52:18 AEST 2018] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Sep 3 02:52:18 AEST 2018] _init api for server: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Sep 3 02:52:18 AEST 2018] GET
[Mon Sep 3 02:52:18 AEST 2018] url='https://acme-staging-v02.api.letsencrypt.org/directory'
[Mon Sep 3 02:52:18 AEST 2018] timeout=
[Mon Sep 3 02:52:19 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.P8Cn5EuAQs -g '
[Mon Sep 3 02:52:20 AEST 2018] ret='0'
[Mon Sep 3 02:52:20 AEST 2018] ACME_KEY_CHANGE='https://acme-staging-v02.api.letsencrypt.org/acme/key-change'
[Mon Sep 3 02:52:20 AEST 2018] ACME_NEW_AUTHZ
[Mon Sep 3 02:52:20 AEST 2018] ACME_NEW_ORDER='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Mon Sep 3 02:52:20 AEST 2018] ACME_NEW_ACCOUNT='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct'
[Mon Sep 3 02:52:20 AEST 2018] ACME_REVOKE_CERT='https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert'
[Mon Sep 3 02:52:20 AEST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Mon Sep 3 02:52:20 AEST 2018] ACME_NEW_NONCE='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Sep 3 02:52:21 AEST 2018] ACME_VERSION='2'
[Mon Sep 3 02:52:21 AEST 2018] Le_NextRenewTime
[Mon Sep 3 02:52:21 AEST 2018] _on_before_issue
[Mon Sep 3 02:52:21 AEST 2018] _chk_main_domain='test.mydomain.com'
[Mon Sep 3 02:52:21 AEST 2018] _chk_alt_domains='*.test.mydomain.com'
[Mon Sep 3 02:52:22 AEST 2018] Le_LocalAddress
[Mon Sep 3 02:52:22 AEST 2018] d='test.mydomain.com'
[Mon Sep 3 02:52:22 AEST 2018] Check for domain='test.mydomain.com'
[Mon Sep 3 02:52:22 AEST 2018] _currentRoot='dns_aws'
[Mon Sep 3 02:52:22 AEST 2018] d='*.test.mydomain.com'
[Mon Sep 3 02:52:22 AEST 2018] Check for domain='*.test.mydomain.com'
[Mon Sep 3 02:52:22 AEST 2018] _currentRoot='dns_aws'
[Mon Sep 3 02:52:22 AEST 2018] d
[Mon Sep 3 02:52:22 AEST 2018] _saved_account_key_hash is not changed, skip register account.
[Mon Sep 3 02:52:23 AEST 2018] Read key length:
[Mon Sep 3 02:52:23 AEST 2018] _createcsr
[Mon Sep 3 02:52:23 AEST 2018] Multi domain='DNS:test.mydomain.com,DNS:*.test.mydomain.com'
[Mon Sep 3 02:52:23 AEST 2018] Getting domain auth token for each domain
[Mon Sep 3 02:52:23 AEST 2018] d='*.test.mydomain.com'
[Mon Sep 3 02:52:23 AEST 2018] d
[Mon Sep 3 02:52:23 AEST 2018] url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Mon Sep 3 02:52:23 AEST 2018] payload='{"identifiers": [{"type":"dns","value":"test.mydomain.com"},{"type":"dns","value":"*.test.mydomain.com"}]}'
[Mon Sep 3 02:52:23 AEST 2018] RSA key
[Mon Sep 3 02:52:24 AEST 2018] HEAD
[Mon Sep 3 02:52:24 AEST 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Sep 3 02:52:24 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:52:24 AEST 2018] _ret='0'
[Mon Sep 3 02:52:25 AEST 2018] POST
[Mon Sep 3 02:52:25 AEST 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Mon Sep 3 02:52:25 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:52:26 AEST 2018] _ret='0'
[Mon Sep 3 02:52:26 AEST 2018] code='201'
[Mon Sep 3 02:52:26 AEST 2018] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/6853347/7030284'
[Mon Sep 3 02:52:26 AEST 2018] GET
[Mon Sep 3 02:52:26 AEST 2018] url='https://acme-staging-v02.api.letsencrypt.org/acme/authz/PC65EPrco8u2EJtsKDf0Ey6XMY_glNktoub-MQWJeQ0'
[Mon Sep 3 02:52:26 AEST 2018] timeout=
[Mon Sep 3 02:52:27 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:52:27 AEST 2018] ret='0'
[Mon Sep 3 02:52:27 AEST 2018] GET
[Mon Sep 3 02:52:27 AEST 2018] url='https://acme-staging-v02.api.letsencrypt.org/acme/authz/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk'
[Mon Sep 3 02:52:27 AEST 2018] timeout=
[Mon Sep 3 02:52:28 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:52:28 AEST 2018] ret='0'
[Mon Sep 3 02:52:28 AEST 2018] d='test.mydomain.com'
[Mon Sep 3 02:52:28 AEST 2018] Getting webroot for domain='test.mydomain.com'
[Mon Sep 3 02:52:28 AEST 2018] _w='dns_aws'
[Mon Sep 3 02:52:28 AEST 2018] _currentRoot='dns_aws'
[Mon Sep 3 02:52:29 AEST 2018] entry='"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/challenge/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk/166832158","token":"4j9tXqUmiKzn1S2UhlXW6BLuqK7YXBkhX7XaRxOERR8"'
[Mon Sep 3 02:52:29 AEST 2018] token='4j9tXqUmiKzn1S2UhlXW6BLuqK7YXBkhX7XaRxOERR8'
[Mon Sep 3 02:52:29 AEST 2018] uri='https://acme-staging-v02.api.letsencrypt.org/acme/challenge/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk/166832158'
[Mon Sep 3 02:52:29 AEST 2018] keyauthorization='4j9tXqUmiKzn1S2UhlXW6BLuqK7YXBkhX7XaRxOERR8.UTqX84DT_nCV36GKZYmNO3W1uQJZdmH75QG9HJY_sW0'
[Mon Sep 3 02:52:29 AEST 2018] dvlist='test.mydomain.com#4j9tXqUmiKzn1S2UhlXW6BLuqK7YXBkhX7XaRxOERR8.UTqX84DT_nCV36GKZYmNO3W1uQJZdmH75QG9HJY_sW0#https://acme-staging-v02.api.letsencrypt.org/acme/challenge/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk/166832158#dns-01#dns_aws'
[Mon Sep 3 02:52:29 AEST 2018] d='*.test.mydomain.com'
[Mon Sep 3 02:52:29 AEST 2018] Getting webroot for domain='*.test.mydomain.com'
[Mon Sep 3 02:52:29 AEST 2018] _w='dns_aws'
[Mon Sep 3 02:52:29 AEST 2018] _currentRoot='dns_aws'
[Mon Sep 3 02:52:30 AEST 2018] entry='"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/challenge/PC65EPrco8u2EJtsKDf0Ey6XMY_glNktoub-MQWJeQ0/166832155","token":"dd-7A2CaVpzTMstXkNy6UycBe5UfbqOKj70xLAuOWNU"'
[Mon Sep 3 02:52:30 AEST 2018] token='dd-7A2CaVpzTMstXkNy6UycBe5UfbqOKj70xLAuOWNU'
[Mon Sep 3 02:52:30 AEST 2018] uri='https://acme-staging-v02.api.letsencrypt.org/acme/challenge/PC65EPrco8u2EJtsKDf0Ey6XMY_glNktoub-MQWJeQ0/166832155'
[Mon Sep 3 02:52:30 AEST 2018] keyauthorization='dd-7A2CaVpzTMstXkNy6UycBe5UfbqOKj70xLAuOWNU.UTqX84DT_nCV36GKZYmNO3W1uQJZdmH75QG9HJY_sW0'
[Mon Sep 3 02:52:30 AEST 2018] dvlist='*.test.mydomain.com#dd-7A2CaVpzTMstXkNy6UycBe5UfbqOKj70xLAuOWNU.UTqX84DT_nCV36GKZYmNO3W1uQJZdmH75QG9HJY_sW0#https://acme-staging-v02.api.letsencrypt.org/acme/challenge/PC65EPrco8u2EJtsKDf0Ey6XMY_glNktoub-MQWJeQ0/166832155#dns-01#dns_aws'
[Mon Sep 3 02:52:30 AEST 2018] d
[Mon Sep 3 02:52:30 AEST 2018] vlist='test.mydomain.com#4j9tXqUmiKzn1S2UhlXW6BLuqK7YXBkhX7XaRxOERR8.UTqX84DT_nCV36GKZYmNO3W1uQJZdmH75QG9HJY_sW0#https://acme-staging-v02.api.letsencrypt.org/acme/challenge/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk/166832158#dns-01#dns_aws,*.test.mydomain.com#dd-7A2CaVpzTMstXkNy6UycBe5UfbqOKj70xLAuOWNU.UTqX84DT_nCV36GKZYmNO3W1uQJZdmH75QG9HJY_sW0#https://acme-staging-v02.api.letsencrypt.org/acme/challenge/PC65EPrco8u2EJtsKDf0Ey6XMY_glNktoub-MQWJeQ0/166832155#dns-01#dns_aws,'
[Mon Sep 3 02:52:30 AEST 2018] d='test.mydomain.com'
[Mon Sep 3 02:52:30 AEST 2018] _d_alias
[Mon Sep 3 02:52:31 AEST 2018] txtdomain='_acme-challenge.test.mydomain.com'
[Mon Sep 3 02:52:31 AEST 2018] txt='XcqtjP1_Gvuwb8Y24uIs3CaQ9NsYxikBzYMdNq6slRg'
[Mon Sep 3 02:52:31 AEST 2018] d_api='/root/.acme.sh/dnsapi/dns_aws.sh'
[Mon Sep 3 02:52:31 AEST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_aws.sh
[Mon Sep 3 02:52:31 AEST 2018] First detect the root zone
[Mon Sep 3 02:52:31 AEST 2018] mtd='GET'
[Mon Sep 3 02:52:31 AEST 2018] ep='2013-04-01/hostedzone'
[Mon Sep 3 02:52:31 AEST 2018] qsr
[Mon Sep 3 02:52:31 AEST 2018] data
[Mon Sep 3 02:52:32 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=e2b6808cf57fa1f0cef1678fb731ad7fb089e35bfe413c6bc95aa5e77e0396fd'
[Mon Sep 3 02:52:32 AEST 2018] GET
[Mon Sep 3 02:52:32 AEST 2018] url='https://route53.amazonaws.com/2013-04-01/hostedzone'
[Mon Sep 3 02:52:32 AEST 2018] timeout=
[Mon Sep 3 02:52:32 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:52:34 AEST 2018] ret='0'
[Mon Sep 3 02:52:34 AEST 2018] hostedzone='/hostedzone/mydomain.com.D43CFBBA-BB31-12E0-BE4B-F2735C5C3B74false48'
[Mon Sep 3 02:52:35 AEST 2018] _domain_id='/hostedzone/'
[Mon Sep 3 02:52:35 AEST 2018] _sub_domain='_acme-challenge.staging'
[Mon Sep 3 02:52:35 AEST 2018] _domain='mydomain.com'
[Mon Sep 3 02:52:35 AEST 2018] Geting existing records for _acme-challenge.test.mydomain.com
[Mon Sep 3 02:52:35 AEST 2018] mtd='GET'
[Mon Sep 3 02:52:35 AEST 2018] ep='2013-04-01/hostedzone//rrset'
[Mon Sep 3 02:52:35 AEST 2018] qsr='name=_acme-challenge.test.mydomain.com&type=TXT'
[Mon Sep 3 02:52:35 AEST 2018] data
[Mon Sep 3 02:52:36 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=efab937ce931cb17cee58adb15c5f5237acb7f633d50be20ed54ea549cb76a55'
[Mon Sep 3 02:52:36 AEST 2018] GET
[Mon Sep 3 02:52:36 AEST 2018] url='https://route53.amazonaws.com/2013-04-01/hostedzone//rrset?name=_acme-challenge.test.mydomain.com&type=TXT'
[Mon Sep 3 02:52:36 AEST 2018] timeout=
[Mon Sep 3 02:52:36 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:52:37 AEST 2018] ret='0'
[Mon Sep 3 02:52:37 AEST 2018] single new add
[Mon Sep 3 02:52:37 AEST 2018] Adding records
[Mon Sep 3 02:52:37 AEST 2018] mtd='POST'
[Mon Sep 3 02:52:37 AEST 2018] ep='2013-04-01/hostedzone//rrset/'
[Mon Sep 3 02:52:37 AEST 2018] qsr
[Mon Sep 3 02:52:37 AEST 2018] data='UPSERT_acme-challenge.test.mydomain.comTXT300"XcqtjP1_Gvuwb8Y24uIs3CaQ9NsYxikBzYMdNq6slRg"'
[Mon Sep 3 02:52:38 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=a2b8c69bc309437d503204ee1dc2423404b49ab53cbdce75b7980d621fdc2e20'
[Mon Sep 3 02:52:38 AEST 2018] POST
[Mon Sep 3 02:52:38 AEST 2018] _post_url='https://route53.amazonaws.com/2013-04-01/hostedzone//rrset/'
[Mon Sep 3 02:52:39 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:52:40 AEST 2018] _ret='0'
[Mon Sep 3 02:52:40 AEST 2018] TXT record updated successfully.
[Mon Sep 3 02:52:40 AEST 2018] d='*.test.mydomain.com'
[Mon Sep 3 02:52:40 AEST 2018] _d_alias
[Mon Sep 3 02:52:40 AEST 2018] txtdomain='_acme-challenge.test.mydomain.com'
[Mon Sep 3 02:52:40 AEST 2018] txt='hgdXb20mKbNWeQpfJ-OhU_Ef_h5gbEng5-HAUntGn5g'
[Mon Sep 3 02:52:40 AEST 2018] d_api='/root/.acme.sh/dnsapi/dns_aws.sh'
[Mon Sep 3 02:52:41 AEST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_aws.sh
[Mon Sep 3 02:52:41 AEST 2018] First detect the root zone
[Mon Sep 3 02:52:41 AEST 2018] mtd='GET'
[Mon Sep 3 02:52:41 AEST 2018] ep='2013-04-01/hostedzone'
[Mon Sep 3 02:52:41 AEST 2018] qsr
[Mon Sep 3 02:52:41 AEST 2018] data
[Mon Sep 3 02:52:42 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=102101641a29493eba206acca0678eaa2f0987a4bc9dd818c1402ae9eece7168'
[Mon Sep 3 02:52:42 AEST 2018] GET
[Mon Sep 3 02:52:42 AEST 2018] url='https://route53.amazonaws.com/2013-04-01/hostedzone'
[Mon Sep 3 02:52:42 AEST 2018] timeout=
[Mon Sep 3 02:52:43 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:52:44 AEST 2018] ret='0'
[Mon Sep 3 02:52:44 AEST 2018] hostedzone='/hostedzone/mydomain.com.D43CFBBA-BB31-12E0-BE4B-F2735C5C3B74false49'
[Mon Sep 3 02:52:45 AEST 2018] _domain_id='/hostedzone/'
[Mon Sep 3 02:52:45 AEST 2018] _sub_domain='_acme-challenge.staging'
[Mon Sep 3 02:52:45 AEST 2018] _domain='mydomain.com'
[Mon Sep 3 02:52:45 AEST 2018] Geting existing records for _acme-challenge.test.mydomain.com
[Mon Sep 3 02:52:45 AEST 2018] mtd='GET'
[Mon Sep 3 02:52:45 AEST 2018] ep='2013-04-01/hostedzone//rrset'
[Mon Sep 3 02:52:45 AEST 2018] qsr='name=_acme-challenge.test.mydomain.com&type=TXT'
[Mon Sep 3 02:52:45 AEST 2018] data
[Mon Sep 3 02:52:45 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=2831b22e4632404ecbe384b7af551f06caf52b5b4632eb4381cf566f2a9ce765'
[Mon Sep 3 02:52:46 AEST 2018] GET
[Mon Sep 3 02:52:46 AEST 2018] url='https://route53.amazonaws.com/2013-04-01/hostedzone//rrset?name=_acme-challenge.test.mydomain.com&type=TXT'
[Mon Sep 3 02:52:46 AEST 2018] timeout=
[Mon Sep 3 02:52:46 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:52:47 AEST 2018] ret='0'
[Mon Sep 3 02:52:47 AEST 2018] _resource_record='"XcqtjP1_Gvuwb8Y24uIs3CaQ9NsYxikBzYMdNq6slRg"'
[Mon Sep 3 02:52:47 AEST 2018] Adding records
[Mon Sep 3 02:52:47 AEST 2018] mtd='POST'
[Mon Sep 3 02:52:47 AEST 2018] ep='2013-04-01/hostedzone//rrset/'
[Mon Sep 3 02:52:47 AEST 2018] qsr
[Mon Sep 3 02:52:47 AEST 2018] data='UPSERT_acme-challenge.test.mydomain.comTXT300"XcqtjP1_Gvuwb8Y24uIs3CaQ9NsYxikBzYMdNq6slRg""hgdXb20mKbNWeQpfJ-OhU_Ef_h5gbEng5-HAUntGn5g"'
[Mon Sep 3 02:52:49 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=fe5e100f75a51e6d762a0b39c9de47377c300bb5db160c778f6e5c1e8cbb555e'
[Mon Sep 3 02:52:49 AEST 2018] POST
[Mon Sep 3 02:52:49 AEST 2018] _post_url='https://route53.amazonaws.com/2013-04-01/hostedzone//rrset/'
[Mon Sep 3 02:52:49 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:52:50 AEST 2018] _ret='0'
[Mon Sep 3 02:52:50 AEST 2018] TXT record updated successfully.
[Mon Sep 3 02:52:50 AEST 2018] Sleep 120 seconds for the txt records to take effect
[Mon Sep 3 02:54:55 AEST 2018] ok, let's start to verify
[Mon Sep 3 02:54:55 AEST 2018] Verifying:test.mydomain.com
[Mon Sep 3 02:54:55 AEST 2018] d='test.mydomain.com'
[Mon Sep 3 02:54:55 AEST 2018] keyauthorization='4j9tXqUmiKzn1S2UhlXW6BLuqK7YXBkhX7XaRxOERR8.UTqX84DT_nCV36GKZYmNO3W1uQJZdmH75QG9HJY_sW0'
[Mon Sep 3 02:54:55 AEST 2018] uri='https://acme-staging-v02.api.letsencrypt.org/acme/challenge/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk/166832158'
[Mon Sep 3 02:54:55 AEST 2018] _currentRoot='dns_aws'
[Mon Sep 3 02:54:55 AEST 2018] url='https://acme-staging-v02.api.letsencrypt.org/acme/challenge/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk/166832158'
[Mon Sep 3 02:54:55 AEST 2018] payload='{"keyAuthorization": "4j9tXqUmiKzn1S2UhlXW6BLuqK7YXBkhX7XaRxOERR8.UTqX84DT_nCV36GKZYmNO3W1uQJZdmH75QG9HJY_sW0"}'
[Mon Sep 3 02:54:56 AEST 2018] POST
[Mon Sep 3 02:54:56 AEST 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/challenge/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk/166832158'
[Mon Sep 3 02:54:56 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:54:56 AEST 2018] _ret='0'
[Mon Sep 3 02:54:56 AEST 2018] code='200'
[Mon Sep 3 02:54:56 AEST 2018] trigger validation code: 200
[Mon Sep 3 02:54:57 AEST 2018] sleep 2 secs to verify
[Mon Sep 3 02:54:59 AEST 2018] checking
[Mon Sep 3 02:54:59 AEST 2018] GET
[Mon Sep 3 02:54:59 AEST 2018] url='https://acme-staging-v02.api.letsencrypt.org/acme/challenge/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk/166832158'
[Mon Sep 3 02:54:59 AEST 2018] timeout=
[Mon Sep 3 02:54:59 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:54:59 AEST 2018] ret='0'
[Mon Sep 3 02:54:59 AEST 2018] test.mydomain.com:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.test.mydomain.com
[Mon Sep 3 02:54:59 AEST 2018] Skip for removelevel:
[Mon Sep 3 02:54:59 AEST 2018] pid
[Mon Sep 3 02:54:59 AEST 2018] No need to restore nginx, skip.
[Mon Sep 3 02:54:59 AEST 2018] _clearupdns
[Mon Sep 3 02:54:59 AEST 2018] Removing DNS records.
[Mon Sep 3 02:55:00 AEST 2018] txt='XcqtjP1_Gvuwb8Y24uIs3CaQ9NsYxikBzYMdNq6slRg'
[Mon Sep 3 02:55:00 AEST 2018] d_api='/root/.acme.sh/dnsapi/dns_aws.sh'
[Mon Sep 3 02:55:00 AEST 2018] _d_alias
[Mon Sep 3 02:55:00 AEST 2018] First detect the root zone
[Mon Sep 3 02:55:00 AEST 2018] mtd='GET'
[Mon Sep 3 02:55:00 AEST 2018] ep='2013-04-01/hostedzone'
[Mon Sep 3 02:55:00 AEST 2018] qsr
[Mon Sep 3 02:55:00 AEST 2018] data
[Mon Sep 3 02:55:01 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=92e2c459e38a1722e5a0b0d8cee1d3de18111fcf021d669a5b7b6ef267af783a'
[Mon Sep 3 02:55:01 AEST 2018] GET
[Mon Sep 3 02:55:01 AEST 2018] url='https://route53.amazonaws.com/2013-04-01/hostedzone'
[Mon Sep 3 02:55:01 AEST 2018] timeout=
[Mon Sep 3 02:55:01 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:55:03 AEST 2018] ret='0'
[Mon Sep 3 02:55:03 AEST 2018] hostedzone='/hostedzone/mydomain.com.D43CFBBA-BB31-12E0-BE4B-F2735C5C3B74false49'
[Mon Sep 3 02:55:03 AEST 2018] _domain_id='/hostedzone/'
[Mon Sep 3 02:55:03 AEST 2018] _sub_domain='_acme-challenge.staging'
[Mon Sep 3 02:55:03 AEST 2018] _domain='mydomain.com'
[Mon Sep 3 02:55:03 AEST 2018] Getting existing records for _acme-challenge.test.mydomain.com
[Mon Sep 3 02:55:04 AEST 2018] mtd='GET'
[Mon Sep 3 02:55:04 AEST 2018] ep='2013-04-01/hostedzone//rrset'
[Mon Sep 3 02:55:04 AEST 2018] qsr='name=_acme-challenge.test.mydomain.com&type=TXT'
[Mon Sep 3 02:55:04 AEST 2018] data
[Mon Sep 3 02:55:05 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=d871eb92c8b72581fd05908fefe775d8435f968b86ae4afe86362b7bcde28d8c'
[Mon Sep 3 02:55:05 AEST 2018] GET
[Mon Sep 3 02:55:05 AEST 2018] url='https://route53.amazonaws.com/2013-04-01/hostedzone//rrset?name=_acme-challenge.test.mydomain.com&type=TXT'
[Mon Sep 3 02:55:05 AEST 2018] timeout=
[Mon Sep 3 02:55:05 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:55:06 AEST 2018] ret='0'
[Mon Sep 3 02:55:06 AEST 2018] _resource_record='"hgdXb20mKbNWeQpfJ-OhU_Ef_h5gbEng5-HAUntGn5g""XcqtjP1_Gvuwb8Y24uIs3CaQ9NsYxikBzYMdNq6slRg"'
[Mon Sep 3 02:55:06 AEST 2018] mtd='POST'
[Mon Sep 3 02:55:06 AEST 2018] ep='2013-04-01/hostedzone//rrset/'
[Mon Sep 3 02:55:06 AEST 2018] qsr
[Mon Sep 3 02:55:06 AEST 2018] data='DELETE"hgdXb20mKbNWeQpfJ-OhU_Ef_h5gbEng5-HAUntGn5g""XcqtjP1_Gvuwb8Y24uIs3CaQ9NsYxikBzYMdNq6slRg"_acme-challenge.test.mydomain.com.TXT300'
[Mon Sep 3 02:55:08 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=d53d3e2ddd874ff44fa235c5b231a1baa1ca6aef12b37a4d581f96b4a46840c4'
[Mon Sep 3 02:55:08 AEST 2018] POST
[Mon Sep 3 02:55:08 AEST 2018] _post_url='https://route53.amazonaws.com/2013-04-01/hostedzone//rrset/'
[Mon Sep 3 02:55:08 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:55:09 AEST 2018] _ret='0'
[Mon Sep 3 02:55:09 AEST 2018] TXT record deleted successfully.
[Mon Sep 3 02:55:09 AEST 2018] txt='hgdXb20mKbNWeQpfJ-OhU_Ef_h5gbEng5-HAUntGn5g'
[Mon Sep 3 02:55:10 AEST 2018] d_api='/root/.acme.sh/dnsapi/dns_aws.sh'
[Mon Sep 3 02:55:10 AEST 2018] _d_alias
[Mon Sep 3 02:55:10 AEST 2018] First detect the root zone
[Mon Sep 3 02:55:10 AEST 2018] mtd='GET'
[Mon Sep 3 02:55:10 AEST 2018] ep='2013-04-01/hostedzone'
[Mon Sep 3 02:55:10 AEST 2018] qsr
[Mon Sep 3 02:55:10 AEST 2018] data
[Mon Sep 3 02:55:11 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=855381bb016997559c7a9c1fc38d69923ad7142a5026de5a68d948f66de87044'
[Mon Sep 3 02:55:11 AEST 2018] GET
[Mon Sep 3 02:55:11 AEST 2018] url='https://route53.amazonaws.com/2013-04-01/hostedzone'
[Mon Sep 3 02:55:11 AEST 2018] timeout=
[Mon Sep 3 02:55:11 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:55:13 AEST 2018] ret='0'
[Mon Sep 3 02:55:13 AEST 2018] hostedzone='/hostedzone/mydomain.com.D43CFBBA-BB31-12E0-BE4B-F2735C5C3B74false48'
[Mon Sep 3 02:55:13 AEST 2018] _domain_id='/hostedzone/'
[Mon Sep 3 02:55:13 AEST 2018] _sub_domain='_acme-challenge.staging'
[Mon Sep 3 02:55:13 AEST 2018] _domain='mydomain.com'
[Mon Sep 3 02:55:13 AEST 2018] Getting existing records for _acme-challenge.test.mydomain.com
[Mon Sep 3 02:55:13 AEST 2018] mtd='GET'
[Mon Sep 3 02:55:13 AEST 2018] ep='2013-04-01/hostedzone//rrset'
[Mon Sep 3 02:55:13 AEST 2018] qsr='name=_acme-challenge.test.mydomain.com&type=TXT'
[Mon Sep 3 02:55:13 AEST 2018] data
[Mon Sep 3 02:55:14 AEST 2018] _H2='Authorization: AWS4-HMAC-SHA256 Credential=AWS_ACCESS_KEY_ID/20180902/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=34943a275c4d06b615e155f22be9d1e5e1c36ee9598c91c22c59d13d1d3a8ee9'
[Mon Sep 3 02:55:14 AEST 2018] GET
[Mon Sep 3 02:55:14 AEST 2018] url='https://route53.amazonaws.com/2013-04-01/hostedzone//rrset?name=_acme-challenge.test.mydomain.com&type=TXT'
[Mon Sep 3 02:55:15 AEST 2018] timeout=
[Mon Sep 3 02:55:15 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:55:16 AEST 2018] ret='0'
[Mon Sep 3 02:55:16 AEST 2018] no records exist, skip
[Mon Sep 3 02:55:16 AEST 2018] _on_issue_err
[Mon Sep 3 02:55:16 AEST 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Mon Sep 3 02:55:16 AEST 2018] url='https://acme-staging-v02.api.letsencrypt.org/acme/challenge/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk/166832158'
[Mon Sep 3 02:55:16 AEST 2018] payload='{"keyAuthorization": "4j9tXqUmiKzn1S2UhlXW6BLuqK7YXBkhX7XaRxOERR8.UTqX84DT_nCV36GKZYmNO3W1uQJZdmH75QG9HJY_sW0"}'
[Mon Sep 3 02:55:17 AEST 2018] POST
[Mon Sep 3 02:55:17 AEST 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/challenge/FmpjZeDgv1mQ_ToHrFwpL_fQRSUekKt-_qi3GbdDwyk/166832158'
[Mon Sep 3 02:55:17 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:55:18 AEST 2018] _ret='0'
[Mon Sep 3 02:55:18 AEST 2018] code='400'
[Mon Sep 3 02:55:18 AEST 2018] url='https://acme-staging-v02.api.letsencrypt.org/acme/challenge/PC65EPrco8u2EJtsKDf0Ey6XMY_glNktoub-MQWJeQ0/166832155'
[Mon Sep 3 02:55:18 AEST 2018] payload='{"keyAuthorization": "dd-7A2CaVpzTMstXkNy6UycBe5UfbqOKj70xLAuOWNU.UTqX84DT_nCV36GKZYmNO3W1uQJZdmH75QG9HJY_sW0"}'
[Mon Sep 3 02:55:19 AEST 2018] POST
[Mon Sep 3 02:55:19 AEST 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/challenge/PC65EPrco8u2EJtsKDf0Ey6XMY_glNktoub-MQWJeQ0/166832155'
[Mon Sep 3 02:55:19 AEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.HKf2tH7K6c -g '
[Mon Sep 3 02:55:19 AEST 2018] _ret='0'
[Mon Sep 3 02:55:20 AEST 2018] code='200'
[Mon Sep 3 02:55:20 AEST 2018] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.1f 6 Jan 2014
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
socat:
socat by Gerhard Rieger - see www.dest-unreach.org
Usage:
socat [options]
   options:
      -V     print version and feature information to stdout, and exit
      -h|-?  print a help text describing command line options and addresses
      -hh    like -h, plus a list of all common address option names
      -hhh   like -hh, plus a list of all available address option names
      -d     increase verbosity (use up to 4 times; 2 are recommended)
      -D     analyze file descriptors before loop
      -ly[facility]  log to syslog, using facility (default is daemon)
      -lf    log to file
      -ls    log to stderr (default if no other log)
      -lm[facility]  mixed log mode (stderr during initialization, then syslog)
      -lp    set the program name used for logging
      -lu    use microseconds for logging timestamps
      -lh    add hostname to log messages
      -v     verbose data traffic, text
      -x     verbose data traffic, hexadecimal
      -b     set data buffer size (8192)
      -s     sloppy (continue on error)
      -t     wait seconds before closing second channel
      -T     total inactivity timeout in seconds
      -u     unidirectional mode (left to right)
      -U     unidirectional mode (right to left)
      -g     do not check option groups
      -L     try to obtain lock, or fail
      -W     try to obtain lock, or wait
      -4     prefer IPv4 if version is not explicitly specified
      -6     prefer IPv6 if version is not explicitly specified
   bi-address:
      pipe[,]  groups=FD,FIFO
      !!
   single-address:
      [,]
   address-head:
      abstract-client:  groups=FD,SOCKET,RETRY,UNIX
      abstract-connect:  groups=FD,SOCKET,RETRY,UNIX
      abstract-listen:  groups=FD,SOCKET,LISTEN,CHILD,RETRY,UNIX
      abstract-recv:  groups=FD,SOCKET,RETRY,UNIX
      abstract-recvfrom:  groups=FD,SOCKET,CHILD,RETRY,UNIX
      abstract-sendto:  groups=FD,SOCKET,RETRY,UNIX
      create:  groups=FD,REG,NAMED
      exec:  groups=FD,FIFO,SOCKET,EXEC,FORK,TERMIOS,PTY,PARENT,UNIX
      fd:  groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
      gopen:  groups=FD,FIFO,CHR,BLK,REG,SOCKET,NAMED,OPEN,TERMIOS,UNIX
      interface:  groups=FD,SOCKET
      ip-datagram::  groups=FD,SOCKET,RANGE,IP4,IP6
      ip-recv:  groups=FD,SOCKET,RANGE,IP4,IP6
      ip-recvfrom:  groups=FD,SOCKET,CHILD,RANGE,IP4,IP6
      ip-sendto::  groups=FD,SOCKET,IP4,IP6
      ip4-datagram::  groups=FD,SOCKET,RANGE,IP4
      ip4-recv:  groups=FD,SOCKET,RANGE,IP4
      ip4-recvfrom:  groups=FD,SOCKET,CHILD,RANGE,IP4
      ip4-sendto::  groups=FD,SOCKET,IP4
      ip6-datagram::  groups=FD,SOCKET,RANGE,IP6
      ip6-recv:  groups=FD,SOCKET,RANGE,IP6
      ip6-recvfrom:  groups=FD,SOCKET,CHILD,RANGE,IP6
      ip6-sendto::  groups=FD,SOCKET,IP6
      open:  groups=FD,FIFO,CHR,BLK,REG,NAMED,OPEN,TERMIOS
      openssl::  groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,OPENSSL
      openssl-listen:  groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,TCP,OPENSSL
      pipe:  groups=FD,FIFO,NAMED,OPEN
      proxy:::  groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,HTTP
      pty  groups=FD,NAMED,TERMIOS,PTY
      sctp-connect::  groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,SCTP
      sctp-listen:  groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,SCTP
      sctp4-connect::  groups=FD,SOCKET,CHILD,RETRY,IP4,SCTP
      sctp4-listen:  groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,SCTP
      sctp6-connect::  groups=FD,SOCKET,CHILD,RETRY,IP6,SCTP
      sctp6-listen:  groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6,SCTP
      socket-connect:::  groups=FD,SOCKET,CHILD,RETRY
      socket-datagram::::  groups=FD,SOCKET,RANGE
      socket-listen:::  groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE
      socket-recv::::  groups=FD,SOCKET,RANGE
      socket-recvfrom::::  groups=FD,SOCKET,CHILD,RANGE
      socket-sendto::::  groups=FD,SOCKET
      socks4:::  groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS4
      socks4a:::  groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS4
      stderr  groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
      stdin  groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
      stdio  groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
      stdout  groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
      system:  groups=FD,FIFO,SOCKET,EXEC,FORK,TERMIOS,PTY,PARENT,UNIX
      tcp-connect::  groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP
      tcp-listen:  groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,TCP
      tcp4-connect::  groups=FD,SOCKET,CHILD,RETRY,IP4,TCP
      tcp4-listen:  groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,TCP
      tcp6-connect::  groups=FD,SOCKET,CHILD,RETRY,IP6,TCP
      tcp6-listen:  groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6,TCP
      tun[:/]  groups=FD,CHR,NAMED,OPEN,INTERFACE
      udp-connect::  groups=FD,SOCKET,IP4,IP6,UDP
      udp-datagram::  groups=FD,SOCKET,RANGE,IP4,IP6,UDP
      udp-listen:  groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6,UDP
      udp-recv:  groups=FD,SOCKET,RANGE,IP4,IP6,UDP
      udp-recvfrom:  groups=FD,SOCKET,CHILD,RANGE,IP4,IP6,UDP
      udp-sendto::  groups=FD,SOCKET,IP4,IP6,UDP
      udp4-connect::  groups=FD,SOCKET,IP4,UDP
      udp4-datagram::  groups=FD,SOCKET,RANGE,IP4,UDP
      udp4-listen:  groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,UDP
      udp4-recv:  groups=FD,SOCKET,RANGE,IP4,UDP
      udp4-recvfrom::  groups=FD,SOCKET,CHILD,RANGE,IP4,UDP
      udp4-sendto::  groups=FD,SOCKET,IP4,UDP
      udp6-connect::  groups=FD,SOCKET,IP6,UDP
      udp6-datagram::  groups=FD,SOCKET,RANGE,IP6,UDP
      udp6-listen:  groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP6,UDP
      udp6-recv:  groups=FD,SOCKET,RANGE,IP6,UDP
      udp6-recvfrom:  groups=FD,SOCKET,CHILD,RANGE,IP6,UDP
      udp6-sendto::  groups=FD,SOCKET,IP6,UDP
      unix-client:  groups=FD,SOCKET,NAMED,RETRY,UNIX
      unix-connect:  groups=FD,SOCKET,NAMED,RETRY,UNIX
      unix-listen:  groups=FD,SOCKET,NAMED,LISTEN,CHILD,RETRY,UNIX
      unix-recv:  groups=FD,SOCKET,NAMED,RETRY,UNIX
      unix-recvfrom:  groups=FD,SOCKET,NAMED,CHILD,RETRY,UNIX
      unix-sendto:  groups=FD,SOCKET,NAMED,RETRY,UNIX
```
xentie commented 6 years ago

updated with the new logfile

wkulhanek commented 5 years ago

@Neilpang I seem to have the same issue. My AWS account has access to a ton of DNS zones.

I am trying to get certs for '*.apps.cluster-e954.e954.ocp4.opentlc.com' and 'cluster-e954-api.e954.ocp4.opentlc.com'. It writes the TXT entries into the 'ocp4.opentlc.com' zone (as _acme-challenge.apps.cluster-e954.e954.ocp4.opentlc.com.) rather than into the zone that Let's Encrypt then validates, which is e954.ocp4.opentlc.com.

Is there a way to specify the hosted zone ID? If so I think I can work around this.
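Both reports above describe the same failure mode in root-zone detection: when a parent zone (mydomain.com, ocp4.opentlc.com) and a more specific child zone (test.mydomain.com, e954.ocp4.opentlc.com) are both hosted in the account, the TXT record lands in the parent, and the log also shows the zone id coming out empty (`_domain_id='/hostedzone/'`, followed by requests against `hostedzone//rrset`). The POSIX sh below is an added example, not acme.sh's own code: given a list of hosted zones, it picks the zone whose name is the longest suffix of the challenge record on a label boundary, and it fails closed when nothing matches instead of proceeding with an empty id. The zone list, the zone ids (`ZPLACEHOLDER…`) and the function names (`_fqdn`, `pick_zone`, `sub_domain`) are my own constructed sample and naming; the record and zone names are the ones from this thread.

```shell
#!/bin/sh
# Added example, not acme.sh code: choose the most specific hosted zone for
# a DNS-01 challenge record, and fail closed if no zone covers it.

# Constructed sample zone list ("<zone name>. <zone id>" per line) standing in
# for a hosted-zone listing. The ids are placeholders, not real Route53 ids.
# Parent zones are deliberately listed before child zones, as a listing might.
ZONES='mydomain.com. ZPLACEHOLDER0001
test.mydomain.com. ZPLACEHOLDER0002
ocp4.opentlc.com. ZPLACEHOLDER0003
e954.ocp4.opentlc.com. ZPLACEHOLDER0004'

# Append a trailing dot when missing so zone and record names compare alike.
_fqdn() {
  case "$1" in
    *.) printf '%s\n' "$1" ;;
    *)  printf '%s.\n' "$1" ;;
  esac
}

# pick_zone RECORD
# Prints "<zone name>. <zone id>" for the zone whose name is the longest suffix
# of RECORD on a label boundary (so mydomain.com. never matches
# notmydomain.com.). Returns 1 when no zone matches; a caller must stop there
# rather than build a request path with an empty id.
pick_zone() {
  _rec=$(_fqdn "$1")
  _best_name=""
  _best_id=""
  _best_len=0
  while read -r _zname _zid; do
    [ -n "$_zname" ] || continue
    # Exact apex match, or RECORD ends in ".<zone>" (label boundary enforced
    # by the leading dot in the suffix pattern).
    if [ "$_rec" = "$_zname" ] || [ "${_rec%.$_zname}" != "$_rec" ]; then
      if [ "${#_zname}" -gt "$_best_len" ]; then
        _best_len=${#_zname}
        _best_name=$_zname
        _best_id=$_zid
      fi
    fi
  done <<EOF
$ZONES
EOF
  [ -n "$_best_id" ] || return 1
  printf '%s %s\n' "$_best_name" "$_best_id"
}

# sub_domain RECORD ZONE
# Prints RECORD relative to ZONE (empty for the zone apex); returns 1 when
# RECORD is not inside ZONE at all.
sub_domain() {
  _rec=$(_fqdn "$1")
  _zone=$(_fqdn "$2")
  if [ "$_rec" = "$_zone" ]; then
    printf '\n'
    return 0
  fi
  [ "${_rec%.$_zone}" != "$_rec" ] || return 1
  printf '%s\n' "${_rec%.$_zone}"
}

# Demo on the two record names discussed in the thread.
for _r in _acme-challenge.test.mydomain.com \
          _acme-challenge.apps.cluster-e954.e954.ocp4.opentlc.com; do
  if _z=$(pick_zone "$_r"); then
    printf '%s -> zone %s (id %s), relative name %s\n' \
      "$_r" "${_z%% *}" "${_z#* }" "$(sub_domain "$_r" "${_z%% *}")"
  else
    printf 'no hosted zone covers %s; refusing to continue\n' "$_r" >&2
  fi
done
```

The longest-suffix rule is what makes the child zone win over its parent regardless of listing order, and the non-zero return from `pick_zone` is the check a practitioner wants: an empty zone id should abort the run rather than be spliced into a URL.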