acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Support for AWS Route 53? #65

Closed mbentley closed 7 years ago

mbentley commented 8 years ago

I wanted to check to see what your thoughts are in regards to the dnsapi plugins. I wrote an AWS Route 53 API plugin but it uses the python awscli tool and jq to parse JSON and I wasn't sure if you had strict requirements for using only bash or if 3rd party libraries could be a requirement. This probably needs some additional error checking but it's worked decently for me so far: https://gist.github.com/mbentley/d5da0bf962f050dd07ec

Neilpang commented 8 years ago

Yes, I'd like to keep it bash only. No more dependencies, like python, perl etc.

If you can fix that, I'd be happy to merge your code.

mbentley commented 8 years ago

OK, thanks for the quick response. I'll see what I can do.

theit8514 commented 8 years ago

If anyone is interested, I wrote an API for AWS Route53. It still depends on AWSCLI and Python, but doesn't need a JSON library for parsing the results.

https://gist.github.com/theit8514/2368a2030c8c31efacdd

Neilpang commented 8 years ago

Thanks @theit8514 , Can you make it a separate repository ? So that I can update the doc to refer to your code.

Thanks.

theit8514 commented 8 years ago

Moved code to repository and added some docs on what is required. https://github.com/theit8514/dnsapi-route53-python

colegatron commented 8 years ago

I've written a different AWS Route53 dns api. The difference from the @mbentley one, which it is based on, is that mine supports multiple domains and arbitrarily long subdomain names. You can issue or renew LE certs for my.com, your.com, their.com, this.is.my.domain.co.uk in a single certificate and in one single step. The only limitation is that all domains should be hosted on AWS.

I've forked Neilpang/le and added my api inside (I don't want to maintain a repo for a single file); you can find it at https://github.com/colegatron/le

oscar-b commented 8 years ago

What's the status of the pure bash implementation for Route53?

Neilpang commented 8 years ago

Hi @oscar-b , I don't have an AWS account to test. So, please use the script from @colegatron .

colegatron commented 8 years ago

The dns-aws script is ready for production.

At least I have it running in the production deployment pipeline, issuing and renewing the certificates automatically.

Iván González, Systems Developer - AWS Certified Developer - IT Manager
On 25 Mar 2016 12:35 a.m., "Oscar Bolmsten" notifications@github.com wrote:

What's the status of the pure bash implementation for Route53?

oscar-b commented 8 years ago

But it still has external dependencies on other scripts and Python?

colegatron commented 8 years ago

My own script is not part of Neil's development and it is not tied to his repo restrictions.

I try to keep things simple, easy and functional, but writing pure-whatever-language is never part of my requirements.

Feel free to use it as is or modify it as per your needs.
On 25 Mar 2016 6:49 p.m., "Oscar Bolmsten" notifications@github.com wrote:

But it still has external dependencies on other scripts and Python?

oscar-b commented 8 years ago

The requirement is due to the fact that this is for an embedded system, and disk space is a bit limited. I will see if it's feasible to install the aws cli. Thanks!

colegatron commented 8 years ago

The dns-aws api depends on jq aside from the aws cli, but there are only a couple of calls to jq. For sure you can remove the jq dependency using the --output text argument on the aws cli call and some greps and seds.

Maybe even the 3 calls to aws can be replaced with some curl calls.

2016-03-25 20:04 GMT+01:00 Oscar Bolmsten notifications@github.com:

The requirement is due to the fact that this is for an embedded system, and disk space is a bit limited. I will see if it's feasible to install the aws cli. Thanks!


centminmod commented 8 years ago

@Neilpang any movement for this request ?

Revisiting this request for Route53 as it's what I use for my main domains.

With regards to bash only and @colegatron's jq: maybe acme.sh can just check if /usr/bin/jq exists (for centos 6 and centos 7 it's in the EPEL repo) and enable or disable the aws plugin accordingly. So if the jq binary doesn't exist, disable the aws plugin from being triggered.

centminmod commented 7 years ago

@Neilpang @colegatron any plans to revisit Route53 support ?

awscli is easy to install

wget https://s3.amazonaws.com/aws-cli/awscli-bundle.zip
unzip awscli-bundle.zip
./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
chmod +x /usr/local/bin/aws
aws --version

jq for centos/rhel

yum -y install jq

and as per previous reply

Maybe acme.sh can just check if /usr/bin/jq exists (for centos 6 and centos 7 it's in the EPEL repo) and enable or disable the aws plugin accordingly. So if the jq binary doesn't exist, disable the aws plugin from being triggered. Same with /usr/local/bin/aws: check if it exists or not and auto disable the aws plugin if not. This won't affect acme.sh usage for normal folks unless the jq and aws binaries exist.

FernandoMiguel commented 7 years ago

+1 on native Route53 support!!

Neilpang commented 7 years ago

@centminmod @FernandoMiguel

Reopen, I will move the implementation to acme.sh, I think it's ok to use jq and aws-cli in this wrapper.

But I don't have aws to test; if you guys have, please let me know.

Thanks.

FernandoMiguel commented 7 years ago

Let me know of a way to privately contact you and what domain you want on route53 and I'll send you API keys Monday morning

Neilpang commented 7 years ago

@FernandoMiguel Contact me: info@acme.sh

oscar-b commented 7 years ago

Using the aws-cli isn't feasible on smaller systems such as routers, it's huge (almost 100mb installed if I remember correctly). Should be possible to do without external dependencies.

FernandoMiguel commented 7 years ago

@oscar-b I'm guessing most of our use cases are to have it running from aws instances themselves, where those packages are usually available

Neilpang commented 7 years ago

@oscar-b

I agree with @FernandoMiguel , most cases would be in the aws instances, so it's not a big problem.

yes, I will also try to write a sh version without any dependencies after this awscli version, as long as I have a testing domain there.

Neilpang commented 7 years ago

@FernandoMiguel Hi, I received your email, and the ns server is changed.

Please write the api key to me. My mail server has a temp issue such that I can only receive email, I cannot send email now.

FernandoMiguel commented 7 years ago

@Neilpang that email had the key attached. would you prefer inline?

Neilpang commented 7 years ago

@FernandoMiguel

yes, I see. Thanks.

Neilpang commented 7 years ago

@FernandoMiguel

I need to call ListHostedZones

But I got error:

An error occurred (AccessDenied) when calling the ListHostedZones operation: User: arn:aws:iam::800596930647:user/info@acme.sh is not authorized to perform: route53:ListHostedZones

FernandoMiguel commented 7 years ago

humm you have it in the policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:GetHostedZoneCount",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/Z309C9U7RMOAW1"
    }
  ]
}

let me move it out

FernandoMiguel commented 7 years ago

try now!

Neilpang commented 7 years ago

@FernandoMiguel

Same error.

FernandoMiguel commented 7 years ago

ok, let me debug it on my side.

FernandoMiguel commented 7 years ago

should work now.

Neilpang commented 7 years ago

@FernandoMiguel yes

centminmod commented 7 years ago

@FernandoMiguel was it a case of ListHostedZones needing to be unrestricted to a specific ZONE ? https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/r53-api-permissions-ref.html

Required Permissions for Actions on Public Hosted Zones

ListHostedZones route53:ListHostedZones arn:aws:route53:::hostedzone/*
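The AccessDenied above and the permissions table quoted here come down to one IAM detail: ListHostedZones is not scoped to a single hosted zone, so a statement whose Resource is one zone ID cannot grant it, while ChangeResourceRecordSets and the other per-zone calls can and should stay scoped to that zone. The Python below is an added illustration, not code from acme.sh or from anyone in this thread. It is a minimal Allow-only evaluator (wildcard matching on Action and Resource; Deny, Condition and Principal are ignored, which is an assumption for illustration) that shows why the single-statement policy posted above fails the list call, and a split policy that grants each call only the resource it needs. Treating ListHostedZonesByName and GetHostedZoneCount like ListHostedZones is an assumption by analogy; the zone ID is the one from the posted policy.

```python
import fnmatch
import json
from typing import Dict, List, Tuple

# Hosted zone ID from the policy posted in this thread
ZONE_ID = "Z309C9U7RMOAW1"

# The single-statement policy as posted: every action scoped to one hosted zone
ZONE_SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:GetHostedZoneCount",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/Z309C9U7RMOAW1"
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Allow-only evaluation (assumption: no Deny, Condition or Principal handling).
    A statement grants the call if one of its Action patterns matches the action
    and one of its Resource patterns matches the resource the call needs."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def required_grants(zone_id: str) -> List[Tuple[str, str]]:
    """What a DNS-01 hook needs: one list over all zones, then per-zone reads and writes.
    The list call's resource is the wildcard from the permissions reference quoted above."""
    zone_arn = f"arn:aws:route53:::hostedzone/{zone_id}"
    return [
        ("route53:ListHostedZones", "arn:aws:route53:::hostedzone/*"),
        ("route53:GetHostedZone", zone_arn),
        ("route53:ListResourceRecordSets", zone_arn),
        ("route53:ChangeResourceRecordSets", zone_arn),
    ]


def missing_grants(policy: Dict, zone_id: str) -> List[Tuple[str, str]]:
    """Return the (action, resource) pairs the policy does not cover."""
    return [(a, r) for a, r in required_grants(zone_id) if not is_allowed(policy, a, r)]


def least_privilege_policy(zone_id: str) -> Dict:
    """Split policy: account-wide list calls in one statement, reads and record
    changes restricted to the single zone in another."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                # ListHostedZonesByName and GetHostedZoneCount are assumed here to be
                # unscoped in the same way as ListHostedZones
                "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName",
                           "route53:GetHostedZoneCount"],
                "Resource": "arn:aws:route53:::hostedzone/*",
            },
            {
                "Effect": "Allow",
                "Action": ["route53:GetHostedZone", "route53:ListResourceRecordSets",
                           "route53:ChangeResourceRecordSets"],
                "Resource": f"arn:aws:route53:::hostedzone/{zone_id}",
            },
        ],
    }


if __name__ == "__main__":
    print("missing with zone-scoped policy:", missing_grants(ZONE_SCOPED_POLICY, ZONE_ID))
    print("missing with split policy:     ", missing_grants(least_privilege_policy(ZONE_ID), ZONE_ID))
```

With the posted policy the only uncovered grant is ListHostedZones; with the split policy nothing is missing, and a ChangeResourceRecordSets call against any other zone is still refused, which is the property worth keeping when the key lives on a renewal host.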

Neilpang commented 7 years ago

Hi @centminmod @mbentley @theit8514 @FernandoMiguel @oscar-b @colegatron

Everybody, I just added support for the AWS Route53 api, pure shell, no dependency on awscli.

see:

https://github.com/Neilpang/acme.sh/tree/dev/dnsapi#10-use-amazon-route53-domain-api

And @FernandoMiguel

Can you please edit this page: https://github.com/Neilpang/acme.sh/wiki/How-to-use-Amazon-Route53-API , and write how to get the api key secret/id and how to configure the api permissions ?

Thank you.

FernandoMiguel commented 7 years ago

Great work mate. I was wondering how progress on this was going. I'll give it a quick test tomorrow and add the requested information/guides

FernandoMiguel commented 7 years ago

I'm having issues with this from my mac. Haven't tested from EC2 yet

./acme.sh --issue --dns dns_aws -d test.awsroute53.acme.sh --test --debug 2
[Mon 21 Nov 2016 19:16:41 GMT] Lets find script dir.
[Mon 21 Nov 2016 19:16:41 GMT] SCRIPT='./acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _script='/Users/fernando/.acme.sh/acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _script_home='/Users/fernando/.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] It seems that acme.sh is already installed in /Users/fernando/.acme.sh
[Mon 21 Nov 2016 19:16:41 GMT] 15:AUTO_UPGRADE='1'
[Mon 21 Nov 2016 19:16:41 GMT] LE_WORKING_DIR='/Users/fernando/.acme.sh'
https://github.com/Neilpang/acme.sh v2.6.5
[Mon 21 Nov 2016 19:16:41 GMT] Using api:
[Mon 21 Nov 2016 19:16:41 GMT] Using stage api:https://acme-staging.api.letsencrypt.org
[Mon 21 Nov 2016 19:16:41 GMT] DOMAIN_PATH='/Users/fernando/.acme.sh/test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] Le_NextRenewTime
[Mon 21 Nov 2016 19:16:41 GMT] 1:Le_Domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] 2:Le_Alt='no'
[Mon 21 Nov 2016 19:16:41 GMT] 3:Le_Webroot='dns_aws'
[Mon 21 Nov 2016 19:16:41 GMT] 4:Le_PreHook=''
[Mon 21 Nov 2016 19:16:41 GMT] 5:Le_PostHook=''
[Mon 21 Nov 2016 19:16:41 GMT] 6:Le_RenewHook=''
[Mon 21 Nov 2016 19:16:41 GMT] 7:Le_API='https://acme-staging.api.letsencrypt.org'
[Mon 21 Nov 2016 19:16:41 GMT] _on_before_issue
[Mon 21 Nov 2016 19:16:41 GMT] 'dns_aws' does not contain 'no'
[Mon 21 Nov 2016 19:16:41 GMT] Le_LocalAddress
[Mon 21 Nov 2016 19:16:41 GMT] Check for domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _currentRoot='dns_aws'
[Mon 21 Nov 2016 19:16:41 GMT] 'dns_aws' does not contain 'apache'
[Mon 21 Nov 2016 19:16:41 GMT] _saved_account_key_hash='XXXX'
[Mon 21 Nov 2016 19:16:41 GMT] _saved_account_key_hash is not changed, skip register account.
[Mon 21 Nov 2016 19:16:41 GMT] Read key length:
[Mon 21 Nov 2016 19:16:41 GMT] _createcsr
[Mon 21 Nov 2016 19:16:41 GMT] domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] domainlist
[Mon 21 Nov 2016 19:16:41 GMT] csrkey='/Users/fernando/.acme.sh/test.awsroute53.acme.sh/test.awsroute53.acme.sh.key'
[Mon 21 Nov 2016 19:16:41 GMT] csr='/Users/fernando/.acme.sh/test.awsroute53.acme.sh/test.awsroute53.acme.sh.csr'
[Mon 21 Nov 2016 19:16:41 GMT] csrconf='/Users/fernando/.acme.sh/test.awsroute53.acme.sh/test.awsroute53.acme.sh.csr.conf'
[Mon 21 Nov 2016 19:16:41 GMT] Single domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _is_idn_d='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _idn_temp
[Mon 21 Nov 2016 19:16:41 GMT] _csr_cn='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] 8:Le_Keylength=''
[Mon 21 Nov 2016 19:16:41 GMT] Getting domain auth token for each domain
[Mon 21 Nov 2016 19:16:41 GMT] Getting webroot for domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _w='dns_aws'
[Mon 21 Nov 2016 19:16:41 GMT] _currentRoot='dns_aws'
[Mon 21 Nov 2016 19:16:41 GMT] Getting new-authz for domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] Try new-authz for the 0 time.
[Mon 21 Nov 2016 19:16:41 GMT] _is_idn_d='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _idn_temp
[Mon 21 Nov 2016 19:16:41 GMT] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Mon 21 Nov 2016 19:16:41 GMT] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "test.awsroute53.acme.sh"}}'
[Mon 21 Nov 2016 19:16:41 GMT] RSA key
[Mon 21 Nov 2016 19:16:43 GMT] Get nonce.
[Mon 21 Nov 2016 19:16:43 GMT] GET
[Mon 21 Nov 2016 19:16:43 GMT] url='https://acme-staging.api.letsencrypt.org/directory'
[Mon 21 Nov 2016 19:16:43 GMT] timeout
[Mon 21 Nov 2016 19:16:43 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header --trace-ascii /var/folders/b4/y3_m1qtd4p34v1_kwpgg3vrc0000gn/T/tmp.ByzrDNSh '
[Mon 21 Nov 2016 19:16:43 GMT] ret='0'
[Mon 21 Nov 2016 19:16:43 GMT] _headers='HTTP/1.1 200 OK Server: nginx Content-Type: application/json Content-Length: 372 Boulder-Request-Id: XXX Replay-Nonce: XXX X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 Expires: Mon, 21 Nov 2016 19:16:43 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 21 Nov 2016 19:16:43 GMT Connection: keep-alive '
[Mon 21 Nov 2016 19:16:43 GMT] _CACHED_NONCE='XXX'
[Mon 21 Nov 2016 19:16:43 GMT] nonce='XXX'
[Mon 21 Nov 2016 19:16:43 GMT] POST
[Mon 21 Nov 2016 19:16:43 GMT] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Mon 21 Nov 2016 19:16:43 GMT] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XX-XX-MRmd-3Yfp8NEyBl8Vg0po_GypSGzFTC8x4CIRl_HFZlRlTwnI9aKx3FGIMVtMm2w"}}, "protected": "XX", "payload": "XX", "signature": "XX-ayTcFVuA"}'
[Mon 21 Nov 2016 19:16:43 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header --trace-ascii /var/folders/b4/y3_m1qtd4p34v1_kwpgg3vrc0000gn/T/tmp.VtlyTDI8 '
[Mon 21 Nov 2016 19:16:44 GMT] _ret='0'
[Mon 21 Nov 2016 19:16:44 GMT] original='{ "identifier": { "type": "dns", "value": "test.awsroute53.acme.sh" }, "status": "pending", "expires": "2016-11-28T19:16:44.695898977Z", "challenges": [ { "type": "http-01", "status": "pending", "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/J-XX-XX/17091245", "token": "XX-bjRNIXu8" }, { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/J-XX-XX/17091246", "token": "XX-" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/J-XXX-XX/17091247", "token": "XXX" } ], "combinations": [ [ 2 ], [ 1 ], [ 0 ] ] }'
[Mon 21 Nov 2016 19:16:44 GMT] responseHeaders='HTTP/1.1 100 Continue Expires: Mon, 21 Nov 2016 19:16:44 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache

HTTP/1.1 201 Created Server: nginx Content-Type: application/json Content-Length: 1017 Boulder-Request-Id: XXX Boulder-Requester: 470416 Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next" Location: https://acme-staging.api.letsencrypt.org/acme/authz/J-XX-XXX Replay-Nonce: Uh3IspfyWokMKKrcjdCcnTpmyETG0zicYY_OdzgazME X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 Expires: Mon, 21 Nov 2016 19:16:44 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 21 Nov 2016 19:16:44 GMT Connection: keep-alive '
[Mon 21 Nov 2016 19:16:44 GMT] response='{"identifier":{"type":"dns","value":"test.awsroute53.acme.sh"},"status":"pending","expires":"2016-11-28T19:16:44.695898977Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/J--p3XpLi3KeHOGOrdU_Jc20/17091245","token":"Ta74uqR6xr2IHSHsPMFe2t8p8__hNV7shN-bjRNIXu8"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/J--p3XpLi3KeHOGOrdU_Jc20/17091246","token":"-iUBouQ_iPp9uwx_BRVwbE0Z7pnk"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/J--/17091247","token":""}],"combinations":[[2],[1],[0]]}'
[Mon 21 Nov 2016 19:16:44 GMT] code='201'
[Mon 21 Nov 2016 19:16:44 GMT] The new-authz request is ok.
[Mon 21 Nov 2016 19:16:44 GMT] entry='"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/J--XXX/17091247","token":""'
[Mon 21 Nov 2016 19:16:44 GMT] token=''
[Mon 21 Nov 2016 19:16:44 GMT] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/J--XXX/17091247'
[Mon 21 Nov 2016 19:16:44 GMT] keyauthorization='.XXX'
[Mon 21 Nov 2016 19:16:44 GMT] dvlist='test.awsroute53.acme.sh#.XXX#https://acme-staging.api.letsencrypt.org/acme/challenge/J--XX/17091247#dns-01#dns_aws'
[Mon 21 Nov 2016 19:16:44 GMT] txtdomain='_acme-challenge.test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:44 GMT] txt='T-XXX'
[Mon 21 Nov 2016 19:16:45 GMT] d_api='/Users/fernando/.acme.sh/dnsapi/dns_aws.sh'
[Mon 21 Nov 2016 19:16:45 GMT] Found domain api file: /Users/fernando/.acme.sh/dnsapi/dns_aws.sh
[Mon 21 Nov 2016 19:16:45 GMT] 61:AWS_ACCESS_KEY_ID='XXX'
[Mon 21 Nov 2016 19:16:45 GMT] 62:AWS_SECRET_ACCESS_KEY='XXX'
[Mon 21 Nov 2016 19:16:45 GMT] First detect the root zone
[Mon 21 Nov 2016 19:16:45 GMT] mtd='GET'
[Mon 21 Nov 2016 19:16:45 GMT] ep='2013-04-01/hostedzone'
[Mon 21 Nov 2016 19:16:45 GMT] qsr
[Mon 21 Nov 2016 19:16:45 GMT] data
[Mon 21 Nov 2016 19:16:45 GMT] CanonicalURI='/2013-04-01/hostedzone'
[Mon 21 Nov 2016 19:16:45 GMT] CanonicalQueryString
[Mon 21 Nov 2016 19:16:45 GMT] RequestDate='20161121T191645Z'
[Mon 21 Nov 2016 19:16:45 GMT] CanonicalHeaders='host:route53.amazonaws.com x-amz-date:20161121T191645Z '
[Mon 21 Nov 2016 19:16:45 GMT] SignedHeaders='host;x-amz-date'
[Mon 21 Nov 2016 19:16:45 GMT] RequestPayload
[Mon 21 Nov 2016 19:16:45 GMT] CanonicalRequest='GET /2013-04-01/hostedzone

host:route53.amazonaws.com x-amz-date:20161121T191645Z

host;x-amz-date XXX'
[Mon 21 Nov 2016 19:16:45 GMT] HashedCanonicalRequest='XXX'
[Mon 21 Nov 2016 19:16:45 GMT] Algorithm='AWS4-HMAC-SHA256'
[Mon 21 Nov 2016 19:16:45 GMT] RequestDateOnly='20161121'
[Mon 21 Nov 2016 19:16:45 GMT] CredentialScope='20161121/us-east-1/route53/aws4_request'
[Mon 21 Nov 2016 19:16:45 GMT] StringToSign='AWS4-HMAC-SHA256 20161121T191645Z 20161121/us-east-1/route53/aws4_request XXX'
[Mon 21 Nov 2016 19:16:45 GMT] kSecret='XXX'
[Mon 21 Nov 2016 19:16:45 GMT] kSecretH='XXX'
unknown option '-mac'
options are
-c to output the digest with separating colons
-d to output debug info
-hex output as hex dump
-binary output in binary form
-sign file sign digest using private key in file
-verify file verify a signature using public key in file
-prverify file verify a signature using private key in file
-keyform arg key file format (PEM or ENGINE)
-signature file signature to verify
-binary output in binary form
-hmac key create hashed MAC with key
-engine e use engine e, possibly a hardware device.
-md5 to use the md5 message digest algorithm (default)
-md4 to use the md4 message digest algorithm
-md2 to use the md2 message digest algorithm
-sha1 to use the sha1 message digest algorithm
-sha to use the sha message digest algorithm
-sha224 to use the sha224 message digest algorithm
-sha256 to use the sha256 message digest algorithm
-sha384 to use the sha384 message digest algorithm
-sha512 to use the sha512 message digest algorithm
-mdc2 to use the mdc2 message digest algorithm
-ripemd160 to use the ripemd160 message digest algorithm
[Mon 21 Nov 2016 19:16:45 GMT] kDateH
Usage: _hmac hashalg secret [outputhex]
[Mon 21 Nov 2016 19:16:45 GMT] kRegionH
Usage: _hmac hashalg secret [outputhex]
[Mon 21 Nov 2016 19:16:45 GMT] kServiceH
Usage: _hmac hashalg secret [outputhex]
[Mon 21 Nov 2016 19:16:45 GMT] kSigningH
Usage: _hmac hashalg secret [outputhex]
[Mon 21 Nov 2016 19:16:45 GMT] signature
[Mon 21 Nov 2016 19:16:45 GMT] Authorization='AWS4-HMAC-SHA256 Credential=XXX/20161121/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature='
[Mon 21 Nov 2016 19:16:45 GMT] _H3='Authorization: AWS4-HMAC-SHA256 Credential=XXX/20161121/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature='
[Mon 21 Nov 2016 19:16:45 GMT] GET
[Mon 21 Nov 2016 19:16:45 GMT] url='https://route53.amazonaws.com/2013-04-01/hostedzone'
[Mon 21 Nov 2016 19:16:45 GMT] timeout
[Mon 21 Nov 2016 19:16:45 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header --trace-ascii /var/folders/b4/T/tmp.T17pkfMx '
[Mon 21 Nov 2016 19:16:45 GMT] ret='0'
[Mon 21 Nov 2016 19:16:45 GMT] Response error:<?xml version="1.0"?>

SenderIncompleteSignatureAuthorization header requires 'Signature' parameter. Authorization=AWS4-HMAC-SHA256 Credential=XXX/20161121/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=0b2c34e1-b01f-11e6-bb47-XXX

[Mon 21 Nov 2016 19:16:46 GMT] invalid domain
[Mon 21 Nov 2016 19:16:46 GMT] Error add txt for domain:_acme-challenge.test.awsroute53.acme.sh
[Mon 21 Nov 2016 19:16:46 GMT] pid
[Mon 21 Nov 2016 19:16:46 GMT] _clearupdns
[Mon 21 Nov 2016 19:16:46 GMT] Dns not added, skip.
[Mon 21 Nov 2016 19:16:46 GMT] _on_issue_err
[Mon 21 Nov 2016 19:16:46 GMT] Please add '--debug' or '--log' to check more details.
[Mon 21 Nov 2016 19:16:46 GMT] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon 21 Nov 2016 19:16:46 GMT] Diagnosis versions:
openssl: OpenSSL 0.9.8zh 14 Jan 2016
apache: apache doesn't exists.
nc: usage: nc [-46AacCDdEFhklMnOortUuvz] [-K tc] [-b boundif] [-i interval] [-p source_port] [--apple-delegate-pid pid] [--apple-delegate-uuid uuid] [-s source_ip_address] [-w timeout] [-X proxy_version] [-x proxy_address[:port]] [hostname] [port[s]]
Command Summary: -4 Use IPv4 -6 Use IPv6 -A Set SO_RECV_ANYIF on socket -a Set SO_AWDL_UNRESTRICTED on socket -b ifbound Bind socket to interface -c Send CRLF as line-ending -C Don't use cellular connection -D Enable the debug socket option -d Detach from stdin -E Don't use expensive interfaces -F Do not use flow advisory (flow adv enabled by default) -G conntimo Connection timeout in seconds -h This help text -H keepidle Initial idle timeout in seconds -I keepintvl Interval for repeating idle timeouts in seconds -i secs Delay interval for lines sent, ports scanned -J keepcnt Number of times to repeat idle timeout -k Keep inbound sockets open for multiple connects -K tclass Specify traffic class -l Listen mode, for inbound connects -L num_probes Number of probes to send before generating a read timeout event -m Set SO_INTCOPROC_ALLOW on socket -n Suppress name/port resolutions -M Use MULTIPATH domain socket -N num_probes Number of probes to send before generating a write timeout event -O Use old-style connect instead of connectx -p port Specify local port for remote connects (cannot use with -l) -r Randomize remote ports -s addr Local source address -t Answer TELNET negotiation -U Use UNIX domain socket -u UDP mode -v Verbose -w secs Timeout for connects and final net reads -X proto Proxy protocol: "4", "5" (SOCKS) or "connect" -x addr[:port] Specify proxy address and port -z Zero-I/O mode [used for scanning] -o Issue socket options after connect/bind --apple-delegate-pid pid Set socket as delegate using pid
Port numbers can be individual or ranges: lo-hi [inclusive]
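The instructive part of that trace is the signing chain. The `_hmac` helper calls openssl with `-mac`, the OpenSSL 0.9.8 on that Mac rejects the option, so kDateH, kRegionH, kServiceH and kSigningH all come back empty and the request goes out with `Signature=` blank, which Route 53 rejects with IncompleteSignature. The Python below is an added example, not code from acme.sh or from anyone in the thread. It reproduces the SigV4 computation visible in the trace (canonical request, credential scope, string to sign, the derived signing key) for the same ListHostedZones GET and adds the check a signer should perform before sending: refuse to build an Authorization header when the signature is missing or malformed, instead of letting the remote side discover it. The access key and secret are constructed placeholders.

```python
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Constants matching the request in the trace above
HOST = "route53.amazonaws.com"
REGION = "us-east-1"            # Route 53 requests are signed against us-east-1
SERVICE = "route53"
ALGORITHM = "AWS4-HMAC-SHA256"

# Constructed placeholder credentials; not real AWS keys
EXAMPLE_ACCESS_KEY = "AKIAEXAMPLEKEYID0000"
EXAMPLE_SECRET_KEY = "exampleSecretKeyNotReal/0123456789abcdef"

# A well-formed SigV4 signature is exactly 64 lowercase hex characters
SIGNATURE_RE = re.compile(r"^[0-9a-f]{64}$")


def hmac_sha256(key: bytes, msg: str) -> bytes:
    """HMAC-SHA256 over msg with a raw binary key. The chained SigV4 keys are bytes,
    which is why a shell signer needs openssl's binary-key HMAC mode rather than a
    string key, and why an old openssl that lacks it yields empty intermediates."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method: str, uri: str, query: str, amz_date: str,
                      payload: bytes) -> Tuple[str, str]:
    """Build the canonical request for a call that signs only host and x-amz-date."""
    canonical_headers = f"host:{HOST}\nx-amz-date:{amz_date}\n"
    signed_headers = "host;x-amz-date"
    payload_hash = hashlib.sha256(payload).hexdigest()
    # canonical_headers already ends in a newline, hence the blank line that the
    # trace shows between the header block and the SignedHeaders line
    req = "\n".join([method, uri, query, canonical_headers, signed_headers, payload_hash])
    return req, signed_headers


def signing_key(secret_key: str, date_only: str) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning, the chain in the trace."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_only)
    k_region = hmac_sha256(k_date, REGION)
    k_service = hmac_sha256(k_region, SERVICE)
    return hmac_sha256(k_service, "aws4_request")


def authorization_header(access_key: str, scope: str, signed_headers: str,
                         signature: str) -> str:
    """Assemble the Authorization header, refusing an empty or malformed signature.
    This is the check the failing run lacked: it sent 'Signature=' and let Route 53
    answer IncompleteSignature."""
    if not SIGNATURE_RE.match(signature):
        raise ValueError("refusing to send request: signature is empty or not 64 hex chars")
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def sign_get(uri: str, amz_date: str, access_key: str, secret_key: str,
             query: str = "") -> Dict[str, str]:
    """Sign a GET with an empty body and return each intermediate the trace prints."""
    date_only = amz_date[:8]
    scope = f"{date_only}/{REGION}/{SERVICE}/aws4_request"
    creq, signed_headers = canonical_request("GET", uri, query, amz_date, b"")
    hashed_creq = hashlib.sha256(creq.encode("utf-8")).hexdigest()
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, hashed_creq])
    signature = hmac_sha256(signing_key(secret_key, date_only), string_to_sign).hex()
    return {
        "canonical_request": creq,
        "credential_scope": scope,
        "string_to_sign": string_to_sign,
        "signature": signature,
        "authorization": authorization_header(access_key, scope, signed_headers, signature),
    }


if __name__ == "__main__":
    result = sign_get("/2013-04-01/hostedzone", "20161121T191645Z",
                      EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY)
    for name, value in result.items():
        print(f"{name}:\n{value}\n")
```

The canonical request and credential scope come out identical to the ones the trace prints (with the empty-payload SHA-256 in place of the redacted hash); only the final signature differs because the key is a placeholder. A shell port of the same idea is a one-line guard: test that the HMAC helper produced 64 hex characters before the Authorization header is assembled, and abort with a clear message about the local openssl otherwise.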

Neilpang commented 7 years ago

@FernandoMiguel It seems that your openssl is too old, please upgrade your openssl first.

Anyway, I will fix it to give a nice error message in this case.

Thanks.

FernandoMiguel commented 7 years ago

@Neilpang I've updated the AWS policy for your account to reflect some new changes. I did a quick test and it seemed to work. If you find that the new policy broke your access to Route53, please let me know so I can fix it.

cheers

Neilpang commented 7 years ago

@FernandoMiguel
Got it, thank you.