caddy-dns / route53

Caddy module: dns.providers.route53
MIT License
38 stars 31 forks

Cannot get certificate with latest Rout53 plugin using docker #29

Closed hellrazorx64 closed 1 year ago

hellrazorx64 commented 1 year ago

Hi, this problem started (I guess) on release 1.3.

If I'm using a previous version of the plugin, it works. I get this error: "type":"urn:ietf:params:acme:error:malformed","status":405,"detail":"The request message was malformed"

I get this error from the logs:

caddyaws2023 | {"level":"error","ts":1675007436.1783702,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"HOST.DOMAINEXEMPLE.com","issuer":"acme.zerossl.com-v2-DV90","error":"[HOST.DOMAINEXEMPLE.com] solving challenges: presenting for challenge: adding temporary record for zone \"DOMAINEXAMPLE.com.\": Error unquoting TXT/SPF record: invalid syntax (order=https://acme.zerossl.com/v2/DV90/order/dkpx3lDTGufoX8eT6p3Tvw) (ca=https://acme.zerossl.com/v2/DV90)"}

Then I leave the whole configuration intact and just replace the custom Caddy file with the older version, and I get a ZeroSSL certificate. It still seems to fail getting the Let's Encrypt one, but at least I still get a ZeroSSL cert:

caddyaws2023  | {"level":"error","ts":1675008197.5518668,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"testicule.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.testicule.example.com - check that a DNS record exists for this domain"}
caddyaws2023  | {"level":"info","ts":1675008197.552192,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["testicule.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
caddyaws2023  | {"level":"info","ts":1675008197.5522494,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["testicule.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
caddyaws2023  | {"level":"info","ts":1675008212.2545922,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"testicule.example.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
caddyaws2023  | {"level":"info","ts":1675008236.4299083,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/A-Ipu8zXJvrtt8Tit59eNA"}
caddyaws2023  | {"level":"info","ts":1675008282.009358,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme.zerossl.com/v2/DV90/cert/ov2FO9h15NjWjCThsQBhkA"}
caddyaws2023  | {"level":"info","ts":1675008282.009628,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"testicule.example.com"}
caddyaws2023  | {"level":"info","ts":1675008282.0096378,"logger":"tls.obtain","msg":"releasing lock","identifier":"testicule.example.com"}

Example of caddyfile

{$DOMAIN}:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  tls {
    dns route53 {
      max_retries 10
      aws_profile {$aws_profile}
      access_key_id {$access_key_id}
      secret_access_key {$secret_access_key}

    }
  }
  reverse_proxy code-server:8443
}

Maybe I am missing a parameter for the new version? Also, I got some servers working with Let's Encrypt certs with this exact config. This time it pumped out a ZeroSSL cert; I have no clue why this happens.

Thanks for any help

hellrazorx64 commented 1 year ago

I just verified something even more interesting. If I'm using the latest version of the plugin, I can get certificates instantly on .info addresses.

But it seems to never work on .com addresses.

Same account, same API key, same server.

Maybe this is only an Amazon speciality.

hellrazorx64 commented 1 year ago

And I counter-verified the whole thing again...

Tried with a .com subdomain with the latest version for about 30 minutes without success. Tried with a .com subdomain with the former version and it worked immediately.

Same domain, same config, but a different caddyaws plugin.

mattvb91 commented 1 year ago

This has currently broken my system. Any updates on this?

Edit for anyone else: v1.2.1 works fine; everything above is broken.

aymanbagabas commented 1 year ago

Can you try this https://github.com/libdns/route53/pull/45?

hellrazorx64 commented 1 year ago

I'd really like to but I'm really not sure how to do that.

aymanbagabas commented 1 year ago

Following this guide, you can build caddy with a custom module using xcaddy build --with github.com/caddy-dns/REPOSITORY.

I've pushed a new branch that uses the libdns/route53 PR above. You can try this:

xcaddy build --with github.com/caddy-dns/route53@quote

aymanbagabas commented 1 year ago

I tested this manually and it appears to fix the issue now. Route53 treats TXT & SPF records in a weird way (ref). If anyone could test the package one more time before I create a new release, it would be appreciated.
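
For readers who want to see what the "Error unquoting TXT/SPF record: invalid syntax" message in the logs above is about, here is an added Go example. It is not the plugin's or libdns/route53's own code; it only illustrates the quoting convention a Route53 TXT record value has to follow. It assumes that Route53 wants TXT values as double-quoted character-strings of at most 255 octets each (the RFC 1035 limit) and that the values handled are the printable-ASCII base64url strings a dns-01 challenge produces; the helper names QuoteTXT, UnquoteTXT, splitQuoted and ChallengeTXT are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// RFC 1035 caps a single TXT <character-string> at 255 octets; longer values
// are carried as several quoted strings separated by spaces.
const maxTXTChunk = 255

// ChallengeTXT derives the dns-01 TXT value from an ACME key authorization
// (RFC 8555 section 8.4): base64url(SHA-256(keyAuthorization)) without padding.
func ChallengeTXT(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func isQuoted(s string) bool {
	return len(s) >= 2 && s[0] == '"' && s[len(s)-1] == '"'
}

// QuoteTXT puts a value into the quoted form Route53 expects for TXT records.
// Already-quoted input is returned unchanged, so applying it twice is safe.
// strconv.Quote matches DNS presentation syntax for printable ASCII; non-ASCII
// data would need \DDD escapes instead (assumption: callers only pass ASCII).
func QuoteTXT(value string) string {
	if isQuoted(value) {
		return value
	}
	var parts []string
	for len(value) > maxTXTChunk {
		parts = append(parts, strconv.Quote(value[:maxTXTChunk]))
		value = value[maxTXTChunk:]
	}
	parts = append(parts, strconv.Quote(value))
	return strings.Join(parts, " ")
}

// splitQuoted walks a Route53 TXT value and returns each "..." chunk intact,
// honouring backslash escapes so an embedded \" does not end a chunk early.
func splitQuoted(s string) ([]string, error) {
	var chunks []string
	for i := 0; i < len(s); {
		if s[i] == ' ' {
			i++
			continue
		}
		if s[i] != '"' {
			return nil, fmt.Errorf("unquoted data at offset %d", i)
		}
		j := i + 1
		for j < len(s) && s[j] != '"' {
			if s[j] == '\\' {
				j++ // skip the escaped byte
			}
			j++
		}
		if j >= len(s) {
			return nil, fmt.Errorf("unterminated quoted string at offset %d", i)
		}
		chunks = append(chunks, s[i:j+1])
		i = j + 1
	}
	return chunks, nil
}

// UnquoteTXT is the inverse of QuoteTXT. A value that was never quoted is
// returned as is instead of failing with strconv's "invalid syntax", which is
// exactly the error text a bare strconv.Unquote produces on unquoted input.
func UnquoteTXT(value string) (string, error) {
	if !isQuoted(value) {
		return value, nil
	}
	chunks, err := splitQuoted(value)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	for _, c := range chunks {
		raw, err := strconv.Unquote(c)
		if err != nil {
			return "", fmt.Errorf("chunk %s: %w", c, err)
		}
		b.WriteString(raw)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample: a fake token and account thumbprint, not real ACME data.
	txt := ChallengeTXT("constructed-token.constructed-thumbprint")
	quoted := QuoteTXT(txt)
	back, err := UnquoteTXT(quoted)
	fmt.Printf("value=%s\nroute53=%s\nround-trip ok=%v err=%v\n", txt, quoted, back == txt, err)
}
```

The point of the tolerant UnquoteTXT is that a record written by an older plugin version in raw form and one written in quoted form both read back cleanly, so a mixed zone does not make certificate issuance fail with an "invalid syntax" error.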

aleksil commented 1 year ago

I can confirm that the master branch is broken for me, but that the quote branch works as intended.

aymanbagabas commented 1 year ago

This is now fixed in https://github.com/caddy-dns/route53/releases/tag/v1.3.3