Open ozapotichnyi opened 1 month ago
Same issue here. I tried re-issuing my AWS keys, but AWS is reporting that they are "not used". I think for some reason it is not presenting the auth.
I am wondering if we just need to bump the caddy version since there were so many breaking changes
https://github.com/caddy-dns/route53/blob/8e49e7546771bf6846e1531dcaff4925af5ddcde/go.mod#L6
It looks like it is related to this issue: https://github.com/libdns/route53/issues/235#issue-2212746183
Which is related to this issue: https://github.com/aws/aws-sdk-go-v2/issues/2370#issuecomment-1953308268
Ran into the same issue with a single individual domain, not wildcard. The fix that ryantiger685 mentions here worked for me. Looks like PRs in that repository need to get merged to fix this officially.
Edit: Just tested wildcard and that's working with this fix as well.
Just ran into this as well after upgrading Caddy to v2.8.4.
Could you test this with the latest version and wait_for_propagation enabled?
{
  "module": "acme",
  "challenges": {
    "dns": {
      "provider": {
        "name": "route53",
        "wait_for_propagation": true
      }
    }
  }
}
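For readers who want to see the provider block above in context, here is a complete Caddy JSON config that wires the route53 provider into a TLS automation policy. This is an added example, not config from this thread or from the plugin's documentation. It reuses the hostnames that appear in the log lines later in the thread (stage.foo.bar.com and its wildcard), sets the `region` that a later comment reports as required, and points at the Let's Encrypt staging CA, which is the CA visible in those logs; drop the `ca` key for production issuance. The server name `srv0` and the `static_response` handler are placeholders so the config loads on its own. AWS credentials are assumed to come from the environment or instance role via the SDK's default credential chain, so none appear in the file.

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [
                { "host": ["stage.foo.bar.com", "*.stage.foo.bar.com"] }
              ],
              "handle": [
                { "handler": "static_response", "body": "ok" }
              ]
            }
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["stage.foo.bar.com", "*.stage.foo.bar.com"],
            "issuers": [
              {
                "module": "acme",
                "ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "route53",
                      "region": "us-east-1",
                      "wait_for_propagation": true
                    }
                  }
                }
              }
            ]
          }
        ]
      }
    }
  }
}
```

Load it with `caddy run --config caddy.json` and watch the `tls.obtain` logger: with `wait_for_propagation` on, the plugin blocks on Route 53's ResourceRecordSetsChanged waiter before telling the CA to validate, so a timeout there (as in the logs further down) points at the record change not being applied or a stale TXT record left in the zone, not at the ACME exchange itself. Note that the wildcard and the base name both resolve to the same `_acme-challenge.stage` TXT name, so two records are written to and then removed from that one name during a single issuance.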
FWIW, I'm using a Dockerfile to build https://github.com/lucaslorentz/caddy-docker-proxy with this plugin, and simply rebuilding the container with the latest release of this plugin and Caddy 2.8.4 was enough to solve the DNS challenge problem described in this thread, although I am not using a wildcard domain. I did not need to use the wait_for_propagation parameter.
> Could you test this with the latest version and wait_for_propagation enabled?
>
> { "module": "acme", "challenges": { "dns": { "provider": { "name": "route53", "wait_for_propagation": true } } } }
Yes, this works! Just tested with a new domain. Feels good removing all the hacks :)
This may be unrelated but just to note, I did get a new error from Route 53: Invalid Configuration: Missing Region
I just added us-east-1 as the region value and the error went away and everything works! Just thought I'd mention that this parameter may be required now.
Ah sorry, I spoke too soon. The normal domain worked but the wildcard domain did not.
{
"level": "error",
"ts": 1719515037.2461495,
"logger": "tls.obtain",
"msg": "will retry",
"error": "[*.stage.foo.bar.com] Obtain: [*.stage.foo.bar.com] solving challenges: presenting for challenge: adding temporary record for zone \"foo.bar.com.\": exceeded max wait time for ResourceRecordSetsChanged waiter (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/152473533/17457386443) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)",
"attempt": 4,
"retrying_in": 300,
"elapsed": 546.902648806,
"max_duration": 2592000
}
Edit:
I manually deleted the TXT record from Route 53, restarted Caddy, and the wildcard domain works! Not sure what happened here the first time but might just have been something on my end.
I saw that these two are the first errors which led me to do the extra troubleshooting:
{
"level": "error",
"ts": 1719514555.4299963,
"logger": "tls.issuance.acme.acme_client",
"msg": "cleaning up solver",
"identifier": "stage.foo.bar.com",
"challenge_type": "dns-01",
"error": "deleting temporary record for name \"foo.bar.com.\" in zone {\"\" \"TXT\" \"_acme-challenge.stage\" \"wEz6Z5Ta1vy5Z9ebcVcfyZTmptaYdfc-QtYRA_wV6Bs\" \"0s\" '\\x00' '\\x00'}: exceeded max wait time for ResourceRecordSetsChanged waiter"
}
{
"level": "error",
"ts": 1719514643.3972101,
"logger": "tls.issuance.acme.acme_client",
"msg": "cleaning up solver",
"identifier": "*.stage.foo.bar.com",
"challenge_type": "dns-01",
"error": "deleting temporary record for name \"foo.bar.com.\" in zone {\"\" \"TXT\" \"_acme-challenge.stage\" \"JvKk2qrEWpbsgvZ06rU1GKc28NKvKAxP_gwc-j1IVGA\" \"0s\" '\\x00' '\\x00'}: operation error Route 53: ChangeResourceRecordSets, https response error StatusCode: 400, RequestID: d4277a4b-bef0-423b-bfef-8e68495ea501, InvalidInput: Invalid XML ; javax.xml.stream.XMLStreamException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 248; cvc-complex-type.2.4.b: The content of element 'ResourceRecords' is not complete. One of '{\"https://route53.amazonaws.com/doc/2013-04-01/\":ResourceRecord}' is expected."
}
> I just added us-east-1 as the region value and the error went away and everything works! Just thought I'd mention that this parameter may be required now.

fwiw, the plugin can take the value from the AWS_REGION environment variable.
Wildcard DNS challenge stopped working after update to Caddy 2.8.
The minimum reproducible setup:
Caddy config:
Dockerfile:
Logs:
Everything passes fine with Caddy 2.7.6.
Any suggestions are appreciated.