I am trying to obtain an SSL certificate using CertMagic in Caddy with AWS Route 53 as the DNS provider for the dns-01 challenge. The goal is to automatically verify the domain and clean up the DNS TXT record (_acme-challenge) after the verification process.
What steps did you take?
Configured Caddy to use AWS Route 53 for the dns-01 challenge using an IAM user with sufficient permissions.
Started Caddy to request a certificate for the domain dero-api.redacted.cloud.
Observed the Caddy logs during the verification and cleanup phases.
What did you expect to happen, and what actually happened instead?
Expected:
Caddy should add a _acme-challenge TXT record to the Route 53 hosted zone.
After verifying the dns-01 challenge, Caddy should successfully delete the TXT record.
Actual:
Caddy successfully added the TXT record and completed the verification.
During the cleanup phase, Caddy failed to delete the TXT record.
The following error was logged:
{
  "level": "error",
  "ts": 1729720845.761746,
  "logger": "tls.issuance.acme.acme_client",
  "msg": "cleaning up solver",
  "identifier": "dero-api.redacted.cloud",
  "challenge_type": "dns-01",
  "error": "deleting temporary record for name \"_acme-challenge.dero-api.redacted.cloud\" in zone \"redacted.cloud.\": operation error Route 53: ChangeResourceRecordSets, https response error StatusCode: 400, RequestID: ed2d1719-5b2b-4b75-b18f-61876d8f0070, InvalidInput: Invalid XML ; javax.xml.stream.XMLStreamException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 245; cvc-complex-type.2.4.b: The content of element 'ResourceRecords' is not complete. One of '{\"https://route53.amazonaws.com/doc/2013-04-01/\":ResourceRecord}' is expected."
}
How do you think this should be fixed?
It appears the XML payload sent to AWS Route 53 for deleting the TXT record is not properly formatted. Specifically, the ResourceRecords element is incomplete, leading to a 400 Bad Request response.
Investigate the XML generation code for the Route 53 API (ChangeResourceRecordSets) to ensure that all required fields are properly populated.
Confirm that all record deletion requests include the expected structure as documented by AWS Route 53 API.
Please link to any related issues, pull requests, and/or discussion
N/A at the moment, but similar XML-related issues with Route 53 could be relevant.
Bonus: What do you use CertMagic for, and do you find it useful?
I use CertMagic for automating SSL/TLS certificates for multiple domains managed by Caddy. I find it incredibly useful for simplifying the SSL certificate management process and ensuring the domains are always secure.
I don't see how this has anything to do with certmagic. See https://github.com/libdns/route53. Certmagic doesn't touch XML data at all; that's done entirely within the route53 plugin.
What version of the package are you using?
caddy v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
github.com/caddy-dns/route53 v1.5.1 h1:enBEmvggN7bd3vTHu+9QXrdHmGCLyoiW8Kgj2+OTohE=
certmagic v0.21.3 h1:pqRRry3yuB4CWBVq9+cUqu+Y6E2z8TswbhNx1AZeYm0=
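To make the failure mode in the log concrete, here is an added example (not code from CertMagic, Caddy or the libdns/route53 plugin) of how a DELETE change for the ACME TXT record has to be built for ChangeResourceRecordSets: Route 53 requires the record set being deleted to be spelled out in full, including at least one ResourceRecord value, which is exactly what the "content of element 'ResourceRecords' is not complete" error says was missing. The XML structs are a hand-written subset of the Route 53 2013-04-01 schema, and the record name and value are constructed placeholders.

```go
package main

import (
	"encoding/xml"
	"errors"
)

// Hand-written subset of the Route 53 2013-04-01 ChangeResourceRecordSets body
// (an assumption for this example; the plugin itself uses the AWS SDK types).
// Untagged fields marshal under their own names (Action, Name, TTL, ...).
type changeRequest struct {
	XMLName     xml.Name `xml:"https://route53.amazonaws.com/doc/2013-04-01/ ChangeResourceRecordSetsRequest"`
	ChangeBatch struct {
		Changes []change `xml:"Changes>Change"`
	}
}
type change struct {
	Action            string
	ResourceRecordSet recordSet
}
type recordSet struct {
	Name            string
	Type            string
	TTL             int64
	ResourceRecords []resourceRecord `xml:"ResourceRecords>ResourceRecord"`
}
type resourceRecord struct{ Value string }

// buildTXTDelete builds the DELETE change for an ACME TXT record. A DELETE must
// describe the existing record set exactly (name, type, TTL and every value); an
// empty ResourceRecords is what produced the 400 above, so it is refused here.
func buildTXTDelete(name string, ttl int64, values []string) ([]byte, error) {
	if len(values) == 0 {
		return nil, errors.New("DELETE " + name + ": current TXT value(s) required")
	}
	var rrs []resourceRecord
	for _, v := range values {
		// Route 53 stores TXT data in double quotes; add them if missing so the
		// set matches what is actually in the hosted zone.
		if len(v) < 2 || v[0] != '"' || v[len(v)-1] != '"' {
			v = `"` + v + `"`
		}
		rrs = append(rrs, resourceRecord{Value: v})
	}
	var req changeRequest
	req.ChangeBatch.Changes = []change{{
		Action:            "DELETE",
		ResourceRecordSet: recordSet{Name: name, Type: "TXT", TTL: ttl, ResourceRecords: rrs},
	}}
	return xml.MarshalIndent(req, "", "  ")
}
```

When debugging a cleanup failure like this one, logging the body returned by buildTXTDelete before it is sent shows immediately whether the ResourceRecord element is present.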