caddyserver / certmagic

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
https://pkg.go.dev/github.com/caddyserver/certmagic?tab=doc
Apache License 2.0

Route 53 DNS Challenge Cleanup Fails Due to Invalid XML in ResourceRecordSets Deletion Request #315

Open Hansen333 opened 9 hours ago

Hansen333 commented 9 hours ago

What version of the package are you using?

caddy v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
github.com/caddy-dns/route53 v1.5.1 h1:enBEmvggN7bd3vTHu+9QXrdHmGCLyoiW8Kgj2+OTohE=
certmagic v0.21.3 h1:pqRRry3yuB4CWBVq9+cUqu+Y6E2z8TswbhNx1AZeYm0=

What are you trying to do?

I am trying to obtain an SSL certificate using CertMagic in Caddy with AWS Route 53 as the DNS provider for the dns-01 challenge. The goal is to automatically verify the domain and clean up the DNS TXT record (_acme-challenge) after the verification process.

What steps did you take?

  1. Configured Caddy to use AWS Route 53 for the dns-01 challenge using an IAM user with sufficient permissions.
  2. Started Caddy to request a certificate for the domain dero-api.redacted.cloud.
  3. Observed the Caddy logs during the verification and cleanup phases.

What did you expect to happen, and what actually happened instead?

Expected:

Actual:

{
  "level": "error",
  "ts": 1729720845.761746,
  "logger": "tls.issuance.acme.acme_client",
  "msg": "cleaning up solver",
  "identifier": "dero-api.redacted.cloud",
  "challenge_type": "dns-01",
  "error": "deleting temporary record for name \"_acme-challenge.dero-api.redacted.cloud\" in zone \"redacted.cloud.\": operation error Route 53: ChangeResourceRecordSets, https response error StatusCode: 400, RequestID: ed2d1719-5b2b-4b75-b18f-61876d8f0070, InvalidInput: Invalid XML ; javax.xml.stream.XMLStreamException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 245; cvc-complex-type.2.4.b: The content of element 'ResourceRecords' is not complete. One of '{\"https://route53.amazonaws.com/doc/2013-04-01/\":ResourceRecord}' is expected."
}

How do you think this should be fixed?

Please link to any related issues, pull requests, and/or discussion

N/A at the moment, but similar XML-related issues with Route 53 could be relevant.

Bonus: What do you use CertMagic for, and do you find it useful?

I use CertMagic for automating SSL/TLS certificates for multiple domains managed by Caddy. I find it incredibly useful for simplifying the SSL certificate management process and ensuring the domains are always secure.
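To show what the logged error is complaining about, here is an added example that is not certmagic's or libdns/route53's code: the request types are a hand-rolled approximation of the Route 53 ChangeResourceRecordSets XML, and the record name and token are constructed. A DELETE change that omits the TXT value the solver originally set renders an empty ResourceRecords element, which is the incomplete content the API rejects; a pre-flight check catches that before the call is made.

```go
package main

import "encoding/xml"
import "fmt"

// Hand-rolled, minimal mirror of the ChangeResourceRecordSets request body, an
// assumption for illustration only (not the AWS SDK's or libdns/route53's types).
type ResourceRecord struct{ Value string `xml:"Value"` }
type ResourceRecords struct{ ResourceRecord []ResourceRecord `xml:"ResourceRecord"` }
type ResourceRecordSet struct {
	Name            string          `xml:"Name"`
	Type            string          `xml:"Type"`
	ResourceRecords ResourceRecords `xml:"ResourceRecords"`
}
type Change struct {
	Action            string            `xml:"Action"`
	ResourceRecordSet ResourceRecordSet `xml:"ResourceRecordSet"`
}
type ChangeRequest struct {
	XMLName xml.Name `xml:"https://route53.amazonaws.com/doc/2013-04-01/ ChangeResourceRecordSetsRequest"`
	Changes []Change `xml:"ChangeBatch>Changes>Change"`
}

// DeleteTXTChange builds the cleanup change for an ACME TXT record. Route 53 only deletes
// a record whose values match, so the solver must pass back the value it set; an empty
// value produces the empty <ResourceRecords> element seen in the report.
func DeleteTXTChange(name, value string) Change {
	var rrs []ResourceRecord
	if value != "" {
		rrs = append(rrs, ResourceRecord{Value: fmt.Sprintf("%q", value)}) // TXT values are quoted
	}
	return Change{Action: "DELETE", ResourceRecordSet: ResourceRecordSet{
		Name: name, Type: "TXT", ResourceRecords: ResourceRecords{ResourceRecord: rrs}}}
}

// ValidateChanges is a pre-flight check: a record set with no ResourceRecord is rejected
// locally instead of reaching the API and failing with InvalidInput.
func ValidateChanges(changes []Change) error {
	for i, c := range changes {
		if len(c.ResourceRecordSet.ResourceRecords.ResourceRecord) == 0 {
			return fmt.Errorf("change %d (%s %s): no ResourceRecord values", i, c.Action, c.ResourceRecordSet.Name)
		}
	}
	return nil
}

// RequestBody renders the batch as the XML body that would be sent to Route 53.
func RequestBody(changes []Change) (string, error) {
	b, err := xml.Marshal(ChangeRequest{Changes: changes})
	return string(b), err
}
```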

francislavoie commented 8 hours ago

I don't see how this has anything to do with certmagic. See https://github.com/libdns/route53. Certmagic doesn't touch XML data at all, that's done entirely within the route53 plugin.