einschmidt / addon-caddy-2

Caddy 2 is a powerful, open source web server with automatic HTTPS
MIT License

route53 credentials not accepted #196

Closed dkebler closed 5 months ago

dkebler commented 6 months ago

Anyone had issues with your addon/docker and route53 credentials?

Unless it's something I have done, I'm guessing your addon is not passing credentials on to the route53 plugin correctly.

I have many other installs of route53 with caddy (including my own caddy docker) that work fine with the same aws credentials I am using here.

- name: ACCESS_KEY
  value: redacted
- name: SECRET_KEY
  value: redacted

operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 278d1598-46eb-46a7-a47d-87c209f26733, api error InvalidClientTokenId: The security token included in the request is invalid.

Log looks good until that line: it loads the custom caddy binary and loads credentials correctly.

(r53) {
  tls {
    dns route53 {
        max_retries 10
        # Caddy placeholders use braces; a value written as (env.NAME) is not
        # expanded and is handed to the plugin as the literal string "(env.NAME)"
        access_key_id {env.ACCESS_KEY}
        secret_access_key {env.SECRET_KEY}
    }
  }
}

# HA server
https://home.redacted.net {
    import r53
    reverse_proxy http://ha.redacted.net:8123
}

It uses this Caddy plugin.

https://github.com/caddy-dns/route53

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service base-addon-banner: starting

-----------------------------------------------------------
 Add-on: Caddy 2
 Open source web and proxy server with automatic HTTPS
-----------------------------------------------------------
 Add-on version: 1.5.4
 You are running the latest version of this add-on.
 System: Home Assistant OS 11.2  (amd64 / generic-x86-64)
 Home Assistant Core: 2023.12.3
 Home Assistant Supervisor: 2023.12.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service base-addon-banner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service base-addon-log-level: starting
s6-rc: info: service fix-attrs successfully started
Log level is set to DEBUG
s6-rc: info: service base-addon-log-level successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service caddy: starting
s6-rc: info: service caddy successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
INFO: Setting ACCESS_KEY to redacted
INFO: Setting SECRET_KEY to redacted
INFO: Setting REGION to us-west-2
INFO: Prepare Caddy...
INFO: Found custom Caddy at /share/caddy/caddy
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
INFO: Prepare Caddyfile...
INFO: Caddyfile found at /share/caddy/Caddyfile
INFO: Run Caddy...
DEBUG: '/share/caddy/caddy' run --config '/share/caddy/Caddyfile' ''
{"level":"info","ts":1703549352.5024166,"msg":"using provided configuration","config_file":"/share/caddy/Caddyfile","config_adapter":""}
{"level":"warn","ts":1703549352.5065053,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/share/caddy/Caddyfile","line":3}
{"level":"info","ts":1703549352.508861,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1703549352.5092607,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004b2400"}
{"level":"info","ts":1703549352.5094357,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1703549352.5094538,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1703549352.5105596,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1703549352.5107925,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1703549352.51085,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1703549352.510859,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["home.redacted.net"]}
{"level":"info","ts":1703549352.511308,"msg":"autosaved config (load with --resume flag)","file":"/data/caddy/autosave.json"}
{"level":"info","ts":1703549352.51132,"msg":"serving initial configuration"}
{"level":"info","ts":1703549352.511707,"logger":"tls.obtain","msg":"acquiring lock","identifier":"home.kebler.net"}
{"level":"warn","ts":1703549352.5121927,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/ssl/caddy","instance":"27bf782a-8edc-42ba-8f72-22c0c1700db8","try_again":1703635752.5121899,"try_again_in":86399.99999906}
{"level":"info","ts":1703549352.5122516,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1703549352.5135922,"logger":"tls.obtain","msg":"lock acquired","identifier":"home.redacted.net"}
{"level":"info","ts":1703549352.5137959,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"home.redacted.net"}
{"level":"info","ts":1703549352.514787,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["home.redacted.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1703549352.5148005,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["home.redacted.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1703549353.1835563,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"home.kebler.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1703549353.6961763,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"home.redacted.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.home.kebler.net\" (usually OK if presenting also failed)"}
{"level":"error","ts":1703549353.901954,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"home.redacted.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[home.redacted.net] solving challenges: presenting for challenge: adding temporary record for zone \"redacted.net.\": operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: dd176b84-7c5d-4147-9f4b-424662a0d891, api error InvalidClientTokenId: The security token included in the request is invalid. (order=https://acme-v02.api.letsencrypt.org/acme/order/1483719416/231882985226) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
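An added checker for the situation in this report; it is not part of the issue, the addon or the route53 plugin. It lists which env vars a Caddyfile's `dns route53` block expects (to compare against the addon's `Setting ACCESS_KEY` / `Setting SECRET_KEY` log lines), flags credential values that are not `{env.NAME}` placeholders, and pulls the status code, RequestID and API error out of a Caddy JSON log line. The sample Caddyfile and log line are constructed, with a placeholder RequestID.

```python
import json
import re
# Constructed sample Caddyfile (not the reporter's file): the first credential uses Caddy's
# {env.NAME} placeholder; the second uses parentheses, which Caddy hands over as a literal.
SAMPLE_CADDYFILE = """\
(r53) {
  tls {
    dns route53 {
        access_key_id {env.ACCESS_KEY}
        secret_access_key (env.SECRET_KEY)
    }
  }
}
"""
# Constructed Caddy JSON log line shaped like this issue's failure (placeholder RequestID).
SAMPLE_LOG_LINE = json.dumps({"level": "error", "logger": "tls.obtain", "error": (
    "presenting for challenge: operation error Route 53: ListHostedZonesByName, https response "
    "error StatusCode: 403, RequestID: 00000000-0000-0000-0000-000000000000, api error "
    "InvalidClientTokenId: The security token included in the request is invalid.")})
PLACEHOLDER = re.compile(r"^\{env\.(\w+)\}$")    # expanded by Caddy at runtime
PAREN_MISTAKE = re.compile(r"^\(env\.(\w+)\)$")  # looks similar, but is a plain literal
CRED_KEYS = ("access_key_id", "secret_access_key")
ROUTE53_ERR = re.compile(r"StatusCode: (\d+), RequestID: ([0-9a-f-]+), api error (\w+)")

def check_route53_credentials(caddyfile):
    """Return the env var names a dns route53 block expects, plus any malformed values."""
    env_vars, problems = [], []
    for lineno, raw in enumerate(caddyfile.splitlines(), 1):
        parts = raw.split()
        if len(parts) != 2 or parts[0] not in CRED_KEYS:
            continue
        key, value = parts
        if m := PLACEHOLDER.match(value):
            env_vars.append(m.group(1))
        elif m := PAREN_MISTAKE.match(value):
            problems.append(f"line {lineno}: {key} (env.{m.group(1)}) is passed literally; "
                            f"write {{env.{m.group(1)}}} instead")
        else:  # a hard-coded key in the Caddyfile is a secret on disk, flag it too
            problems.append(f"line {lineno}: {key} is a literal value, not an {{env.NAME}} placeholder")
    return {"env_vars": env_vars, "problems": problems}

def route53_error(log_line):
    """Extract (status, request_id, api_error) from one Caddy JSON log line, else None."""
    try:
        err = json.loads(log_line).get("error", "")
    except (ValueError, AttributeError):
        return None
    m = ROUTE53_ERR.search(err)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None
```

A 403 with `InvalidClientTokenId` and no `problems` reported means the placeholder syntax is fine and the values themselves (or what the addon exported under those names) are what to check next.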
github-actions[bot] commented 5 months ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!