Closed nickjmv closed 7 months ago
Hello,
I think this is an internal change in the SDK.
acme: error presenting token: route53: failed to determine hosted zone ID: operation error Route 53: ListHostedZonesByName, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded
The error comes from here.
I'm not a specialist in AWS, and the SDK migration guide is really weak.
I don't know if it's an expected behavior for the new SDK, a bug of the SDK, or something else.
I read on the AWS documentation that IMDSv1 and v2 should both work. So I'm kind of puzzled about why we are receiving the error.
Will you do some extra testing on this? Or what actions do you see next? I assume there are multiple users that encounter this.
I assume there are multiple users that encounter this.
As you can see, it seems you are alone with this problem (no thumbs up, no other report).
what actions do you see next?
I don't know because based on the code I have no idea of the real root of the problem.
FWIW, I got here by discovering that my Traefik Let's Encrypt configuration, which had been running fine, has apparently picked up this same problem after upgrading to the latest stable Traefik container tag 2.10.5, from 2.10.4. The initial error in the logs was that aws region was a required value. I provided the AWS_REGION environment variable through the docker compose file, and now the error I see is:
traefik | time="2023-11-12T00:19:12Z" level=error msg="Error renewing certificate from LE: {redacted.com []}" ACME CA="https://acme-v02.api.letsencrypt.org/directory" error="error: one or more domains had a problem:\n[redacted.com] [redacted.com] acme: error presenting token: route53: failed to determine hosted zone ID: operation error Route 53: ListHostedZonesByName, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded\n" providerName=letsencrypt.acme
None of my AWS IAM policies have changed, and this machine has been running untouched for years. The only difference is the bugfix version of the Traefik container being revved, which came with a rev of this lego lib.
Welcome
What did you expect to see?
A certificate is generated by using the AWS EC2 instance profile role.
What did you see instead?
An error message about the AWS EC2 IMDS.
How do you use lego?
Docker image
Reproduction steps
Renew an existing certificate by letting the docker image make use of the instance profile of the AWS EC2 machine.
It works when using role assumption by passing a profile other than 'default' to the docker image. But when using the attached instance profile role, the error is generated. Another fix is using lego v4.13.2, which is still using the old AWS SDK.
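A small diagnostic, added here as an example and not part of lego or of any reporter's setup, that separates the two conditions the error message above folds together: the metadata endpoint not answering before the context deadline, versus answering but exposing no instance profile role. It speaks the IMDSv2 token handshake directly over net/http and falls back to IMDSv1 if the token request is refused; ProbeIMDS and imdsRequest are names chosen for this example, and base is assumed to be http://169.254.169.254 on a real instance.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// imdsRequest issues one metadata request. A PUT asks for an IMDSv2 token; a GET
// sends that token when one was obtained and otherwise falls back to IMDSv1.
func imdsRequest(ctx context.Context, method, target, token string) (int, string, error) {
	req, _ := http.NewRequestWithContext(ctx, method, target, nil) // fixed method/URL: cannot fail
	if method == http.MethodPut {
		req.Header.Set("X-aws-ec2-metadata-token-ttl-seconds", "60")
	} else if token != "" {
		req.Header.Set("X-aws-ec2-metadata-token", token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body)), nil
}

// ProbeIMDS distinguishes "endpoint unreachable before the deadline" from "endpoint
// reachable but no instance profile role listed". base is http://169.254.169.254 on a
// real instance (assumed); it is a parameter so the probe can be pointed at a test server.
func ProbeIMDS(ctx context.Context, base string) ([]string, error) {
	status, token, err := imdsRequest(ctx, http.MethodPut, base+"/latest/api/token", "")
	if err != nil {
		return nil, fmt.Errorf("IMDS unreachable: %w", err) // the "context deadline exceeded" case
	}
	if status != http.StatusOK {
		token = "" // IMDSv2 refused or unsupported: retry without a token (IMDSv1)
	}
	status, body, err := imdsRequest(ctx, http.MethodGet, base+"/latest/meta-data/iam/security-credentials/", token)
	if err != nil {
		return nil, err
	}
	if status != http.StatusOK || body == "" {
		return nil, fmt.Errorf("no EC2 IMDS role found (HTTP %d)", status) // reachable, but no role attached
	}
	return strings.Split(body, "\n"), nil // one role name per line
}
```

Run it from inside the same container that runs lego with a short context deadline (a couple of seconds is enough): an "IMDS unreachable" result points at network reachability of the endpoint from the container, while "no EC2 IMDS role found" points at the instance profile itself.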