go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

Route53 with delegated zone for dns acme detects wrong zone #2058

Closed BornToBeRoot closed 7 months ago

BornToBeRoot commented 7 months ago


What did you expect to see?

Following setup:

Main zone (example.com) with CNAME records like: _acme-challenge.sub.example.com --> _acme-challenge.sub.acme.example.com

ACME zone (acme.example.com) to which the EC2 instance has access.

In the past this worked with LEGO_EXPERIMENTAL_CNAME_SUPPORT=true

I already added the AWS_REGION as reported here: https://github.com/traefik/traefik/issues/10195

What did you see instead?

Lego detects the wrong zone. The ZONE_ID of the hosted zone should be the one for acme.example.com, but it is the ID of the main zone example.com. Therefore the instance has no access to it.

Error message

traefik    | time="2023-12-05T13:31:53Z" level=error msg="Error renewing certificate from LE: {sub.example.com []}" providerName=route53.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" error="error: one or more domains had a problem:\n[sub.example.com] [sub.example.com] acme: error presenting token: route53: operation error Route 53: ListResourceRecordSets, https response error StatusCode: 403, RequestID: xxx-xxx-xxx, api error AccessDenied: User: arn:aws:sts::0123456789:assumed-role/dev-xxx-instance/i-xxxxxxxxxxxxxx is not authorized to perform: route53:ListResourceRecordSets on resource: arn:aws:route53:::hostedzone/<ZONE_ID> because no identity-based policy allows the route53:ListResourceRecordSets action\n"

How do you use lego?

Through Traefik

Reproduction steps

Use the setup as described above.

Upgrade to the latest traefik with new lego client.

Version of lego

4.14.0 (based on the traefik changelog)

Logs

see above

Go environment (if applicable)

-/-

ldez commented 7 months ago

Hello,

LEGO_EXPERIMENTAL_CNAME_SUPPORT was removed one year ago (v4.9): #1718

Now CNAMEs are handled by default.

The code that handles the detection of the zone has not changed since 2017.

Based on the error message "... because no identity-based policy allows the ...", I recommend following this comment: https://github.com/traefik/traefik/issues/10195#issuecomment-1807113989
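A simplified model of the zone detection discussed above, written as an added example (not lego's own code): it follows the delegation CNAME from the first post and then picks the most specific hosted zone, so with CNAME following the TXT record lands in acme.example.com and that zone's ID is the one the instance role's Route53 policy must allow, while without it the main zone is chosen and the 403 above is the expected result. The longest-suffix zone match, the record tables and the zone IDs are constructed assumptions, not values from Route53 or from the issue.

```go
package main

import "strings"

// Constructed stand-ins for the issue's two hosted zones and delegation CNAME;
// the zone IDs are placeholders, not real Route53 IDs.
var cnames = map[string]string{
	"_acme-challenge.sub.example.com.": "_acme-challenge.sub.acme.example.com.",
}
var hostedZones = map[string]string{
	"example.com.":      "ZMAIN-PLACEHOLDER",
	"acme.example.com.": "ZACME-PLACEHOLDER",
}

// followCNAME resolves fqdn through the CNAME chain, bounded to maxHops so a
// looping or misconfigured delegation cannot hang the lookup.
func followCNAME(fqdn string, maxHops int) string {
	for i := 0; i < maxHops; i++ {
		target, ok := cnames[fqdn]
		if !ok {
			return fqdn
		}
		fqdn = target
	}
	return fqdn
}

// findZone returns the most specific hosted zone: the longest zone name that
// is a suffix of fqdn (assumed lookup rule). Without CNAME following the
// challenge name only matches the main zone.
func findZone(fqdn string) (name, id string, ok bool) {
	for n, zid := range hostedZones {
		if (fqdn == n || strings.HasSuffix(fqdn, "."+n)) && len(n) > len(name) {
			name, id, ok = n, zid, true
		}
	}
	return name, id, ok
}

// ChallengeZone reports which hosted zone receives the DNS-01 TXT record for
// domain; that zone's ID is the one the instance role's policy must allow.
func ChallengeZone(domain string, follow bool) (name, id string, ok bool) {
	fqdn := "_acme-challenge." + strings.TrimSuffix(domain, ".") + "."
	if follow {
		fqdn = followCNAME(fqdn, 10)
	}
	return findZone(fqdn)
}
```

Comparing the two results for the same domain is a quick way to check which hosted zone ID an IAM policy scoped to a single zone has to name.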

BornToBeRoot commented 7 months ago

Thanks @ldez

The certificates were renewed overnight (with the instance profile). The error in the logs came from a subdomain that no longer exists.