Closed BornToBeRoot closed 7 months ago
Hello,
LEGO_EXPERIMENTAL_CNAME_SUPPORT was removed a year ago (in v4.9): #1718
Now CNAMEs are handled by default.
The code that handles the detection of the zone has not changed since 2017.
Based on the error message "... because no identity-based policy allows the ...", I recommend following this comment: https://github.com/traefik/traefik/issues/10195#issuecomment-1807113989
Thanks @ldez
The certificates were renewed overnight (with the instance profile). The error in the logs came from a subdomain that no longer exists.
Welcome
What did you expect to see?
Following setup:
Main zone (example.com) with CNAME records like: _acme-challenge.sub.example.com --> _acme-challenge.sub.acme.example.com
ACME zone (acme.example.com) to which the EC2 instance has access. In the past this worked with LEGO_EXPERIMENTAL_CNAME_SUPPORT=true.
I already added the AWS_REGION as reported here: https://github.com/traefik/traefik/issues/10195
What did you see instead?
Lego detects the wrong zone. The ZONE_ID of the hosted zone should be the one for acme.example.com, but it is the ID of the main zone example.com. Therefore the instance has no access to it.
Error message
How do you use lego?
Through Traefik
Reproduction steps
Use the setup as described above.
Upgrade to the latest traefik with new lego client.
Version of lego
Logs
see above
Go environment (if applicable)
-/-
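As an added illustration (not lego's code and not from this thread), a simplified Go model of the two behaviours discussed in the report: hosted zone detection by longest suffix match, with and without following the _acme-challenge CNAME into the delegated acme.example.com zone. The CNAME table, the hosted zone list and the zone IDs are constructed placeholders, and the lookups are maps rather than DNS or Route53 calls.

```go
package main
import (
	"fmt"
	"strings"
)

// Constructed stand-in for DNS CNAME lookups (no network): the challenge name
// in the main zone is a CNAME into the delegated acme.example.com zone.
var cnames = map[string]string{
	"_acme-challenge.sub.example.com.": "_acme-challenge.sub.acme.example.com.",
}

// Hosted zones the account can see (IDs are placeholders). The zone chosen
// decides whether the instance profile is allowed to write the TXT record.
var hostedZones = map[string]string{
	"example.com.":      "ZMAIN-PLACEHOLDER",
	"acme.example.com.": "ZACME-PLACEHOLDER",
}

// followCNAME resolves fqdn through CNAME records (bounded to avoid loops).
func followCNAME(fqdn string, follow bool) string {
	for i := 0; follow && i < 10; i++ {
		target, ok := cnames[fqdn]
		if !ok {
			break
		}
		fqdn = target
	}
	return fqdn
}

// findZoneID picks the hosted zone with the longest suffix match for fqdn
// (the basic idea of zone detection, simplified to a map instead of Route53).
func findZoneID(fqdn string) (string, string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		if id, ok := hostedZones[candidate]; ok {
			return candidate, id, nil
		}
	}
	return "", "", fmt.Errorf("no hosted zone found for %s", fqdn)
}

// ZoneForChallenge returns the zone and ID that would receive the TXT record:
// without CNAME following the main zone wins (the reported symptom).
func ZoneForChallenge(fqdn string, follow bool) (string, string, error) {
	return findZoneID(followCNAME(fqdn, follow))
}
```

Calling ZoneForChallenge with follow=false yields example.com (the zone the instance profile cannot write to); with follow=true it yields acme.example.com.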