mprahl / ansible-role-lets-encrypt-route-53

An Ansible role that automates the generation of Let's Encrypt signed certificates with DNS challenges on Amazon's Route 53 (AWS)

Wildcards and sans issue #39

Open philrumble-fz opened 3 years ago

philrumble-fz commented 3 years ago

When I use a combination of a cert_common_name of "blank.com" and a sans of "*.blank.com", I see that 2 DNS challenges are created but with the same DNS record name, and thus the second overwrites the first and the first check then fails.

Am I using an invalid combination?

vars:

TASK [mprahl.lets-encrypt-route-53 : create the DNS records for the challenge] *** changed: [test] => (item={'key': 'blank.com', 'value': {'tls-alpn-01': {'resource': 'blank.com', 'resource_original': 'dns:blank.com', 'resource_value': '8bJD3fa1JmzuoyEYpzVd9zDICsZru7k6bbtUDLdWafk='}, 'http-01': {'resource': '.well-known/acme-challenge/A75Pwn-cuUsELpeTfQaQ5D2datp8vQTwV5LHMoldFjw', 'resource_value': 'A75Pwn-cuUsELpeTfQaQ5D2datp8vQTwV5LHMoldFjw.t6KTBXo2h8CY2pO30DrU3B0dnCRJ5TBoESM1m4cXv_0'}, 'dns-01': {'resource': '_acme-challenge', 'resource_value': '8bJD3fa1JmzuoyEYpzVd9zDICsZru7k6bbtUDLdWafk', 'record': '_acme-challenge.blank.com'}}}) changed: [test] => (item={'key': '*.blank.com', 'value': {'dns-01': {'resource': '_acme-challenge', 'resource_value': 'zR5p-CLkvUvrQofnIv-yM7BXG388AScoK98kmJeeOlI', 'record': '_acme-challenge.blank.com'}}})

TASK [mprahl.lets-encrypt-route-53 : validate the Let's Encrypt challenge] *** fatal: [test]: FAILED! => changed=false msg: 'Authorization for dns:blank.com returned invalid: CHALLENGE: dns-01 DETAILS: Incorrect TXT record "zR5p-CLkvUvrQofnIv-yM7BXG388AScoK98kmJeeOlI" found at _acme-challenge.blank.com;' other: {}
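The overwrite described above happens because the apex name and its wildcard share one TXT record name, and each per-identifier UPSERT replaces the whole record set. As an added example (not the role's code or anything from the issue), the following groups dns-01 values by record name so that both tokens are published in a single Route 53 TXT record set; the sample `challenge_data` is constructed in the shape of the task output shown in the issue, with placeholder token values, and the change batch follows the shape of the Route 53 `ChangeResourceRecordSets` API.

```python
"""Publish ACME dns-01 values that share a TXT name as one Route 53 record set."""

# Constructed sample in the shape of the acme_certificate 'challenge_data' output
# shown in the issue: the apex and its wildcard both map to the same TXT record name.
SAMPLE_CHALLENGE_DATA = {
    "blank.com": {"dns-01": {"resource": "_acme-challenge",
                             "resource_value": "APEX-TOKEN-constructed",
                             "record": "_acme-challenge.blank.com"}},
    "*.blank.com": {"dns-01": {"resource": "_acme-challenge",
                               "resource_value": "WILDCARD-TOKEN-constructed",
                               "record": "_acme-challenge.blank.com"}},
}


def group_dns01_values(challenge_data):
    """Map each TXT record name to every challenge value that must live under it."""
    grouped = {}
    for challenges in challenge_data.values():
        dns01 = challenges.get("dns-01")
        if dns01 is None:
            continue  # identifier is validated by another challenge type
        values = grouped.setdefault(dns01["record"], [])
        if dns01["resource_value"] not in values:
            values.append(dns01["resource_value"])
    return grouped


def build_route53_change_batch(challenge_data, ttl=60):
    """One UPSERT per record name, carrying every value as its own TXT string.

    An UPSERT replaces the whole record set, so one UPSERT per identifier (the
    behaviour reported in the issue) leaves only the last value published."""
    changes = []
    for record, values in group_dns01_values(challenge_data).items():
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record.rstrip(".") + ".",
                "Type": "TXT",
                "TTL": ttl,
                # Route 53 requires TXT values to be double-quoted strings.
                "ResourceRecords": [{"Value": '"%s"' % v} for v in values],
            },
        })
    return {"Changes": changes}


def txt_record_satisfies(published_values, expected_value):
    """The ACME server's check: the token must appear among the TXT strings."""
    return expected_value in [v.strip('"') for v in published_values]
```

With both values present at `_acme-challenge.blank.com`, the validator finds the apex token as well as the wildcard token, which is exactly what the failing check in the output above could not do.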

LunaticZorr commented 3 years ago

I'm running into the same issue.

This is how I run it:

- name: Generate an SSL certificate
  hosts: all
  become: yes
  pre_tasks:
    - include_vars:
        dir: ../vars
        files_matching: vault.yml

  vars:
  - ler53_cert_common_name: "api.sub-{{ my_env }}.domain.cloud"
  - ler53_route_53_domain: "sub-{{ my_env }}.domain.cloud"
  - ler53_cert_sans:
      - "*.api.sub-{{ my_env }}.domain.cloud"
  - ler53_cert_dir: "/etc/ssl/env-cert/"
  - ler53_key_file_name: "env-cert.key"
  - ler53_cert_file_name: "env-cert.crt"
  - ler53_csr_file_name: "env-cert.csr"
  - ler53_intermediate_file_name: "env-cert.intermediate.pem"
  - ler53_cert_and_intermediate_file_name: "env-cert.pem"
  - ler53_aws_access_key: "{{ aws_access_key_id }}"
  - ler53_aws_secret_key: "{{ aws_secret_access_key }}"
  - ler53_new_cert_when_csr_changes: true

  roles:
  - role: mprahl.lets-encrypt-route-53
    when: "'env-waf' in inventory_hostname"

And it fails with

TASK [mprahl.lets-encrypt-route-53 : validate the Let's Encrypt challenge] *****
task path: /tmp/awx_11145_hne_hd6s/project/playbooks/roles/mprahl.lets-encrypt-route-53/tasks/main.yml:175
fatal: [env-waf-1]: FAILED! => {"changed": false, "msg": "Authorization for dns:api.sub-dev.domain.cloud returned invalid:  CHALLENGE: dns-01 DETAILS: Incorrect TXT record \"B4_6F3rrXqWLDtsAOVzqqP97NLzh4di2VH_bgIqjDwc\" found at _acme-challenge.api.sub-dev.domain.cloud;", "other": {}}

Removing the following:

  - ler53_cert_sans:
      - "*.api.sub-{{ my_env }}.domain.cloud"

Works. But we need the extra wildcard domain...