remilapeyre / vault-acme

Mozilla Public License 2.0
94 stars 24 forks

DNS challenge support #10

Closed shankar-bala closed 4 years ago

shankar-bala commented 4 years ago

Hi

I tried to run the plugin with the provider flag as below:

vault write acme/accounts/abc contact=abc@xyz.com terms_of_service_agreed=true provider=aws

It gave this error:
URL: PUT http://127.0.0.1:8200/v1/acme/accounts/abc
Code: 500. Errors:

* 1 error occurred:
    * get directory at '': Get : unsupported protocol scheme ""

Does this plugin support the DNS challenge for cloud providers like AWS etc.? If yes, can we see some sample test commands to try?

remilapeyre commented 4 years ago

Hi @shankar-bala, I think you are just missing the server_url parameter there, the documentation at https://github.com/remilapeyre/vault-acme/blob/master/website/source/docs/secrets/acme/index.html.md#setup should have everything you need to use the provider.

Please report anything you cannot find or anything unclear, I will improve the docs :)

shankar-bala commented 4 years ago

Thanks @remilapeyre for your quick response. I missed the readme in those underlying folders.

I tried testing the "route53 (AWS)" provider using the steps below, but I am getting an error.

# vault secrets enable acme
# vault write acme/accounts/awstest contact=abc@xyz.com server_url=https://acme-staging-v02.api.letsencrypt.org/directory     terms_of_service_agreed=true     provider=route53
# vault write acme/roles/awstestrole account=awstest allowed_domains=<route53 hosted domain > allow_bare_domains=false allow_subdomains=true
# vault write acme/certs/awstestrole common_name=acme-testing.<route53 domain name>

Running Vault with debug-level logging gives me the error below:

2020-04-29T16:23:41.062-0700 [DEBUG] secrets.acme.acme_62219281.acme.acme: Validate names: names=[acme-testing.<route53 domain name>] role="map[Account:awstest AllowBareDomains:false AllowSubdomains:true AllowedDomains:[<route53 domain name>] CacheForRatio:70 DisableCache:false]" timestamp=2020-04-29T16:23:41.062-0700
2020-04-29T16:23:41.274-0700 [DEBUG] secrets.acme.acme_62219281.acme.acme: Requesting certificate from CA: timestamp=2020-04-29T16:23:41.274-0700
2020-04-29T16:23:43.040-0700 [DEBUG] secrets.acme.acme_62219281.acme.acme: Got response from CA: err="acme: Error -> One or more domains had a problem:
[acme-testing.<route53 domain name>] [acme-testing.<route53 domain name>] acme: error presenting token: route53: failed to determine hosted zone ID: zone <route53 domain name>. not found for domain _acme-challenge.acme-testing.<route53 domain name>.

The AWS credentials have full access to Route53 operations and the aws cli works. I don't know why it still can't get the hosted zone ID. I tried explicitly setting "AWS_HOSTED_ZONE_ID" but still get the same error.

All I am trying to do is generate an SSL certificate for a domain hosted in AWS. I tried it with "certbot-route53" and it was working without any issues, but I had to deal with storing the certs in Vault, so I thought this plugin would make that job easier.

Any help in this regard is appreciated.

remilapeyre commented 4 years ago

Hi @shankar-bala, the documentation for the route53 DNS provider is here: https://github.com/remilapeyre/vault-acme/blob/master/website/source/docs/secrets/acme/dns-providers.html.md#amazon-route-53

I tried and successfully got a certificate. How did you deploy Vault and set the AWS_HOSTED_ZONE_ID environment variable? The plugin will run as a child process of Vault so it's important the environment variable gets passed.

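As an added example that is not part of vault-acme and not written by either participant, here is a POSIX shell check for the point made above, and for the setup steps earlier in the thread: because the plugin is a child process of the Vault server, the route53 provider sees Vault's environment, not the environment of the shell in which `vault write` was typed. The script reads the environment a given process was started with from `/proc/<pid>/environ`. It assumes Linux, a Vault process named `vault`, and that the provider reads the standard AWS SDK variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`) alongside `AWS_HOSTED_ZONE_ID`; the function names, the systemd drop-in paths and the file modes are hypothetical.

```shell
#!/bin/sh
# Added example, not part of vault-acme. Checks whether a running Vault
# process actually has the DNS-provider variables in its environment.
# vault-acme runs as a child process of the Vault server, so the provider
# reads the variables from Vault's environment, not from the shell in
# which "vault write acme/certs/..." is typed. Linux only: relies on
# /proc/<pid>/environ, which is readable only by the same user or root
# and reflects the environment the process was started with.
set -u

# proc_has_env PID NAME
# Prints NAME's value and returns 0 if NAME is set in the environment PID
# was started with; returns 1 if unset, 2 if the environment is unreadable.
proc_has_env() {
    pid=$1
    name=$2
    [ -r "/proc/$pid/environ" ] || return 2
    # environ is NUL-separated; convert to lines and take the first match.
    line=$(tr '\0' '\n' < "/proc/$pid/environ" | grep "^${name}=" | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "${line#*=}"
}

# check_proc_env PID NAME...
# Reports every NAME missing from PID's environment; returns 1 if any is.
check_proc_env() {
    pid=$1
    shift
    missing=0
    for name in "$@"; do
        if proc_has_env "$pid" "$name" > /dev/null; then
            echo "ok:      $name is set for pid $pid"
        else
            echo "MISSING: $name is not in the environment of pid $pid"
            missing=1
        fi
    done
    return $missing
}

# Variables the route53 provider is assumed to read: the standard AWS SDK
# credential/region variables plus AWS_HOSTED_ZONE_ID from the thread.
# (Assumption for this example; dns-providers.html.md is authoritative.)
ROUTE53_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION AWS_HOSTED_ZONE_ID"

# Usage: sh check_vault_env.sh check
# Locates the oldest process named "vault"; override with VAULT_PID=<pid>.
if [ "${1:-}" = "check" ]; then
    vault_pid=${VAULT_PID:-$(pgrep -o -x vault || true)}
    if [ -z "$vault_pid" ]; then
        echo "no running process named vault found; set VAULT_PID" >&2
        exit 2
    fi
    # shellcheck disable=SC2086  # intentional word splitting of the list
    check_proc_env "$vault_pid" $ROUTE53_VARS
fi

# If variables are missing, put them in Vault's own environment rather
# than in your login shell. Under systemd a drop-in (hypothetical paths)
# such as:
#   /etc/systemd/system/vault.service.d/route53.conf
#   [Service]
#   EnvironmentFile=/etc/vault.d/route53.env
# with /etc/vault.d/route53.env owned by root and not world-readable,
# then "systemctl daemon-reload && systemctl restart vault", and re-run
# this check. An EnvironmentFile keeps the AWS secret out of the unit
# file itself.
```

Run it as `sh check_vault_env.sh check` on the Vault host, as root or as the user Vault runs as; a variable that is exported only in your own shell will show as MISSING for the Vault pid even though `env` in that shell prints it, which is exactly the situation described above. Note that `/proc/<pid>/environ` is a snapshot from process start, so after editing the unit Vault must be restarted, not just reloaded, for the check to change.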
remilapeyre commented 4 years ago

Hi @shankar-bala, it seems like this is not an issue anymore, so I will close this report. Please open it again if you are still having issues.