-
Notifications
You must be signed in to change notification settings - Fork 51
letsencrypt wildcard domain support #16
Comments
I can confirm that using --server "https://acme-v02.api.letsencrypt.org/directory" does the job at poking the right acme server for initiating the challenge! |
I had the same issue. As far as I can tell the problem is when you specify 2 'subdomains' (*.mylinuxguy.org and mylinuxguy.org) the auth hook is invoked twice. That means you need to create 2 TXT records for However, the script uses the The way I fixed it is to no-op on the first hook but to write the certbot validation value to a file. Then on the second request I write both values to the TXT record using That means your JSON change needs to look something like
This works for both the auth-hook and the auth-hook cleanup. |
Not sure where the fault lies... I think it's certbot....
This works:
sh ./certbot-route53.sh
--expand
--agree-tos
--manual-public-ip-logging-ok
--domains www.mylinuxguy.org,mylinuxguy.org
--cert-name mylinuxguy.org
--keep-until-expiring
--reinstall
--update
--server "https://acme-v02.api.letsencrypt.org/directory"
and this works:
sh ./certbot-route53.sh
--expand
--agree-tos
--manual-public-ip-logging-ok
--domains *.mylinuxguy.org
--cert-name mylinuxguy.org
--keep-until-expiring
--reinstall
--update
--server "https://acme-v02.api.letsencrypt.org/directory"
but this:
sh ./certbot-route53.sh
--expand
--agree-tos
--manual-public-ip-logging-ok
--domains *.mylinuxguy.org,mylinuxguy.org
--cert-name mylinuxguy.org
--keep-until-expiring
--reinstall
--update
--server "https://acme-v02.api.letsencrypt.org/directory"
does not.
the log shows:
2018-04-13 09:55:04,653:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-13 09:55:06,353:INFO:certbot.hooks:Output from certbot-route53.sh:
1
2018-04-13 09:55:06,353:ERROR:certbot.hooks:Error output from certbot-route53.sh:
An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.mylinuxguy.org.', type='TXT'] but the values provided do not match the current values
Waiter ResourceRecordSetsChanged failed:
2018-04-13 09:56:08,311:INFO:certbot.hooks:Output from certbot-route53.sh:
1
I think that wildcard domain stuff uses the same name as the non-wildcard domain.. so
*.mylinuxguy.org and mylinuxguy.org use the same name for:
_acme-challenge.mylinuxguy.org
and that causes the aws route53 servers issues.
Just wanted to see if anyone else has tried this and gotten it to work.
The text was updated successfully, but these errors were encountered: