jed / certbot-route53
Helping create Let's Encrypt certificates for AWS Route53
License: MIT License
FYI, the `-r` option is only available in the GNU version of sed; symptoms include:
sed: illegal option -- r
On macOS this can be corrected by running `brew install gnu-sed` and changing the invocation of `sed` to `gsed`.
Please consider adding this to the documentation. Otherwise works like a charm!
Hi,
With the latest changes, I can't seem to request a certificate for a specific machine. I'm running the following:
# certbot-route53.sh --agree-tos --manual-public-ip-logging-ok --domains hostname.domain.com --email [email protected]
I am hosting my domain.com on Route 53 and before today, this worked just fine and requested a certificate for the machine named hostname.domain.com. Today, it no longer works because it tries to search for hostname.domain.com on Route 53 and fails immediately.
If I use `--domains domain.com` it works, but creates a certificate with CN=domain.com which will fail validation if used for HTTPS on hostname.domain.com.
Am I doing something wrong?
I've had problems in Ubuntu because the script begins with `#!/bin/sh` but uses bash-specific syntax. I would like to recommend that the first line is instead changed to `#!/usr/bin/env bash` as per https://stackoverflow.com/a/10383546/2482776.
Hi,
Thank you for the script.
I have been trying Certbot manually and using your script.
While it is running, Route 53 shows the TXT being created AND removed.
However, it seems that Route 53 will not allow queries for the TXT record.
The script produces this:
"Failed authorization procedure. nginx.remcam.io (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.nginx.remcam.io, remcam.io (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.remcam.io"
Any idea what is going on?
The TXT record is created and disappears, but the DNS lookup to Route 53 fails. Tried setting the local DNS server to 8.8.8.8.
bash-3.2$ certbot -v certonly -d <domain> -d *.<domain> --dns-route53 --logs-dir /Users/username/letsencrypt/log/ --config-dir /Users/username/letsencrypt/config/ --work-dir /Users/username/letsencrypt/work/ -m <email> --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory --dns-route53-propagation-seconds 60
Saving debug log to /Users/username/letsencrypt/log/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Requesting a certificate for <domain> and *.<domain>
Performing the following challenges:
dns-01 challenge for <domain>
dns-01 challenge for <domain>
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain <domain>
Challenge failed for domain <domain>
dns-01 challenge for <domain>
dns-01 challenge for <domain>
Certbot failed to authenticate some domains (authenticator: dns-route53). The Certificate Authority reported these problems:
Domain: <domain>
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.<domain> - the domain's nameservers may be malfunctioning
Domain: <domain>
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.<domain> - the domain's nameservers may be malfunctioning
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-route53. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-route53-propagation-seconds (currently 60 seconds).
Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /Users/username/letsencrypt/log/letsencrypt.log or re-run Certbot with -v for more details.
Hi, I try to install this package using pip on Fedora 26 and get this:
...
Installing collected packages: setuptools, zope.interface, ConfigArgParse, six, configobj, pytz, pyrfc3339, idna, pycparser, cffi, ipaddress, cryptography, PyOpenSSL, zope.event, zope.component, urllib3, chardet, certifi, requests, funcsigs, pbr, mock, acme, future, parsedatetime, certbot, python-dateutil, jmespath, docutils, botocore, futures, s3transfer, boto3, certbot-dns-route53, certbot-route53
Found existing installation: setuptools 36.2.0
Uninstalling setuptools-36.2.0:
Successfully uninstalled setuptools-36.2.0
Rolling back uninstall of setuptools
Exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/usr/lib/python2.7/site-packages/pip/commands/install.py", line 365, in run
strip_file_prefix=options.strip_file_prefix,
File "/usr/lib/python2.7/site-packages/pip/req/req_set.py", line 784, in install
**kwargs
File "/usr/lib/python2.7/site-packages/pip/req/req_install.py", line 854, in install
strip_file_prefix=strip_file_prefix
File "/usr/lib/python2.7/site-packages/pip/req/req_install.py", line 1069, in move_wheel_files
strip_file_prefix=strip_file_prefix,
File "/usr/lib/python2.7/site-packages/pip/wheel.py", line 247, in move_wheel_files
prefix=prefix,
File "/usr/lib/python2.7/site-packages/pip/locations.py", line 140, in distutils_scheme
d = Distribution(dist_args)
File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 365, in __init__
self._finalize_requires()
File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 372, in _finalize_requires
if not self.install_requires:
AttributeError: Distribution instance has no attribute 'install_requires'
What am I doing wrong?
Here is certbot53, a script I wrote to use this project:
```bash
#!/bin/bash
# certbot53: wraps certbot-route53.sh and then builds the single
# key+chain PEM file that Pound expects.
set -euo pipefail

#STAGING=--staging
STAGING=${STAGING:-}          # empty unless the line above is uncommented
CERT_DIR=/etc/pound/certbot
DOMAIN=scalacourses.com
MAIL_ADDR='[email protected]'
SCRIPT_NAME=certbot-route53.sh

# certbot-route53.sh keeps its config/work/log dirs under $PWD/letsencrypt,
# so the directory must be writable by the invoking user. Hand it to that
# user rather than opening it to everyone (chmod 777): live/ will hold the
# private key.
if [ ! -d "$CERT_DIR/letsencrypt" ]; then sudo mkdir -p "$CERT_DIR/letsencrypt"; fi
sudo chown "$(id -u):$(id -g)" "$CERT_DIR/letsencrypt"
chmod 700 "$CERT_DIR/letsencrypt"
cd "$CERT_DIR"
if [ ! -f "$CERT_DIR/$SCRIPT_NAME" ]; then
  sudo curl -sL https://git.io/vylLx -o "$SCRIPT_NAME"
  sudo chmod a+x "$SCRIPT_NAME"
fi
# $STAGING is deliberately left unquoted: when empty it must expand to no argument.
./"$SCRIPT_NAME" \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains "$DOMAIN,www.$DOMAIN" \
  --renew-by-default \
  --email "$MAIL_ADDR" $STAGING

PRIV_KEY="$CERT_DIR/letsencrypt/live/$DOMAIN/privkey.pem"
FULL_CHAIN="$CERT_DIR/letsencrypt/live/$DOMAIN/fullchain.pem"
COMBINED="$CERT_DIR/combined-for-pound.pem"
# The combined file contains the private key: keep it readable by root only.
cat "$PRIV_KEY" "$FULL_CHAIN" | sudo tee "$COMBINED" > /dev/null
sudo chmod 600 "$COMBINED"
```
I have a Route 53 public hosted zone called scalacourses.com, and it defines entries for scalacourses.com and www.scalacourses.com. Following is the output from running the script. I do not understand the error messages:
No hosted zone found that matches domain com or hostname scalacourses.com
No hosted zone found that matches domain scalacourses.com or hostname www.scalacourses.com
./$SCRIPT_NAME \
--agree-tos \
--manual-public-ip-logging-ok \
--domains $DOMAIN,www.$DOMAIN \
--renew-by-default \
--email $MAIL_ADDR $STAGING
+ ./certbot-route53.sh --agree-tos --manual-public-ip-logging-ok --domains scalacourses.com,www.scalacourses.com --renew-by-default --email [email protected] --staging
Saving debug log to /etc/pound/certbot/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for scalacourses.com
dns-01 challenge for www.scalacourses.com
Output from certbot-route53.sh:
No hosted zone found that matches domain com or hostname scalacourses.com
Hook command "/etc/pound/certbot/certbot-route53.sh" returned error code 1
Output from certbot-route53.sh:
No hosted zone found that matches domain scalacourses.com or hostname www.scalacourses.com
Hook command "/etc/pound/certbot/certbot-route53.sh" returned error code 1
Waiting for verification...
Cleaning up challenges
Output from certbot-route53.sh:
No hosted zone found that matches domain com or hostname scalacourses.com
Hook command "/etc/pound/certbot/certbot-route53.sh" returned error code 1
Output from certbot-route53.sh:
No hosted zone found that matches domain scalacourses.com or hostname www.scalacourses.com
Hook command "/etc/pound/certbot/certbot-route53.sh" returned error code 1
Failed authorization procedure. www.scalacourses.com (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.scalacourses.com, scalacourses.com (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.scalacourses.com
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.scalacourses.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.www.scalacourses.com
Domain: scalacourses.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.scalacourses.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I get the following error:
./certbot-route53.sh: 29: ./certbot-route53.sh: Syntax error: redirection unexpected
when trying to run:
```
sh certbot-route53.sh \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains testing.ec-internal.com \
  --email [email protected]
```
Please help
When I execute for example this (like in the README):
./certbot-route53.sh \
--agree-tos \
--manual-public-ip-logging-ok \
--domains example.de,www.example.de \
--email [email protected]
I get this error:
++ aws route53 change-resource-record-sets --hosted-zone-id /hostedzone/XYZ --query ChangeInfo.Id --output text --change-batch '{
"Changes": [
"ResourceRecordSet": {
"Name": "_acme-challenge.www.example.de.",
"ResourceRecords": ["Value": "\"qnWBjfJe5sR0LmBzy0dAku0IVljLCTGp_jYMmBVzAy0\""}]
]
}'
Error parsing parameter '--change-batch': Invalid JSON: Expecting ',' delimiter: line 3 column 28 (char 48)
JSON received: {
"Changes": [
"ResourceRecordSet": {
"Name": "_acme-challenge.www.example.de.",
"ResourceRecords": ["Value": "\"qnWBjfJe5sR0LmBzy0dAku0IVljLCTGp_jYMmBVzAy0\""}]
]
}
Any ideas?
Thanks for this script, it is perfectly working ... but for creation only!
It would be great if it could also work for renewal. I gave it a try, replacing the "certonly" verb by "renew", but it is not working well, as it only renews the first certificate of the list. Then it tries to delete an acme challenge for the second one, before even creating it.
Here is the output for the second execution:
Saving debug log to /home/kops/infra/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /home/kops/infra/letsencrypt/renewal/srv1.exemple.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
-------------------------------------------------------------------------------
Processing /home/kops/infra/letsencrypt/renewal/srv2.exemple.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for srv2.exemple.com
Output from certbot-route53-renew.sh:
1
Waiting for verification...
Cleaning up challenges
Output from certbot-route53-renew.sh:
1
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/home/kops/infra/letsencrypt/live/srv2.exemple.com/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Processing /home/kops/infra/letsencrypt/renewal/srv3.exemple.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for srv3.exemple.com
Output from certbot-route53-renew.sh:
1
Error output from certbot-route53-renew.sh:
An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.srv3.exemple.com.', type='TXT'] but it was not found
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument --id: expected one argument
Waiting for verification...
Cleaning up challenges
Output from certbot-route53-renew.sh:
1
Error output from certbot-route53-renew.sh:
An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.srv3.exemple.com.', type='TXT'] but it was not found
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument --id: expected one argument
Attempting to renew cert (srv3.exemple.com) from /home/kops/infra/letsencrypt/renewal/srv3.exemple.com.conf produced an unexpected error: Failed authorization procedure. srv3.exemple.com (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.srv3.exemple.com. Skipping.
The following certs could not be renewed:
/home/kops/infra/letsencrypt/live/srv3.exemple.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/home/kops/infra/letsencrypt/live/srv1.exemple.com/fullchain.pem (skipped)
The following certs were successfully renewed:
/home/kops/infra/letsencrypt/live/srv2.exemple.com/fullchain.pem (success)
The following certs could not be renewed:
/home/kops/infra/letsencrypt/live/srv3.exemple.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: srv3.exemple.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.srv3.exemple.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Description
certbot-route53.sh has bash-specific features, see #2.
Per documentation:
3. Download the certbot-route53.sh script.
   chmod a+x certbot-route53.sh
4. Run the script with your (comma-separated) domain(s) and email address:
   sh certbot-route53.sh \
Error
`sh certbot-route53.sh ...` would fail if `sh` is not bash-compatible (for example, it is a link to the minimalistic /bin/dash on Ubuntu 16.04 LTS).
Suggestion
Either drop `sh` in step 4 (the script is already made executable with `chmod a+x ...` in step 3), or replace `sh` with `bash` in step 4: `bash certbot-route53.sh ...`
Thanks for this script. I realized that the internal sed command does not work when the host name is made up of more than three levels. For example, mail.external.example.com should return DOMAIN "example.com", but the value is "external.example.com":
```
# CERTBOT_DOMAIN is a hostname, not a domain (zone)
# We strip out the hostname part to leave only the domain
DOMAIN="$(sed -r 's/^[^.]+.(.*)$/\1/' <<< "${CERTBOT_DOMAIN}")"
```
Not sure where the fault lies... I think it's certbot....
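Several reports on this page come down to the same step: the sed line above strips exactly one label, so it yields the wrong zone for names three or more labels deep, while the earlier reports of "No hosted zone found that matches domain com or hostname scalacourses.com" and of a hostname being looked up as if it were a zone show the other side of the same problem. The robust way to find the hosted zone for a name is to walk up the name one label at a time and take the longest suffix that is an existing zone. The block below is an added example written for this page, not the project's certbot-route53.sh; it is POSIX sh (it runs under dash, which matters given the `#!/bin/sh` issue above), the function names are assumed, and the zone list it expects is the shape that `aws route53 list-hosted-zones --query 'HostedZones[].[Id,Name]' --output text` prints. The sample zone list at the bottom is constructed.

```sh
#!/bin/sh
# Added example (not the project's certbot-route53.sh): pick the Route 53 hosted
# zone for a name by longest-suffix match, in POSIX sh so it runs under dash.

# zone_id_for NAME ZONES
#   NAME  : the domain certbot hands the hook (CERTBOT_DOMAIN); "*.x" is accepted
#   ZONES : newline-separated "ID<TAB>NAME." lines, i.e. the output of
#           aws route53 list-hosted-zones --query 'HostedZones[].[Id,Name]' --output text
# Prints the ID of the longest matching zone; returns 1 when nothing matches.
zone_id_for() {
  candidate=${1#\*.}          # "*.example.com" is validated at example.com
  candidate=${candidate%.}    # tolerate a trailing dot
  zones=$2
  while [ -n "$candidate" ]; do
    # Zone names carry a trailing dot; compare whole names, not substrings,
    # so "ample.com." can never match "example.com.".
    id=$(printf '%s\n' "$zones" |
         awk -F '\t' -v want="$candidate." '$2 == want { print $1; exit }')
    if [ -n "$id" ]; then
      printf '%s\n' "$id"
      return 0
    fi
    case $candidate in
      *.*) candidate=${candidate#*.} ;;   # drop the leftmost label and retry
      *)   candidate= ;;                  # one label left: nothing above it to try
    esac
  done
  return 1
}

# Constructed sample zone list (what the aws command above would print).
SAMPLE_ZONES=$(printf '/hostedzone/ZAPEX\texample.com.\n/hostedzone/ZSUB\tinternal.example.com.\n/hostedzone/ZORG\texample.org.\n')

zone_id_for mail.external.example.com "$SAMPLE_ZONES"   # /hostedzone/ZAPEX
zone_id_for host.internal.example.com "$SAMPLE_ZONES"   # /hostedzone/ZSUB (deeper zone wins)
```

In a hook you would call `zone_id_for "$CERTBOT_DOMAIN" "$(aws route53 list-hosted-zones --query 'HostedZones[].[Id,Name]' --output text)"`. Two caveats: a private hosted zone can have the same name as the public one, so filter on `Config.PrivateZone` in the query if the account has both; and a zone existing in Route 53 only proves the record lands in that zone, the CA resolves through whatever name servers the parent delegates to, so the zone's NS set must match the delegation at the registrar.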
This works:
```
sh ./certbot-route53.sh \
  --expand \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains www.mylinuxguy.org,mylinuxguy.org \
  --cert-name mylinuxguy.org \
  --keep-until-expiring \
  --reinstall \
  --update \
  --server "https://acme-v02.api.letsencrypt.org/directory"
```
and this works:
```
sh ./certbot-route53.sh \
  --expand \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains *.mylinuxguy.org \
  --cert-name mylinuxguy.org \
  --keep-until-expiring \
  --reinstall \
  --update \
  --server "https://acme-v02.api.letsencrypt.org/directory"
```
but this:
```
sh ./certbot-route53.sh \
  --expand \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains *.mylinuxguy.org,mylinuxguy.org \
  --cert-name mylinuxguy.org \
  --keep-until-expiring \
  --reinstall \
  --update \
  --server "https://acme-v02.api.letsencrypt.org/directory"
```
does not.
the log shows:
2018-04-13 09:55:04,653:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-13 09:55:06,353:INFO:certbot.hooks:Output from certbot-route53.sh:
1
2018-04-13 09:55:06,353:ERROR:certbot.hooks:Error output from certbot-route53.sh:
An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.mylinuxguy.org.', type='TXT'] but the values provided do not match the current values
Waiter ResourceRecordSetsChanged failed:
2018-04-13 09:56:08,311:INFO:certbot.hooks:Output from certbot-route53.sh:
1
I think that the wildcard domain uses the same name as the non-wildcard domain, so *.mylinuxguy.org and mylinuxguy.org use the same name for _acme-challenge.mylinuxguy.org, and that causes the AWS Route 53 servers issues.
Just wanted to see if anyone else has tried this and gotten it to work.
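Two of the failures on this page are about how the TXT record set handed to `change-resource-record-sets` is built: the "Invalid JSON" rejection of a malformed `--change-batch`, and the wildcard plus apex request above, whose cleanup DELETE was refused because "the values provided do not match the current values". `*.mylinuxguy.org` and `mylinuxguy.org` are validated at the same name, `_acme-challenge.mylinuxguy.org`, so one record set has to hold both tokens at once, and Route 53 only accepts a DELETE that lists every value currently in the set. The block below is an added example written for this page, not the project's hook script; it is POSIX sh, the function names are assumed, and the tokens it prints are constructed stand-ins for CERTBOT_VALIDATION values.

```sh
#!/bin/sh
# Added example (not the project's hook): build the --change-batch JSON for the
# dns-01 TXT record so that the quoting is right and one record set can carry
# several values, which is what the apex + wildcard case needs.

# dns01_record_name DOMAIN -> the challenge record's FQDN, with trailing dot.
# "*.example.com" and "example.com" both map to _acme-challenge.example.com.
dns01_record_name() {
  name=${1#\*.}
  name=${name%.}
  printf '_acme-challenge.%s.\n' "$name"
}

# acme_change_batch ACTION DOMAIN VALUE [VALUE...]
#   ACTION : UPSERT to publish, DELETE to remove. DELETE must list every value
#            currently in the set or Route 53 answers InvalidChangeBatch.
#   VALUE  : one ACME validation token per TXT string (base64url, so nothing
#            needs JSON escaping beyond the literal quotes Route 53 requires).
acme_change_batch() {
  action=$1
  record=$(dns01_record_name "$2")
  shift 2
  [ "$#" -ge 1 ] || { echo 'acme_change_batch: at least one value required' >&2; return 2; }
  records=
  for v in "$@"; do
    # Route 53 stores TXT strings with surrounding double quotes, so the JSON
    # string must contain them escaped: {"Value":"\"token\""}
    records="${records:+$records,}{\"Value\":\"\\\"$v\\\"\"}"
  done
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":60,"ResourceRecords":[%s]}}]}\n' \
    "$action" "$record" "$records"
}

# Constructed tokens standing in for the two CERTBOT_VALIDATION values certbot
# issues when example.com and *.example.com are requested in one run: both end
# up in a single record set under _acme-challenge.example.com.
acme_change_batch UPSERT '*.example.com' tokenForApex_0 tokenForWildcard_1
```

In an auth hook, first read what is already published for the name (the values come back with their quotes, which you strip before reusing them):
`aws route53 list-resource-record-sets --hosted-zone-id "$ZONE_ID" --query "ResourceRecordSets[?Name=='$(dns01_record_name "$CERTBOT_DOMAIN")' && Type=='TXT'].ResourceRecords[].Value" --output text`, append `$CERTBOT_VALIDATION`, and UPSERT the union; the cleanup hook either DELETEs with that same full set or UPSERTs the set minus its own token while other challenges for the name are still pending. Pass the JSON as `--change-batch "$(acme_change_batch ...)"`, capture `--query ChangeInfo.Id --output text`, and only run `aws route53 wait resource-record-sets-changed --id "$change_id"` when `$change_id` is non-empty: the `argument --id: expected one argument` lines in the renewal log above are what you get when the change call failed and the empty ID is passed on anyway.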
Thank you for this great script! We placed our script in /usr/local/sbin/certbot-route53.sh and we use the Debian certbot package's default config location of /etc/letsencrypt/.
We had to replace $PWD with $SCRIPT and $CONFIG variables that held these paths for these reasons:
Other users might find it helpful to have similar variables near top of script, even if the default values for CONFIG and SCRIPT remain $PWD/letsencrypt and $PWD/$0 for now.
```bash
CONFIG=/etc/letsencrypt
SCRIPT=/usr/local/sbin/certbot-route53.sh
certbot certonly \
  --non-interactive \
  --manual \
  --manual-auth-hook "$SCRIPT" \
  --manual-cleanup-hook "$SCRIPT" \
  --preferred-challenge dns \
  --config-dir "$CONFIG" \
  --work-dir "$CONFIG" \
  --logs-dir "$CONFIG" \
  "$@"   # pass the caller's options through (e.g. --domains, --email) without re-splitting them
```
Thanks again for publishing this!