
route53 error when ordering cert with sub domain as common name and wildcard as alt name #31

Closed
cswilliams opened this issue May 18, 2018 · 5 comments

@cswilliams

First off, many thanks for updating your gem to handle v2. I'm really excited to try out wildcard certificates.

I'm running into an issue on v2.0.2 of the gem when ordering a certificate. It seems like Route53 is throwing errors because acmesmith is trying to create the same TXT record twice.

Essentially I'm trying to order a certificate with christestnew.mycompany.com as the common name and a wildcard *.christestnew.mycompany.com as an alt name.

Here's the command that I ran and the output:

```text
> acmesmith order christestnew.mycompany.com *.christestnew.mycompany.com
=> Ordering a certificate for the following identifiers:

 * christestnew.mycompany.com
 * *.christestnew.mycompany.com

=> Generating CSR
=> Placing an order
=> Looking for required domain authorizations

 * christestnew.mycompany.com
 * christestnew.mycompany.com

=> Responsing to the challenges for the following identifier:

 * Responder:   Acmesmith::ChallengeResponders::Route53
 * Identifiers:
     - christestnew.mycompany.com (dns-01)
     - christestnew.mycompany.com (dns-01)

=> Requesting RRSet change for challenge response

 * /hostedzone/XXXXXXXXXXXXXX:
   - UPSERT: _acme-challenge.christestnew.mycompany.com 5 TXT "u9b3NTcVRnDOJ9xIph6f4BWp7bYmzSF9eIsBR8HbSy4"
   - UPSERT: _acme-challenge.christestnew.mycompany.com 5 TXT "4XQBBIkJ2xm4oBh2QcLu47Y4demHBBnJ-FGmOAVN0jc"
   ... /usr/local/rvm/gems/ruby-2.3.5/gems/aws-sdk-core-3.13.0/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call': The request contains an invalid set of changes for a resource record set 'TXT _acme-challenge.christestnew.mycompany.com.' (Aws::Route53::Errors::InvalidChangeBatch)
```
@sorah (Owner)

sorah commented May 19, 2018

🤔 🤔 🤔 🤔

Looks like LE requests a user to validate ownership for the same identifier twice...

@cswilliams (Author)

Yeah, I'm not sure what the right solution is... I know some CAs automatically add the root domain as an alt name if you only request a wildcard, so I tried that. That worked and didn't give any Route53 errors, but the new LE certificate only included the wildcard hostname and not the root, unfortunately.

@chiro (Contributor)

chiro commented May 19, 2018

According to https://community.letsencrypt.org/t/confusing-on-root-domain-with-wildcard-cert/56113/4, adding 2 TXT values is the expected workflow. Manually inserting 2 TXT records is supported by Route 53 at least. I don't know whether aws-sdk-route53 supports it or not though.

@cswilliams (Author)

Interesting, I know in the past I've been able to add multiple TXT entries in a single record by putting them on separate lines.

https://serverfault.com/questions/616407/tried-to-create-2-record-set-type-txt-in-route53

@sorah sorah closed this as completed in 25bde4f May 19, 2018
@sorah (Owner)

sorah commented May 19, 2018

I thought so too (and it works!) so released v2.0.3.

@sorah sorah self-assigned this May 19, 2018
@sorah sorah added the bug label May 19, 2018
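The thread's conclusion is that the two dns-01 tokens for the apex and the wildcard must land in one `_acme-challenge` RRSet with two TXT values, not in two UPSERTs for the same RRSet. Below is an added example (not acmesmith's own code or the v2.0.3 fix) that groups challenge records by name and builds a single change batch in the parameter shape `Aws::Route53::Client#change_resource_record_sets` accepts; the hosted zone id is the placeholder from the issue output and the challenge tokens are the two values shown above.

```ruby
# Added example: merge dns-01 challenge records that share a name into ONE
# UPSERT carrying several TXT values. Route 53 rejects a change batch that
# touches the same RRSet twice (InvalidChangeBatch) but accepts one RRSet
# with multiple resource_records. Pure Ruby; the aws-sdk-route53 call at the
# bottom is shown commented out so this runs offline.

HOSTED_ZONE_ID = '/hostedzone/XXXXXXXXXXXXXX' # placeholder copied from the issue
TTL = 5

# challenges: array of { name: '_acme-challenge.<domain>', value: '<token>' }
def build_change_batch(challenges, ttl: TTL)
  # Normalise to a fully qualified name so 'a.b.c' and 'a.b.c.' group together.
  grouped = challenges.group_by { |c| c[:name].chomp('.') + '.' }
  changes = grouped.map do |fqdn, recs|
    {
      action: 'UPSERT',
      resource_record_set: {
        name: fqdn,
        type: 'TXT',
        ttl: ttl,
        # TXT values must be quoted; duplicates are dropped to avoid a second
        # rejection (Route 53 also refuses identical values in one RRSet).
        resource_records: recs.map { |r| { value: %("#{r[:value]}") } }.uniq,
      },
    }
  end
  { hosted_zone_id: HOSTED_ZONE_ID, change_batch: { changes: changes } }
end

# Constructed sample: the apex and wildcard identifiers from the issue both
# resolve to the same _acme-challenge name, each with its own token.
SAMPLE_CHALLENGES = [
  { name: '_acme-challenge.christestnew.mycompany.com',
    value: 'u9b3NTcVRnDOJ9xIph6f4BWp7bYmzSF9eIsBR8HbSy4' },
  { name: '_acme-challenge.christestnew.mycompany.com',
    value: '4XQBBIkJ2xm4oBh2QcLu47Y4demHBBnJ-FGmOAVN0jc' },
].freeze

if __FILE__ == $PROGRAM_NAME
  require 'pp'
  pp build_change_batch(SAMPLE_CHALLENGES)
  # With the aws-sdk-route53 gem and credentials in place, the same hash is
  # passed straight through:
  #   Aws::Route53::Client.new.change_resource_record_sets(build_change_batch(SAMPLE_CHALLENGES))
end
```

The resulting batch contains a single UPSERT whose `resource_records` holds both quoted tokens, which is the form Route 53 accepts for the apex-plus-wildcard order.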