No luck with ACME + Amazon Route53
Now that wildcards are available from LE, I'm renewing my efforts to get one going, and then integrate with an HAProxy setup (not there yet). We use Amazon Route 53 already, so that's the method of choice. I've configured Amazon IAM credentials, and those are working in production for us for dynamic DNS.
I'm having trouble, though, even creating a subdomain certificate without the wildcard. This is the relevant bit of the response (though I do have the full log too; it seemed tougher to sanitize). I have tried a number of increasingly more permissive access policies in IAM, to no avail. The "invalid domain" thing is throwing me. If my pfSense is configured to use an internal DNS server (still on dnsmasq on this box too for clients LAN-side) for the domain in question, could that be getting in the way somehow?
Otherwise, maybe it is my IAM policy, but I've been trying just about everything to get it to work, with no luck. Or could there be a change in the Amazon API? My syntax for the policy still says it's using "Version": "2012-10-17".
I'm feeling somewhat stuck...
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[AWS_ACCESS_KEY_ID] => {IAM_KEY_ID}
[AWS_SECRET_ACCESS_KEY] => {IAM_SECRET_KEY}
[Mon Apr 30 12:29:56 EDT 2018] Registering account
[Mon Apr 30 12:29:57 EDT 2018] Already registered
[Mon Apr 30 12:29:57 EDT 2018] ACCOUNT_THUMBPRINT='{THUMBPRINT}'
[Mon Apr 30 12:29:57 EDT 2018] Single domain='schlowlibrary.org'
[Mon Apr 30 12:29:57 EDT 2018] Getting domain auth token for each domain
[Mon Apr 30 12:29:58 EDT 2018] Getting webroot for domain='DOMAIN.org'
[Mon Apr 30 12:29:59 EDT 2018] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_aws.sh
[Mon Apr 30 12:31:14 EDT 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
[Mon Apr 30 12:31:14 EDT 2018] invalid domain
[Mon Apr 30 12:31:14 EDT 2018] Error add txt for domain:_acme-challenge.DOMAIN.org
[Mon Apr 30 12:31:14 EDT 2018] Please check log file for more details: /tmp/acme/DOMAIN.org/acme_issuecert.log
After further diagnosis, this appears to be an upstream routing or firewall issue. pfSense cannot ping route53.amazonaws.com, and traceroute gets hung up 1 hop away at our ISP; working with them on that.
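The log above ends with libcurl error code 7 immediately before dns_aws.sh reports "invalid domain", and the follow-up confirms the cause was connectivity rather than the IAM policy. The following Python script is an added example, not part of the original post, acme.sh, or pfSense: it triages acme.sh DNS-01 log lines so an operator can separate a transport failure (nothing reached the Route 53 API) from an authorization failure (the API answered and rejected the request). The curl code names come from libcurl-errors.html, which the log links to. Two points are assumptions: that dns_aws.sh prints "invalid domain" when its hosted-zone lookup gets no usable answer, and that AWS error names such as AccessDenied appear verbatim in the acme.sh log when debug output is on. The sample log lines are constructed from the redacted excerpt above.

```python
"""Triage acme.sh DNS-01 failures from the lines the client logs.

Added example (not acme.sh, pfSense, or the original poster's code).
Decision rule: a libcurl error code means the HTTPS request to the
Route 53 endpoint never completed, so anything dns_aws.sh prints after
it (e.g. "invalid domain") is a consequence, not the root cause.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard libcurl CURLcode values and their names from libcurl-errors.html.
CURL_CODES = {
    6: ("CURLE_COULDNT_RESOLVE_HOST", "transport"),
    7: ("CURLE_COULDNT_CONNECT", "transport"),
    28: ("CURLE_OPERATION_TIMEDOUT", "transport"),
    35: ("CURLE_SSL_CONNECT_ERROR", "transport"),
    56: ("CURLE_RECV_ERROR", "transport"),
    60: ("CURLE_PEER_FAILED_VERIFICATION", "tls"),
}

# AWS API error codes returned when the request reached the service but was
# rejected. Assumption: acme.sh echoes the response body containing them.
AWS_AUTH_ERRORS = (
    "AccessDenied",
    "SignatureDoesNotMatch",
    "InvalidClientTokenId",
    "UnrecognizedClientException",
)

CURL_RE = re.compile(r"libcurl-errors\.html for error code:\s*(\d+)")
TIMESTAMP_RE = re.compile(r"^\[[^\]]+\]\s*")


@dataclass
class Triage:
    curl_code: Optional[int]
    curl_name: Optional[str]
    category: str  # transport | tls | auth | zone | unknown | ok
    verdict: str


def strip_timestamp(line: str) -> str:
    """Drop the leading '[Mon Apr 30 ...]' prefix acme.sh adds to each line."""
    return TIMESTAMP_RE.sub("", line).strip()


def parse_curl_error(line: str) -> Optional[int]:
    """Return the libcurl error code if the line carries one, else None."""
    m = CURL_RE.search(line)
    return int(m.group(1)) if m else None


def triage(lines: List[str]) -> Triage:
    """Classify a run of acme.sh log lines into one failure category."""
    code: Optional[int] = None
    saw_invalid_domain = saw_auth_error = saw_add_txt_error = False
    for raw in lines:
        line = strip_timestamp(raw)
        found = parse_curl_error(line)
        if found is not None:
            code = found
        if line == "invalid domain":
            saw_invalid_domain = True
        if any(tok in line for tok in AWS_AUTH_ERRORS):
            saw_auth_error = True
        if line.startswith("Error add txt"):
            saw_add_txt_error = True

    # A curl error dominates: the API call failed before any AWS response.
    if code is not None:
        name, category = CURL_CODES.get(code, (f"CURLcode {code}", "unknown"))
        return Triage(code, name, category,
                      "Request to the Route 53 endpoint did not complete; "
                      "check egress routing, firewall rules and DNS resolution "
                      "from the host before touching the IAM policy.")
    if saw_auth_error:
        return Triage(None, None, "auth",
                      "Route 53 answered and rejected the request; check the "
                      "IAM policy actions and the credentials in use.")
    if saw_invalid_domain:
        return Triage(None, None, "zone",
                      "Route 53 answered but no hosted zone matched the "
                      "domain; check the zone exists and ListHostedZones is allowed.")
    if saw_add_txt_error:
        return Triage(None, None, "unknown", "TXT record add failed for an unlisted reason.")
    return Triage(None, None, "ok", "No DNS-01 failure found in these lines.")


# Constructed sample, redacted in the same way as the excerpt above.
SAMPLE_LOG = [
    "[Mon Apr 30 12:29:59 EDT 2018] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_aws.sh",
    "[Mon Apr 30 12:31:14 EDT 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7",
    "[Mon Apr 30 12:31:14 EDT 2018] invalid domain",
    "[Mon Apr 30 12:31:14 EDT 2018] Error add txt for domain:_acme-challenge.DOMAIN.org",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result.category, result.curl_name, "-", result.verdict)
```

Feed it the lines from /tmp/acme/<domain>/acme_issuecert.log; on the excerpt above it reports "transport CURLE_COULDNT_CONNECT", which points at the path to the Route 53 endpoint rather than at IAM.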