Netgate Discussion Forum
    Wildcard Generation Error `Error rm webroot api for domain:dns_aws` Despite Success?

    • postables

      Hello, I attempted to generate a wildcard certificate using ACMEv2 and Route53. It looks like the generation was successful, since I had the following log information (note: domain names and sensitive keys have been replaced with ...):

      ...
      Renewing certificate
      account: .....
      server: letsencrypt-production-2
      
      
      /usr/local/pkg/acme/acme.sh --issue -d '...' --dns 'dns_aws' -d '*....' --dns 'dns_aws' --home '/tmp/acme/.../' --accountconf '/tmp/acme/.../accountconf.conf' --force --reloadCmd '/tmp/acme/.../reloadcmd.sh' --log-level 3 --log '/tmp/acme/.../acme_issuecert.log'
      
      Array
      (
      [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
      [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
      [AWS_ACCESS_KEY_ID] => ......
      [AWS_SECRET_ACCESS_KEY] => .........
      )
      [Sun Mar 3 22:05:29 PST 2019] Multi domain='DNS:...,DNS:*....'
      [Sun Mar 3 22:05:29 PST 2019] Getting domain auth token for each domain
      [Sun Mar 3 22:05:32 PST 2019] Getting webroot for domain='...'
      [Sun Mar 3 22:05:32 PST 2019] Getting webroot for domain='*....'
      [Sun Mar 3 22:05:32 PST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_aws.sh
      [Sun Mar 3 22:05:32 PST 2019] Geting existing records for _acme-challenge....
      [Sun Mar 3 22:05:33 PST 2019] TXT record updated successfully.
      [Sun Mar 3 22:05:33 PST 2019] Sleep 120 seconds for the txt records to take effect
      [Sun Mar 3 22:07:33 PST 2019] Verifying: ...
      [Sun Mar 3 22:07:37 PST 2019] Success
      [Sun Mar 3 22:07:37 PST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_aws.sh
      [Sun Mar 3 22:07:37 PST 2019] *.... is already verified, skip dns-01.
      [Sun Mar 3 22:07:37 PST 2019] Removing DNS records.
      [Sun Mar 3 22:07:38 PST 2019] Getting existing records for _acme-challenge....
      [Sun Mar 3 22:07:39 PST 2019] TXT record deleted successfully.
      [Sun Mar 3 22:07:39 PST 2019] Verify finished, start to sign.
      [Sun Mar 3 22:07:41 PST 2019] Cert success.
      -----BEGIN CERTIFICATE-----
      ........
      -----END CERTIFICATE-----
      [Sun Mar 3 22:07:41 PST 2019] Your cert is in /tmp/acme/...//.../....cer
      [Sun Mar 3 22:07:41 PST 2019] Your cert key is in /tmp/acme/...//.../....key
      [Sun Mar 3 22:07:41 PST 2019] The intermediate CA cert is in /tmp/acme/...//.../ca.cer
      [Sun Mar 3 22:07:41 PST 2019] And the full chain certs is there: /tmp/acme/...//.../fullchain.cer
      [Sun Mar 3 22:07:41 PST 2019] Run reload cmd: /tmp/acme/.../reloadcmd.sh
      
      IMPORT CERT ..., /tmp/acme/.../.../....key, /tmp/acme/.../.../....cer
      update cert![Sun Mar 3 22:07:42 PST 2019] Reload success
      [Sun Mar 3 22:07:37 PST 2019] Invalid domain
      [Sun Mar 3 22:07:37 PST 2019] invalid domain
      [Sun Mar 3 22:07:37 PST 2019] Error rm webroot api for domain:dns_aws
      

      I'm not quite sure if the generation was successful, given the last 3 lines of the log are:

      [Sun Mar 3 22:07:37 PST 2019] Invalid domain
      [Sun Mar 3 22:07:37 PST 2019] invalid domain
      [Sun Mar 3 22:07:37 PST 2019] Error rm webroot api for domain:dns_aws
      
      • Gertjan

        Hi,

        You received the cert, so all is well.

        The part that flags an error is the "rm" (or ReMove) part of the AWS API.
        The API added a TXT record to your domain zone, Letsencrypt checks that entry, all is well, you obtained a certificate.
        Then acme cleans up that TXT entry using nearly identical code, using the remove command instead of the add command, and that part fails.
        Check your domain (DNS) zone yourself: you would find the TXT record, and you can delete it manually. But I guess it's not needed.
        This is - for me - clearly an issue with acme.sh => the dns_aws API plugin.

        Use

        --debug 2
        

        to see more details in the log.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          • postables
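        A check an administrator could run over the acme.sh issue log to tell the case in this thread (record added, verified, deleted, and then a spurious error from the rm step) apart from a real cleanup failure that leaves the _acme-challenge TXT record in the zone. This is an added example, not part of the thread or of acme.sh; the sample log is constructed from the lines quoted above, with example.com standing in for the redacted zone.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the acme.sh log quoted in the thread; the
# redacted zone is replaced with the placeholder example.com.
SAMPLE_LOG = """\
[Sun Mar 3 22:05:33 PST 2019] TXT record updated successfully.
[Sun Mar 3 22:07:38 PST 2019] Getting existing records for _acme-challenge.example.com
[Sun Mar 3 22:07:39 PST 2019] TXT record deleted successfully.
[Sun Mar 3 22:07:41 PST 2019] Cert success.
update cert![Sun Mar 3 22:07:42 PST 2019] Reload success
[Sun Mar 3 22:07:37 PST 2019] Invalid domain
[Sun Mar 3 22:07:37 PST 2019] Error rm webroot api for domain:dns_aws
"""

@dataclass
class IssueSummary:
    cert_issued: bool = False
    txt_added: bool = False
    txt_deleted: bool = False
    challenge_names: set = field(default_factory=set)
    cleanup_errors: list = field(default_factory=list)

    def verdict(self) -> str:
        if not self.cert_issued:
            return "FAILED"
        if self.txt_added and not self.txt_deleted:
            return "ISSUED_CLEANUP_FAILED"   # challenge TXT probably still in the zone
        if self.cleanup_errors:
            return "ISSUED_CLEANUP_NOISY"    # record removed, plugin logged errors anyway
        return "ISSUED_CLEAN"

def summarize(log_text: str) -> IssueSummary:
    """Classify acme.sh --issue output. Order-insensitive: the dns_aws rm errors
    land after 'Reload success', and reloadcmd output can be glued before a timestamp."""
    s = IssueSummary()
    for raw in log_text.splitlines():
        m = re.search(r"\[[^\]]+\] (.*)", raw)          # message after the timestamp
        msg = (m.group(1) if m else raw).strip()
        if msg.startswith("Cert success"):
            s.cert_issued = True
        elif msg.startswith("TXT record updated successfully"):
            s.txt_added = True
        elif msg.startswith("TXT record deleted successfully"):
            s.txt_deleted = True
        elif msg.startswith("Getting existing records for "):
            s.challenge_names.add(msg[len("Getting existing records for "):].rstrip("."))
        elif msg.startswith("Error rm webroot api") or msg.lower() == "invalid domain":
            s.cleanup_errors.append(msg)
    return s
```

An ISSUED_CLEANUP_FAILED verdict is the one worth acting on: look up the names in challenge_names and remove the stale TXT records by hand, as suggested above.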

          Thanks for the response! It looks like the TXT records were deleted as well, so it must've been some superficial issue then. I'm able to use the certs successfully, so I would say this is a "non-issue".

            • Gertjan @postables

            @postables said in Wildcard Generation Error `Error rm webroot api for domain:dns_aws` Despite Success?:

            [Sun Mar 3 22:07:37 PST 2019] Removing DNS records.

            yep,

            [Sun Mar 3 22:07:39 PST 2019] TXT record deleted successfully
            

            Confirms what you're seeing.

              • luisenrique

              Something similar happened to me a while ago with duckdns and a wildcard certificate. I really don't worry about it any more... I received the certificate, so all is well... I will check on the next and last renewal...

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.