acme and amazon route 53 chooses wrong DNS zone


  • Hi folks,

    Thanks for having this nice ACME pkg included right in the pfSense GUI. Unfortunately I found that the ACME pkg does a "bottom-up" or "right-to-left" search for Amazon zones when it should do a "top-down" or "left-to-right" search instead.

    And BTW it only does it in the wrong order for production; in staging it gets the search order right.

    Assume the following zones at Amazon Route 53:

    site.com zone abc1
    sub.site.com zone abc2
    level4.sub.site.com zone abc3
    _acme.challenge.level4.sub.site.com zone abc4

    So whilst trying to get an LE certificate for dns domain name 'level4.sub.site.com' it reports that the IAM restricted user does not have rights on zone abc1 when trying to issue a production certificate, when it should have checked rights for zone abc4 instead. But when using the staging LE servers it does properly check for rights on zone abc4.

    Can you please look into this behaviour and correct it?

    Thanks in advance.

    Please be in touch if I need to make some test domain(s) available for testing this and getting it fixed on amazon route 53.

    And if this is not the right place to report this, then please point me in the right direction.

    All the best and stay healthy.
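The "top-down" zone choice the post asks for, written out as an added POSIX sh example (this is not acme.sh's own dnsapi code): the hosted-zone names and ids below are a constructed inventory using the standard `_acme-challenge` DNS-01 label, and the zone whose name is the longest label-aligned suffix of the record name wins, which is also the single zone a least-privilege IAM policy can then be scoped to.

```shell
#!/bin/sh
# Constructed hosted-zone inventory ("name:id"), standing in for what
# Route 53 ListHostedZones would return. The ids are made-up examples.
ZONES="site.com.:abc1
sub.site.com.:abc2
level4.sub.site.com.:abc3
_acme-challenge.level4.sub.site.com.:abc4"

# pick_zone RECORD_FQDN
# Prints "ZONE_NAME ZONE_ID" for the most specific hosted zone containing
# RECORD_FQDN, i.e. the zone whose name is the longest suffix of it.
# Returns 1 when no hosted zone covers the name at all.
pick_zone() {
    fqdn=${1%.}          # Route 53 names carry a trailing dot; normalise
    best_name=""
    best_id=""
    best_len=0
    for entry in $ZONES; do
        zname=${entry%%:*}
        zname=${zname%.}
        zid=${entry#*:}
        # A zone applies only if its name equals the FQDN or is a suffix
        # starting at a label boundary ("ite.com" must not match "site.com").
        case "$fqdn" in
            "$zname"|*".$zname") ;;
            *) continue ;;
        esac
        # Keep the longest (most specific) match seen so far.
        if [ "${#zname}" -gt "$best_len" ]; then
            best_name=$zname
            best_id=$zid
            best_len=${#zname}
        fi
    done
    [ -n "$best_id" ] || return 1
    printf '%s %s\n' "$best_name" "$best_id"
}

# The DNS-01 record for the certificate name in the post lands in abc4,
# not in the apex zone abc1.
pick_zone "_acme-challenge.level4.sub.site.com"
```

With the IAM user granted `route53:ChangeResourceRecordSets` on abc4 only, the apex zone abc1 is never touched, so the permission error described in the post cannot arise from this selection order.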

  • Rebel Alliance Developer Netgate

    You would want to raise that issue with the acme.sh project directly, since we do not maintain the code which interacts with DNS providers, they do.

    https://github.com/acmesh-official/acme.sh/issues