Yes, I'm using a binary release within 2 latest releases.
Yes, I've searched similar issues on GitHub and didn't find any.
Yes, I've included all information below (version, config, etc).
What did you expect to see?
I'm using the library to issue a bundled multi-domain certificate with the following san (redacted domains):
probe-san-dev.domain1.com
*.probe-san-dev.domain1.com
probe-san-dev.domain2.com
*.probe-san-dev.domain2.com
I'm using DNS TXT validation, and both domains are on AWS Route 53 so I'd expect the library to create the relevant TXT records on each hosted zone. The problem I see is that legoroute53.Config only takes in a single HostedZoneID as input and this config is used to perform the ACME challenges for the multi-domain SAN certificate.
I'm probably misunderstanding something here and there's an alternate way to make this succeed.
What did you see instead?
An error described below, where the DNS challenge fails as Route 53 refuses to create a TXT record for domain2.com in the domain1.com hosted zone.
How do you use lego?
Library
Reproduction steps
Attempt to issue a domain with the lego library and Let's Encrypt as CA with a multi-domain SAN certificate, for example:
probe-san-dev.domain1.com
*.probe-san-dev.domain1.com
probe-san-dev.domain2.com
*.probe-san-dev.domain2.com
Version of lego
v4.1.3
Logs
{"cert":"probe-san-dev.domain1.com","level":"error","msg":"Error renewing certificate. Error: error: one or more domains had a problem:\n[*.probe-san-dev.domain2.com] [*.probe-san-dev.domain2.com] acme: error presenting token: route53: failed to change record set: InvalidChangeBatch: [RRSet with DNS name _acme-challenge.probe-san-dev.domain2.com. is not permitted in zone domain1.com.]\n\tstatus code: 400, request id: XXXXX\n[probe-san-dev.domain2.com] [probe-san-dev.domain2.com] acme: error presenting token: route53: failed to change record set: InvalidChangeBatch: [RRSet with DNS name _acme-challenge.probe-san-dev.domain2.com. is not permitted in zone domain1.com.]\n\tstatus code: 400, request id: XXXXX\n","phase":"renew","time":"2022-03-15T11:38:35Z"}
This discussion was converted from issue #1605 on March 15, 2022 12:31.
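As an added illustration (not lego's own code, and not the reporter's): the mapping a multi-zone setup needs, where each `_acme-challenge` name is matched to the hosted zone that may hold it by longest suffix, and any SAN that a single fixed HostedZoneID cannot serve is reported, which is what the InvalidChangeBatch error above reflects. The zone table and zone ids are constructed placeholders.

```go
package main

import (
	"strings"
)

// Hosted zones the example knows about, keyed by zone apex; the ids are
// constructed placeholders, not real Route 53 zone ids.
var hostedZones = map[string]string{
	"domain1.com": "ZONE-ID-DOMAIN1",
	"domain2.com": "ZONE-ID-DOMAIN2",
}

// challengeName returns the DNS-01 TXT record name for a SAN entry.
// A wildcard entry validates at its base name, so "*.x.domain2.com" and
// "x.domain2.com" share one record name, as the log above shows.
func challengeName(san string) string {
	return "_acme-challenge." + strings.TrimPrefix(san, "*.")
}

// zoneFor picks the longest hosted zone that is a parent of fqdn.
func zoneFor(fqdn string, zones map[string]string) (apex, id string, ok bool) {
	for z, zid := range zones {
		if (fqdn == z || strings.HasSuffix(fqdn, "."+z)) && len(z) > len(apex) {
			apex, id, ok = z, zid, true
		}
	}
	return
}

// planChanges maps each challenge record name to the zone that may hold it,
// and lists the SANs that a provider pinned to fixedZoneID cannot present
// (no matching zone, or a zone other than the pinned one).
func planChanges(sans []string, fixedZoneID string) (plan map[string]string, rejected []string) {
	plan = map[string]string{}
	for _, san := range sans {
		name := challengeName(san)
		_, id, ok := zoneFor(name, hostedZones)
		if !ok {
			rejected = append(rejected, san)
			continue
		}
		plan[name] = id
		if id != fixedZoneID {
			rejected = append(rejected, san)
		}
	}
	return
}
```

Run against the four SANs from the report with the domain1.com zone pinned, the plan holds two record names and both domain2.com entries land in rejected, matching the two failures in the log.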