Letsencrypt with DNS challenge fails

1. Caddy version (caddy version):

v2.4.0-beta.1.0.20210302012759-ad8d01cb6631 h1:vf9HWT7UbJBxLLigI11b4SbWhD/7IlMFTU9t07A+HU8=

2. How I run Caddy:

We have caddy running our dev sandboxes in a rather complex set-up. We are asking for wildcard certs because we set up a whole bunch of sub-domains. We actually got everything working to the point where our full test suite passes, etc. All good. So we rolled out to the rest of the developers.

However, it is failing on SOME developer machines. We get this error:

{"level":"error","ts":1616776725.1127188,"logger":"tls.obtain","msg":"will retry","error":"[accounts-customer.secondlife.buster3.dev.tilia-inc.com] Obtain: [accounts-customer.secondlife.buster3.dev.tilia-inc.com] solving challenges: presenting for challenge: adding temporary record for zone dev.tilia-inc.com.: InvalidChangeBatch: InvalidChangeBatch: [RRSet with DNS name _acme-challenge.accounts-customer.secondlife.buster3. is not permitted in zone dev.tilia-inc.com.]\n\tstatus code: 400, request id: a445466e-602f-4def-b0f9-737e890391b4 (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18782613/18575500) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":191.228348427,"max_duration":2592000}

What is odd is all the developer machines are pretty much configured the same way. So it is rather confusing it would be different. But, of course, this error has nothing to do with the developer machines; Route53 doesn't like what is getting sent to it.

Anyone know enough about the DNS challenge stuff to help me figure out what is going on?

I think the route53 plugin needs to update to be compatible with the changes to how certmagic is now using the libdns APIs. See this issue:

For now, you’ll need to use an older version of Caddy, i.e. any commit before go.mod: Latest CertMagic (updated libdns conventions) · caddyserver/caddy@427bbe9 · GitHub
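An added example, not code from Caddy, CertMagic or the route53 plugin, illustrating the two naming conventions the reply above refers to. It assumes that the newer libdns convention hands providers record names relative to the zone, while Route53 expects fully-qualified, dot-terminated names; the sample names are the ones from the error message in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize lower-cases a DNS name and strips the trailing dot.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// RelativeName converts a fully-qualified record name into the
// zone-relative form (assumed here to be what libdns expects).
// It returns "@" for the zone apex and an error when the name is
// not inside the zone, which is the check the thread's failure lacked.
func RelativeName(fqdn, zone string) (string, error) {
	n, z := normalize(fqdn), normalize(zone)
	if n == z {
		return "@", nil
	}
	if !strings.HasSuffix(n, "."+z) {
		return "", fmt.Errorf("%q is not within zone %q", fqdn, zone)
	}
	return strings.TrimSuffix(n, "."+z), nil
}

// AbsoluteName builds the fully-qualified, dot-terminated name that a
// Route53 ChangeResourceRecordSets request needs. A relative name that
// already ends in a dot is exactly the shape Route53 rejected in the
// thread (a "buster3." name submitted to zone dev.tilia-inc.com.), so
// it is refused instead of being silently sent as an out-of-zone name.
func AbsoluteName(relative, zone string) (string, error) {
	if strings.HasSuffix(relative, ".") {
		return "", fmt.Errorf("relative name %q must not end in a dot", relative)
	}
	z := normalize(zone)
	if relative == "" || relative == "@" {
		return z + ".", nil
	}
	return strings.ToLower(relative) + "." + z + ".", nil
}

func main() {
	// Sample names taken from the error message in the thread.
	rel, _ := RelativeName("_acme-challenge.accounts-customer.secondlife.buster3.dev.tilia-inc.com.", "dev.tilia-inc.com.")
	abs, _ := AbsoluteName(rel, "dev.tilia-inc.com.")
	fmt.Println(rel, abs)
}
```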

Well that creates a bit of a problem. Because I need the fix:
rewrite: Implement regex path replacements.

Which happened after the commit that apparently broke the route53 plugin…

Is there an ETA when route53 support will be fixed?

No, because we don’t maintain that plugin. You’ll need to contact the maintainer.
