Our scenario is having a wildcard configuration to prevent the generation of certs to the domain that we have control.
We installed the module: Route53 because our domains are hosted on AWS (Downloaded from: https://github.com/caddy-dns/route53)
In order to install the module I executed the following commands:
sudo wget -O /usr/bin/caddy “https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Froute53&idempotency=78624988742012”
caddy list-modules sudo systemctl start caddy sudo systemctl status caddy
After that, I edited the Caddyfile inserting the code:
*.example.com {
tls {
dns route53 {
max_retries 10
}
}
reverse_proxy {
to http://target.example.com
}
}
Then we reload the service (or even reboot the machine) and now we receive the following error message after sudo systemctl status caddy:
Jul 19 20:49:29 caddy[1827]: {"level":"error","ts":1658263769.5214586,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.fcp.com","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[*.fcp.com] solving challenges: presenting for challenge: adding temporary record for zone fcp.com.: operation error Route 53: ListHostedZonesByName, failed to sign request: failed to retrieve credentials: static credentials are empty (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61399564/3266863684) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
I have no idea what else to do, and what we need is to generate wildcard certificates for 5 domains.
Ps. Our IAM on AWS is working fine and has Full Control on Route53.
Can you guys help us?
Thanks,
Rodolfo
OS: Ubuntu 22.04 LTS
Caddy Version: v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs= Wildcard not working
Are you sure you set up the AWS credentials on your server, as explained by the route53 plugin README?
You might want to ask for help on that plugin’s github issues. I don’t use route53 so I’m not sure I can do much to help. The error is coming from the plugin.
Edit: Looks like you already got helped on github:
Hello Francis, how are you?
Thanks for replying. I solved the issue yesterday, but I think worth commenting here to help the community.
The AWS Credentials were setup, as explained at the route53 module BUT it had a bug and the author corrected it yesterday.
One tip: Even adding the AWS Credentials I noticed that the best option is include the IAM Key inside the caddyfile. Reason: sometimes works, sometimes dont work. With the IAM inside the caddyfile always works.
I mean, the documentation says it is optional but I dont think so.
tls {
dns route53 {
max_retries 10 // optional
aws_profile "real-profile" // optional
access_key_id "AKI..." // optional (Even its optional, use it!)
secret_access_key "wJa..." // optional (Even its optional, use it!)
token "TOKEN..." // optional
region "us-east-1" // optional
}
}
The Wildcard process is not that fast at AWS, so wait at least 4 or 5 minutes after boot the server, it will generate the wildcard domain, but it take some time.
Caddy works very well in our scenario… so far, so good!