Wildcard SSL certificate not working aws dynamic subdomain

1. Output of caddy version:

caddy version
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

I installed Caddy on an AWS EC2 instance (Ubuntu) using exactly what was said on the documentation page.

a. System environment:

Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-1022-aws x86_64)

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:

*.mysite, mysite {
	tls {
		dns route53 {
			max_retries 10
			aws_profile "my profile"
			access_key_id "my-profile-access-key"
			secret_access_key "my-profile-secret-key"
			token "my-profile-secret-key"
			region "eu-west-3"
		}
	}
	root * /var/www/mysite/public
	encode zstd gzip
	file_server
	php_fastcgi unix//var/run/php/php8.2-fpm.sock
}

3. The problem I’m having:

I'm trying to get a subdomain to work with my domain (wildcard certificate), but the subdomain doesn't generate an SSL certificate.
All my certificates are hosted on S3 storage, so I have both the S3 storage plugin and the DNS Route 53 plugin.

4. Error messages and/or full log output:

Jan 21 22:05:17 ip-172-31-39-194 caddy[249127]: {"level":"info","ts":1674338717.9979832,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.testlave.live"}
Jan 21 22:05:18 ip-172-31-39-194 caddy[249127]: {"level":"info","ts":1674338718.422322,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.testlave.live","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Jan 21 22:05:18 ip-172-31-39-194 caddy[249127]: {"level":"error","ts":1674338718.7669091,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.testlave.live","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.testlave.live\" (usually OK if presenting also failed)"}
Jan 21 22:05:18 ip-172-31-39-194 caddy[249127]: {"level":"error","ts":1674338718.9066675,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.testlave.live","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.testlave.live] solving challenges: presenting for challenge: adding temporary record for zone \"testlave.live.\": operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 6563e61e-134a-4fd2-bf70-7607d883a16e, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/84131713/6694827993) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
Jan 21 22:05:20 ip-172-31-39-194 caddy[249127]: {"level":"info","ts":1674338720.8710263,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.testlave.live","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
Jan 21 22:05:21 ip-172-31-39-194 caddy[249127]: {"level":"error","ts":1674338721.2110147,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.testlave.live","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.testlave.live\" (usually OK if presenting also failed)"}
Jan 21 22:05:21 ip-172-31-39-194 caddy[249127]: {"level":"error","ts":1674338721.700836,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.testlave.live","issuer":"acme.zerossl.com-v2-DV90","error":"[*.testlave.live] solving challenges: presenting for challenge: adding temporary record for zone \"testlave.live.\": operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 46ad2d23-adcd-40f0-830e-8da7edda790f, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. (order=https://acme.zerossl.com/v2/DV90/order/cM01XC8kmxAyX93orxXaxQ) (ca=https://acme.zerossl.com/v2/DV90)"}
Jan 21 22:05:21 ip-172-31-39-194 caddy[249127]: {"level":"error","ts":1674338721.7011356,"logger":"tls.obtain","msg":"will retry","error":"[*.testlave.live] Obtain: [*.testlave.live] solving challenges: presenting for challenge: adding temporary record for zone \"testlave.live.\": operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 46ad2d23-adcd-40f0-830e-8da7edda790f, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. (order=https://acme.zerossl.com/v2/DV90/order/cM01XC8kmxAyX93orxXaxQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":319.633461226,"max_duration":2592000}

5. What I already tried:

Please help me. I'm assuming the error has to do with the token ID value, because I tried using both the access & secret key but to no avail.
When I create my IAM user, AWS gives me only an access key & secret key, so I don't know what to put at token.

If my assumptions are wrong, please correct me in the right direction

6. Links to relevant resources:

Have you read the docs for authenticating?

Might be best if you ask for help on issues for the plugin. I don’t use AWS, so I can’t do much to help.

Thanks Francis for your guidance. I have been able to get it to work.

Please explain what you did to fix it.

The point of using forums for support is so that other users in the future may find answers for their questions via searching.

If you don’t explain the solution, it’ll be frustrating to people finding this thread later on.

Okay, sure.

So I added full Route 53 access to my IAM profile.
I ignored the 'token' section in the route53 plugin credentials.
So here is my Caddyfile config:

{
	email my-email@gmail.com
	storage s3 {
		host "my-bucket.s3.eu-west-3.amazonaws.com"
		bucket "my-bucket"
		access_id "My-access-key"
		secret_key "my-access-key"
		prefix "ssl"
		insecure true
		storage_clean_interval 100d
	}
	debug
	on_demand_tls {
		ask https://my-domain/domain/verify
		interval 2m
		burst 5
	}
}

http:// {
	redir https://{host}{uri}
}

*.my-domain, my-domain {
	@www header_regexp www Host ^www\.(.*)$
	redir @www https://{re.www.1} 301
	tls {
		dns route53 {
			max_retries 10
			aws_profile "laravel"
			access_key_id "My-access-key"
			secret_access_key "my-access-key"
			region "eu-west-3"
		}
	}
	root * /var/www/myfolder/public
	encode zstd gzip
	file_server
	php_fastcgi unix//var/run/php/php8.2-fpm.sock
}

https:// {
	@www header_regexp www Host ^www\.(.*)$
	redir @www https://{re.www.1} 301

	tls {
		on_demand
	}

	root * /var/www/myfolder/public
	encode zstd gzip
	file_server
	php_fastcgi unix//var/run/php/php8.2-fpm.sock
}

1 Like
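The fix above grants the IAM user full Route 53 access and keeps long-lived keys in the Caddyfile. As an added example (not part of the thread and not the route53 plugin's own code), the script below does two things a practitioner would want instead: it emits a least-privilege IAM policy scoped to the one hosted zone the DNS-01 solver needs to touch, and it runs the two AWS CLI calls that reproduce the failing request from the log (`ListHostedZonesByName` returning 403 `SignatureDoesNotMatch`) so a wrong secret key shows up before Caddy is involved. Assumptions: the hosted zone ID `Z0123EXAMPLE` and domain `testlave.live` are placeholders, AWS CLI v2 is installed on the EC2 host, and the action list matches what the libdns Route 53 provider calls (the log confirms `ListHostedZonesByName`; the others are the record-write calls a DNS-01 solver performs).

```shell
#!/usr/bin/env sh
# Added example: least-privilege IAM policy for Caddy's Route 53 DNS-01 solver
# plus a credential sanity check. Not from the original thread.
set -eu

# Print an IAM policy JSON document scoped to one hosted zone.
# ListHostedZonesByName and GetChange have no resource-level scoping in Route 53,
# so they must use "*"; the record writes are limited to the zone ARN, which is
# all the _acme-challenge TXT record needs. (Action list is an assumption; see lead-in.)
route53_dns01_policy() {
  zone_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FindZoneAndPollChange",
      "Effect": "Allow",
      "Action": ["route53:ListHostedZonesByName", "route53:GetChange"],
      "Resource": "*"
    },
    {
      "Sid": "ManageAcmeChallengeRecords",
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
      "Resource": "arn:aws:route53:::hostedzone/${zone_id}"
    }
  ]
}
EOF
}

# Reproduce the call that failed in the log with whatever credentials the host
# resolves (env vars, ~/.aws profile, or the instance role). STS rejects a mistyped
# or stale secret key with the same SignatureDoesNotMatch before Route 53 is reached,
# which separates a credential problem from a missing permission.
check_route53_access() {
  domain="$1"
  aws sts get-caller-identity
  aws route53 list-hosted-zones-by-name --dns-name "${domain}." --max-items 1
}

# Usage (run manually on the EC2 host; placeholders are hypothetical):
#   route53_dns01_policy Z0123EXAMPLE > caddy-route53-policy.json
#   aws iam create-policy --policy-name caddy-route53-dns01 \
#       --policy-document file://caddy-route53-policy.json
#   check_route53_access testlave.live
```

Attach the resulting policy to an instance role rather than an IAM user: with a role on the EC2 instance there is nothing to paste into the Caddyfile, the `access_key_id`, `secret_access_key` and `token` lines can be dropped entirely, and the SDK's default credential chain (assumption: the plugin falls through to it when no static credentials are configured) picks up rotating credentials from instance metadata. The `token` field exists for temporary STS credentials that come as an access key, secret key and session token triple; for long-lived IAM user keys it should simply be omitted, not filled with the secret key.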