Last active
November 18, 2019 06:06
-
-
Save li0nel/4563f8d909e808169c91a5521569ff10 to your computer and use it in GitHub Desktop.
Creating our Let's Encrypt hook script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aws route53 wait resource-record-sets-changed --id \ | |
| $(aws route53 change-resource-record-sets --hosted-zone-id \ | |
| "$(aws route53 list-hosted-zones-by-name --dns-name $2. \ | |
| --query HostedZones[0].Id --output text)" \ | |
| --query ChangeInfo.Id \ | |
| --output text \ | |
| --change-batch "{ \ | |
| \"Changes\": [{ \ | |
| \"Action\": \"$1\", \ | |
| \"ResourceRecordSet\": { \ | |
| \"Name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\", \ | |
| \"ResourceRecords\": [{\"Value\": \"\\\"${CERTBOT_VALIDATION}\\\"\"}], \ | |
| \"Type\": \"TXT\", \ | |
| \"TTL\": 30 \ | |
| } \ | |
| }] \ | |
| }" \ | |
| ) |
Hi @li0nel really nice article, just tried it and ran into this error. Looks like there is an issue with the change-batch syntax:
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
dns-01 challenge for mydomain.com
Waiting for verification...
Cleaning up challenges
Hook command "./auth-hook.sh DELETE mydomain.com" returned error code 2
Error output from auth-hook.sh:
An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: Tried to delete resource record set [name='_acme-challenge.mydomain.com.', type='TXT'] but the values provided do not match the current values
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument --id: expected one argument
Failed authorization procedure. mydomain.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "Ri0158CAZCQQm-0bgtM6MBDDoKiZgLj86-KpQ6ccHNI" found at _acme-challenge.mydomain.com
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.com
Type: unauthorized
Detail: Incorrect TXT record
"Ri0158CAZCQQm-0bgtM6MBDDoKiZgLj86-KpQ6ccHNI" found at
_acme-challenge.mydomain.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory.
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and private
keys obtained by Certbot so making regular backups of this folder
is ideal.
This script works fine -- in my case, errors came down to user error and not reading carefully enough. I think some of the confusion is that it's written for certbot to invoke, not manually and without arguments (hence the invalid XML operation error), and it requires modification to use your domain (as mentioned in article at Hackernoon, hence the mydomain.com related errors). Additionally, you must have Route 53 set up (as mentioned in the article).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
~ ./auth-hook.sh
An error occurred (InvalidInput) when calling the ChangeResourceRecordSets operation: Invalid XML ; cvc-enumeration-valid: Value '' is not facet-valid with respect to enumeration '[CREATE, DELETE, UPSERT]'. It must be a value from the enumeration.