Wildcard certs do not work for the AWS route53 provider #162
Comments
I think this is a known problem, though I can only find a slightly different wildcard cert problem right now - #91. I'm working on changes that should make it possible to solve 91's issue, and I think I see the cause of your problem. Unfortunately, the easy & obvious fix in client.py might not work properly with other providers that have already taken care of it, so that will have to be checked. Are you comfortable pulling a git tree for testing, Eric? If so I'll set up a branch with the looks-trivial-from-here fix for you to test.

@hobosteaux see PR #163 - the only part that affects route53 are the two lines of code removed from client.py.
Commit (#163):
* FIX #162 - removed "*." added by client.py, removed often incomplete fixes from most providers.
* Removed broken tests - drivers are no longer passed *.domain.tld for wildcards
Co-authored-by: Martin Maney <[email protected]>
tl;dr: committed PR #163 which fixes the extra star problem, but leaves the service-provider dependent issues when the cert lists both

After reviewing all the in-tree DNS drivers, I found exactly none that need "*." stuck back onto the domain_name. A fair number did the removal incorrectly, usually by doing so when adding a record but forgetting to do so when removing it. #134 is an example of this that was patched recently. And two, route53 and powerdns, had no de-starring and so fell over when handed a wildcard (this bug and from a discussion with @kylejohnson).

There is a related but separate issue that's shown up a few times, e.g. #91, #123 and maybe others. And unless there's a fix I don't see having landed here, eliminating the "*." issue will only expose the underlying problem described in #91. @AirbornePorcine, are you still using this? Have any code you can share, since I don't use route53 and have no great desire to pore over Yet More Sketchy Docs just to produce untested code. :-(

Sorry for the long turnaround time - I tested this by cherry-picking
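An added illustration of the point made in the comment above (example code, not sewer's own client.py or any of its DNS drivers): the dns-01 TXT record for a wildcard identifier lives at the same name as for the bare domain, so "*." must be stripped once, and a driver that strips it on create but not on delete leaves the record behind. FakeDnsProvider, challenge_record_name and leftover_after_cleanup are constructed for this example.

```python
# Added example, not part of the sewer project: where the dns-01 TXT record for
# a wildcard must be placed, and why add and remove must strip "*." the same way.

CHALLENGE_LABEL = "_acme-challenge"


def challenge_record_name(domain_name: str) -> str:
    """Return the FQDN of the TXT record for an ACME dns-01 challenge.

    "*.example.com" is validated at the same name as "example.com", so a
    single leading "*." is dropped; no other part of the name changes.
    """
    if domain_name.startswith("*."):
        domain_name = domain_name[2:]
    return f"{CHALLENGE_LABEL}.{domain_name}"


class FakeDnsProvider:
    """In-memory stand-in for a DNS API (constructed for this example)."""

    def __init__(self, strip_on_delete: bool = True):
        self.records = {}  # record name -> set of TXT values
        self.strip_on_delete = strip_on_delete

    def create_dns_record(self, domain_name: str, value: str) -> str:
        name = challenge_record_name(domain_name)
        self.records.setdefault(name, set()).add(value)
        return name

    def delete_dns_record(self, domain_name: str, value: str) -> bool:
        # The asymmetry described in the thread: a driver that strips "*." when
        # adding but not when removing looks for a name that was never created.
        if self.strip_on_delete:
            name = challenge_record_name(domain_name)
        else:
            name = f"{CHALLENGE_LABEL}.{domain_name}"
        values = self.records.get(name)
        if not values or value not in values:
            return False
        values.discard(value)
        if not values:
            del self.records[name]
        return True


def leftover_after_cleanup(strip_on_delete: bool) -> list:
    """Create then delete a wildcard's record; return any names left behind."""
    provider = FakeDnsProvider(strip_on_delete=strip_on_delete)
    provider.create_dns_record("*.test.domain.com", "token-value")
    provider.delete_dns_record("*.test.domain.com", "token-value")
    return sorted(provider.records)
```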
What version of sewer are you using?
0.8.1
What did you do? (be as detailed as you can)
Instantiated a client with the following parameters:
What did you expect to see/happen/not happen?
The cert to be created
What did you actually see/happen?
The TXT record was created under _acme-challenge.*.test.domain.com, but the challenge was looking for it under _acme-challenge.test.domain.com.
Paste here the log output generated by sewer, if any. Please remember to remove any sensitive items from the log before pasting here. If you can, run sewer with loglevel set to debug; e.g. sewer --loglevel DEBUG