Stollpy
Reputation: 45
Let's encrypt / Traefik / Challenge DNS AWS NET::ERR_CERT_AUTHORITY_INVALID
I use traefik as a reverse proxy, I would like to be able to generate a let's encrypt certificate from DNS challenges using route 53 (AWS) providers.
Here is my configuration:
Traefik :
# Traefik
traefik:
image: traefik:v2.3.6
container_name: traefik
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# - ./traefik.toml:/etc/traefik/traefik.toml
- ./acme.json:/acme.json
- traefik-public-certicate:/certifcates
ports:
- "80:80" # http
- "443:443" # https
environment:
- AWS_REGION=${AWS_REGION}
- AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
- AWS_HOSTED_ZONE_ID=${AWS_HOSTED_ZONE_ID}
command:
- --api.dashboard=true
- --providers.docker=true
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.web.http.redirections.entryPoint.scheme=https
- --certificatesresolvers.default.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
# - --entrypoints.web.http.redirections.entrypoint.permanent=true
- [email protected]
- --certificatesresolvers.default.acme.storage=acme.json
- --certificatesresolvers.default.acme.dnschallenge=true
- --certificatesresolvers.default.acme.dnschallenge.provider=route53
- --certificatesresolvers.default.acme.dnschallenge.delayBeforeCheck=60
- --certificatesresolvers.default.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
- --certificatesresolvers.default.acme.dnschallenge.disablepropagationcheck=true
labels:
- traefik.enable=true
- traefik.docker.network=app
- traefik.http.routers.api.rule=Host(`${HOSTNAME}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
- traefik.http.routers.api.entrypoints=websecure
- traefik.http.routers.api.tls.certresolver=default
- traefik.http.routers.api.service=api@internal
- traefik.http.routers.api.middlewares=auth # middlewares auth
- traefik.http.routers.api.tls=true
- traefik.http.routers.api.tls.domains[0].main=${HOSTNAME}
- traefik.http.routers.api.tls.domains[0].sans=*.${HOSTNAME}
- traefik.http.middlewares.auth.basicauth.users=MyUser:MyPassword
networks:
- app
Example Service :
# Ms-example
ms-example:
build: ms-example
container_name: ms-example
expose:
- "80"
volumes:
- ./ms-example/vhosts:/etc/apache2/sites-enabled
- ./ms-example/:/var/www/html/example
restart: always
labels:
- traefik.docker.network=app
- traefik.enable=true
- traefik.http.routers.ms-security.rule=Host(`${HOSTNAME}`) && PathPrefix(`/v1.0/ms-example`)
- traefik.http.routers.ms-example.entrypoints=websecure
- traefik.http.routers.ms-example.tls=true
- traefik.http.routers.ms-example.tls.certresolver=default
- traefik.http.routers.ms-example.tls.domains[0].main=${HOSTNAME}
- traefik.http.routers.ms-example.tls.domains[0].sans=*.${HOSTNAME}
networks:
- app
The policy given to an IAM user:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:GetChange",
"route53:ListHostedZones"
],
"Resource": [
"*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
],
"Resource": [
"*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"iam:UploadServerCertificate"
],
"Resource": [
"*"
]
}
]
}
I get an error on browsers and on postman like this :
NET::ERR_CERT_AUTHORITY_INVALID
Subject: TRAEFIK DEFAULT CERT
Issuer: TRAEFIK DEFAULT CERT
Expires on: 20 août 2022
Current date: 20 août 2021
PEM encoded chain:
-----BEGIN CERTIFICATE-----
MYCERTIFICATE
-----END CERTIFICATE-----
How do I make the certificates valid ? Where am I wrong ?
If you want more info do not hesitate and especially if someone has the slightest idea I am a taker.
EDIT
Here is the error I found in the Traefik logs:
time="2021-08-23T13:20:22Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.fr,*.mydomain.fr\" : unable to generate a certificate for the domains [mydomain.fr *.mydomain.fr]: error: one or more domains had a problem:\n[*.mydomain.fr] [*.mydomain.fr] acme: error presenting token: route53: NoSuchHostedZone: No hosted zone found with ID: use2-az1\n\tstatus code: 404, request id: c702090f-fdcc-4364-a207-a82d58446324\n[mydomain.fr] [mydomain.fr] acme: error presenting token: route53: NoSuchHostedZone: No hosted zone found with ID: use2-az1\n\tstatus code: 404, request id: eb5efd0e-10cd-4369-846c-e0dfe31109de\n" providerName=default.acme
mydomain is my domain name. From what I understand it is because of the host id that its blocking but I do not really understand this party despite numerous research.
Upvotes: 0
Views: 1454
Answers (1)
SYN
Reputation: 5032
Summarizing comments on initial post: unless there's a good reason not to, prefer using LetsEncrypt HTTP challenges. They would not require integrating with a specific DNS.
Upvotes: 1
Related Questions
- Traefik ACME DNS challenge not working with docker
- Letsencrypt certs generated but getting TLS error with docker traefik using dns acme challenge
- Traefik + Let's Encrypt on AWS Lightsail
- Traefik with Let's Encrypt trying to request certificate for localhost
- How can I use Route 53 as the DNS Challenge for Lets Encrypt in Traefik?
- Getting ACME error when going for new domain cert
- Traefik: Unable to obtain ACME certificate for domains
- Letsencrypt issue: The request message was malformed :: Error creating new authz :: DNS name does not have enough labels
- RRSet with DNS name _acme-challenge.mybar.org. is not permitted in zone bar.org. while letsencrypt certificate generation
- "Unauthorized" error in adding SSL Certificate to an AWS EC2 instance using Let's Encrypt