What version of Traefik are you using (`traefik version`)?

```
Version: 0247332
Codename: cheddar
Go version: go1.7.5
Built: 2017-02-01_11:13:06PM
OS/Arch: linux/amd64
```
What is your environment & configuration (arguments, toml...)?

Docker stack swarm:

```yaml
version: "3"

services:
  traefik:
    image: cyrilpeponnet/traefik:latest
    deploy:
      update_config:
        parallelism: 1
        delay: 10s
      mode: global
      placement:
        constraints: [node.role == manager]
    environment:
      - "AWS_ACCESS_KEY_ID=BLA"
      - "AWS_SECRET_ACCESS_KEY=BLABLA"
      - "AWS_REGION=us-west-2"
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - backend
      - consul-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: |-
      -c /dev/null
      --web
      --consul
      --consul.endpoint=consul-cluster:8500
      --consul.watch=true
      --docker
      --docker.swarmmode
      --docker.domain=traefik
      --docker.watch
      --debug

  consul-cluster:
    image: consul:latest
    deploy:
      update_config:
        parallelism: 1
        delay: 10s
      mode: global
      placement:
        constraints: [node.role == manager]
    ports:
      - 8500:8500
    networks:
      - consul-net
    environment:
      - 'CONSUL_BIND_INTERFACE=eth2'
    command: agent -server -datacenter traefik -ui -retry-join=tasks.consul-cluster -retry-join=tasks.consul-cluster -bootstrap-expect=2 -client=0.0.0.0

volumes:
  consul-data:

networks:
  backend:
    driver: overlay
  consul-net:
    driver: overlay
```
toml config stored to kv with `storeconfig`:

```toml
defaultEntryPoints = ["http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = """-----BEGIN CERTIFICATE-----
MIIF...buw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIHP...iW3Zt8=
-----END CERTIFICATE-----"""
      KeyFile = """-----BEGIN RSA PRIVATE KEY-----
MII...zob==
-----END RSA PRIVATE KEY-----"""

[consul]
endpoint = "consul-cluster:8500"

[acme]
email = "[email protected]"
storage = "traefik/acme/account"
entryPoint = "https"
dnsProvider = "route53"
acmeLogging = true
OnHostRule = true
caServer = "https://acme-staging.api.letsencrypt.org/directory"
```
What did you do?

Spawned a container with a task like:

```yaml
webssl:
  image: nginx
  deploy:
    replicas: 1
    labels:
      - "traefik.frontend.rule=Host:testssl.subdomain.domain.tld"
      - "traefik.domain=subdomain.domain.tld"
      - "traefik.port=80"
      - "traefik.frontend.entryPoints=https"
  networks:
    - traefik_backend

networks:
  traefik_backend:
    external:
      name: proxy_backend
```
What did you expect to see?

Creation of TXT record to `subdomain.domain.tld` zone id under route53.
What did you see instead?

Creation of TXT record to `domain.tld` zone id under route53 (which is not allowed and not correct).
```
time="2017-02-24T21:49:42Z" level=debug msg="Loading ACME certificates [testssl.subdomain.domain.tld]..."
legolog: 2017/02/24 21:49:42 [INFO][testssl.subdomain.domain.tld] acme: Obtaining bundled SAN certificate
legolog: 2017/02/24 21:49:43 [INFO][testssl.subdomain.domain.tld] acme: Could not find solver for: tls-sni-01
legolog: 2017/02/24 21:49:43 [INFO][testssl.subdomain.domain.tld] acme: Could not find solver for: http-01
legolog: 2017/02/24 21:49:43 [INFO][testssl.subdomain.domain.tld] acme: Trying to solve DNS-01
time="2017-02-24T21:49:44Z" level=error msg="map[testssl.subdomain.domain.tld:Error presenting token: Failed to change Route 53 record set: AccessDenied: User: arn:aws:iam::012343919338:user/myuser is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/ZXXXXXXXXI9VJ\n\tstatus code: 403, request id: 276d8738-fadb-11e6-950b-93d0b3ec9d51]"
time="2017-02-24T21:49:44Z" level=error msg="Error getting ACME certificates [testssl.subdomain.domain.tld] : Cannot obtain certificates map[testssl.subdomain.domain.tld:Error presenting token: Failed to change Route 53 record set: AccessDenied: User: arn:aws:iam::012343919338:user/myuser is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/ZXXXXXXXXI9VJ\n\t status code: 403, request id: 276d8738-fadb-11e6-950b-93d0b3ec9d51]+v"
```
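
The zone selection this report expects, as an added example (not Traefik's or lego's code): for a DNS-01 challenge record, choose the hosted zone whose name is the longest label-aligned suffix, so a delegated subzone wins over its parent. The `HostedZone` type, the function names and the zone IDs are hypothetical, and the zone list is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// HostedZone is a hypothetical stand-in for one Route 53 hosted zone.
type HostedZone struct {
	ID   string // placeholder value, not a real zone ID
	Name string // zone apex, e.g. "subdomain.domain.tld."
}

// fqdn lower-cases a name and makes it end with exactly one trailing dot.
func fqdn(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// ChallengeRecord returns the DNS-01 TXT record name for a domain.
func ChallengeRecord(domain string) string {
	return "_acme-challenge." + fqdn(domain)
}

// MostSpecificZone returns the zone with the longest apex that is a
// label-aligned suffix of record; found is false when no zone matches.
func MostSpecificZone(record string, zones []HostedZone) (best HostedZone, found bool) {
	record = fqdn(record)
	for _, z := range zones {
		apex := fqdn(z.Name)
		// Whole labels only: "xdomain.tld." must not match zone "domain.tld.".
		if record != apex && !strings.HasSuffix(record, "."+apex) {
			continue
		}
		if !found || len(apex) > len(fqdn(best.Name)) {
			best, found = z, true
		}
	}
	return best, found
}

func main() {
	zones := []HostedZone{ // constructed sample: parent zone plus delegated subzone
		{ID: "ZPARENT-PLACEHOLDER", Name: "domain.tld."},
		{ID: "ZSUBZONE-PLACEHOLDER", Name: "subdomain.domain.tld."},
	}
	z, ok := MostSpecificZone(ChallengeRecord("testssl.subdomain.domain.tld"), zones)
	fmt.Println(z.ID, z.Name, ok)
}
```

With credentials scoped to the subzone only, as in the report, the `ChangeResourceRecordSets` call succeeds only when the subzone is the one selected.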
Actually it may be a limitation from lego itself.
@CyrilPeponnet Did you open an issue on lego itself or what now? This is affecting us too, because we create subzones to delegate permissions.