
Introduction
While studying on my own, I was trying to obtain an SSL certificate from Let's Encrypt on an instance I run on AWS EC2.
However, for various reasons the DNS used for the validation was hosted on Google Cloud rather than Route 53, and the certificate could not be obtained.
I am writing down the steps that led to the solution, for reference.
Official site
Welcome :: Let’s Encrypt client and ACME library written in Go.
Google Cloud :: Let’s Encrypt client and ACME library written in Go.
Environment:
Amazon Linux 2 AMI (HVM), SSD Volume Type - ami-0f53b51ee1388fd0b (64-bit Arm)
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
$ uname -mr
4.14.209-160.339.amzn2.aarch64 aarch64
Error details
$ GCE_DEBUG=true \
GCE_PROJECT="default-project" \
GCE_DOMAIN="komeho.info" \
GCE_SERVICE_ACCOUNT_FILE="/home/ubuntu/google.json" \
lego -a \
-m "[email protected]" \
-d "test.komeho.info" \
--dns="gcloud" \
run
2021/01/10 05:17:47 [INFO] [test.komeho.info] acme: Obtaining bundled SAN certificate
2021/01/10 05:17:48 [INFO] [test.komeho.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/9961026041
2021/01/10 05:17:48 [INFO] [test.komeho.info] acme: Could not find solver for: tls-alpn-01
2021/01/10 05:17:48 [INFO] [test.komeho.info] acme: Could not find solver for: http-01
2021/01/10 05:17:48 [INFO] [test.komeho.info] acme: use dns-01 solver
2021/01/10 05:17:48 [INFO] [test.komeho.info] acme: Preparing to solve DNS-01
2021/01/10 05:18:30 skip: the record already exists: 7-oJ1R_znxqQEN0Cd047jgzuc2NNEsZqcgy8COhaz1I
2021/01/10 05:18:30 [INFO] [test.komeho.info] acme: Trying to solve DNS-01
2021/01/10 05:18:30 [INFO] [test.komeho.info] acme: Checking DNS record propagation using [127.0.0.1:53 172.30.0.2:53]
2021/01/10 05:18:35 [INFO] Wait for propagation [timeout: 3m0s, interval: 5s]
2021/01/10 05:19:10 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/10 05:19:50 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/10 05:20:30 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/10 05:21:10 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/10 05:21:50 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/10 05:21:55 [INFO] [test.komeho.info] acme: Cleaning DNS-01 challenge
2021/01/10 05:22:04 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/9961026041 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "0103pqp4P0Fgg7VFfFtzLe6iKMc1TEli4rWZcQTsabUjCLw", url:
2021/01/10 05:22:04 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/9961026041
2021/01/10 05:22:05 Could not obtain certificates:
error: one or more domains had a problem:
[test.komeho.info] time limit exceeded: last error: read udp [2406:da14:e28:8410:af75:5507:459e:f4e]:36769->[2001:4860:4802:36::6b]:53: i/o timeout
After "acme: Waiting for DNS record propagation." repeated for a while, it eventually timed out with "time limit exceeded:" and failed.
What I tried
For what it is worth, here is the information on the lego side that caught my attention.
Referring to that, I tried adding the following parameters.
GCE_POLLING_INTERVAL=120 \
GCE_PROPAGATION_TIMEOUT=3600 \
GCE_TTL=3600 \
But this still did not work.
What solved it
Then an option caught my eye.
--dns.resolvers value Set the resolvers to use for performing recursive DNS queries.
Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if
the system's cannot be determined.
So during DNS validation you can specify a separate DNS resolver instead of the host's DNS.
So I tried the following.
Note: it did not occur to me at the time, but since the authentication goes against Google Cloud, it might have been better to specify Google Public DNS, 8.8.8.8.
$ GCE_DEBUG=true \
GCE_PROJECT="default-project" \
GCE_DOMAIN="komeho.info" \
GCE_SERVICE_ACCOUNT_FILE="/home/ubuntu/google.json" \
lego -a \
-m "[email protected]" \
-d "test.komeho.info" \
--dns="gcloud" \
--dns.resolvers="1.1.1.1" \
run
Result
2021/01/12 13:20:57 [INFO] [test.komeho.info] acme: Obtaining bundled SAN certificate
2021/01/12 13:20:58 [INFO] [test.komeho.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10011281663
2021/01/12 13:20:58 [INFO] [testkomeho.info] acme: Could not find solver for: tls-alpn-01
2021/01/12 13:20:58 [INFO] [test.komeho.info] acme: Could not find solver for: http-01
2021/01/12 13:20:58 [INFO] [test.komeho.info] acme: use dns-01 solver
2021/01/12 13:20:58 [INFO] [test.komeho.info] acme: Preparing to solve DNS-01
2021/01/12 13:21:09 change (Create): {"additions":[{"name":"_acme-challenge.test.komeho.info.","rrdatas":["qCFhKYprqUlqiqYIRhKU5tIjgQSs98O1FWGkxSPw89o"],"ttl":120,"type":"TXT"}]}
2021/01/12 13:21:10 [INFO] Wait for apply change [timeout: 30s, interval: 3s]
2021/01/12 13:21:10 change (Get): {"additions":[{"name":"_acme-challenge.test.komeho.info.","rrdatas":["qCFhKYprqUlqiqYIRhKU5tIjgQSs98O1FWGkxSPw89o"],"ttl":120,"type":"TXT"}]}
2021/01/12 13:21:10 [INFO] [test.komeho.info] acme: Trying to solve DNS-01
2021/01/12 13:21:10 [INFO] [test.komeho.info] acme: Checking DNS record propagation using [1.1.1.1:53]
2021/01/12 13:21:15 [INFO] Wait for propagation [timeout: 3m0s, interval: 5s]
2021/01/12 13:21:20 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/12 13:21:30 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/12 13:21:40 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/12 13:21:50 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/12 13:22:00 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/12 13:22:21 [INFO] [test.komeho.info] acme: Waiting for DNS record propagation.
2021/01/12 13:22:54 [INFO] [test.komeho.info] The server validated our request
2021/01/12 13:22:54 [INFO] [test.komeho.info] acme: Cleaning DNS-01 challenge
2021/01/12 13:22:59 [INFO] [test.komeho.info] acme: Validations succeeded; requesting certificates
2021/01/12 13:23:00 [INFO] [test.komeho.info] Server responded with a certificate.
I confirmed that validation succeeded and that a certificate was requested. I also confirmed that the certificate had been created under ~/.lego/certificates.
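As an added example (my own Go, not lego's or this page's code), here is the kind of pre-check lego performs under "Checking DNS record propagation": it derives the expected TXT value, pins lookups to the resolvers you choose instead of the system ones, and reports per resolver whether the record is visible yet. Function names and the key-authorization value are assumptions.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/base64"
	"net"
	"strings"
)

// dns01TXTValue: the rrdata published at _acme-challenge.<name>, i.e.
// base64url(SHA-256(keyAuthorization)) without padding (RFC 8555 section 8.4).
func dns01TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// normalizeResolver appends port 53 when only a host was given ("1.1.1.1" becomes
// "1.1.1.1:53", which is how the lego log prints the --dns.resolvers value).
func normalizeResolver(addr string) string {
	if _, _, err := net.SplitHostPort(addr); err == nil {
		return addr
	}
	return net.JoinHostPort(strings.Trim(addr, "[]"), "53")
}

// resolverFor pins every query to one upstream instead of the system resolvers
// (127.0.0.1 and the VPC resolver 172.30.0.2 on the failing run above).
func resolverFor(addr string) *net.Resolver {
	addr = normalizeResolver(addr)
	return &net.Resolver{PreferGo: true, Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
		return new(net.Dialer).DialContext(ctx, network, addr)
	}}
}

// checkPropagation queries each resolver for the challenge TXT record; a lookup
// error or timeout counts as "not yet visible" rather than aborting the check.
func checkPropagation(ctx context.Context, fqdn, expected string, resolvers []string) map[string]bool {
	seen := make(map[string]bool, len(resolvers))
	for _, r := range resolvers {
		key := normalizeResolver(r)
		seen[key] = false
		values, err := resolverFor(key).LookupTXT(ctx, fqdn)
		for _, v := range values {
			seen[key] = seen[key] || (err == nil && v == expected)
		}
	}
	return seen
}
```

Running it against a public resolver and the VPC resolver side by side shows which path is stalling before you spend lego's 3-minute propagation timeout.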
Conclusion
- If validation of the TXT record seems to take a long time, adjust the timeout values
- If name resolution does not look healthy, use a public DNS resolver or similar
- In a case like this one, it would probably be better to use AWS Route 53 in the first place