Closed
Description
What version of Traefik are you using (traefik version)?
Version: 0247332
Codename: cheddar
Go version: go1.7.5
Built: 2017-02-01_11:13:06PM
OS/Arch: linux/amd64
What is your environment & configuration (arguments, toml...)?
Docker stack swarm:

```yaml
version: "3"
services:
  traefik:
    image: cyrilpeponnet/traefik:latest
    deploy:
      update_config:
        parallelism: 1
        delay: 10s
      mode: global
      placement:
        constraints: [node.role == manager]
    environment:
      - "AWS_ACCESS_KEY_ID=BLA"
      - "AWS_SECRET_ACCESS_KEY=BLABLA"
      - "AWS_REGION=us-west-2"
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - backend
      - consul-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: |-
      -c /dev/null
      --web
      --consul
      --consul.endpoint=consul-cluster:8500
      --consul.watch=true
      --docker
      --docker.swarmmode
      --docker.domain=traefik
      --docker.watch
      --debug
  consul-cluster:
    image: consul:latest
    deploy:
      update_config:
        parallelism: 1
        delay: 10s
      mode: global
      placement:
        constraints: [node.role == manager]
    ports:
      - 8500:8500
    networks:
      - consul-net
    environment:
      - 'CONSUL_BIND_INTERFACE=eth2'
    command: agent -server -datacenter traefik -ui -retry-join=tasks.consul-cluster -retry-join=tasks.consul-cluster -bootstrap-expect=2 -client=0.0.0.0
volumes:
  consul-data:
networks:
  backend:
    driver: overlay
  consul-net:
    driver: overlay
```
TOML config stored to the KV store with storeconfig:

```toml
defaultEntryPoints = ["http"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = """-----BEGIN CERTIFICATE-----
MIIF...buw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIHP...iW3Zt8=
-----END CERTIFICATE-----"""
      KeyFile = """-----BEGIN RSA PRIVATE KEY-----
MII...zob==
-----END RSA PRIVATE KEY-----"""
[consul]
endpoint = "consul-cluster:8500"
[acme]
email = "myemail@domain.tld"
storage = "traefik/acme/account"
entryPoint = "https"
dnsProvider = "route53"
acmeLogging = true
OnHostRule = true
caServer = "https://acme-staging.api.letsencrypt.org/directory"
```
What did you do?
Spawned a container with a task like:

```yaml
webssl:
  image: nginx
  deploy:
    replicas: 1
    labels:
      - "traefik.frontend.rule=Host:testssl.subdomain.domain.tld"
      - "traefik.domain=subdomain.domain.tld"
      - "traefik.port=80"
      - "traefik.frontend.entryPoints=https"
  networks:
    - traefik_backend
networks:
  traefik_backend:
    external:
      name: proxy_backend
```
What did you expect to see?
Creation of TXT record to subdomain.domain.tld zone id under route53.
What did you see instead?
Creation of TXT record to domain.tld zone id under route53 (which is not allowed and not correct).
```
time="2017-02-24T21:49:42Z" level=debug msg="Loading ACME certificates [testssl.subdomain.domain.tld]..."
legolog: 2017/02/24 21:49:42 [INFO][testssl.subdomain.domain.tld] acme: Obtaining bundled SAN certificate
legolog: 2017/02/24 21:49:43 [INFO][testssl.subdomain.domain.tld] acme: Could not find solver for: tls-sni-01
legolog: 2017/02/24 21:49:43 [INFO][testssl.subdomain.domain.tld] acme: Could not find solver for: http-01
legolog: 2017/02/24 21:49:43 [INFO][testssl.subdomain.domain.tld] acme: Trying to solve DNS-01
time="2017-02-24T21:49:44Z" level=error msg="map[testssl.subdomain.domain.tld:Error presenting token: Failed to change Route 53 record set: AccessDenied: User: arn:aws:iam::012343919338:user/myuser is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/ZXXXXXXXXI9VJ\n\tstatus code: 403, request id: 276d8738-fadb-11e6-950b-93d0b3ec9d51]"
time="2017-02-24T21:49:44Z" level=error msg="Error getting ACME certificates [testssl.subdomain.domain.tld] : Cannot obtain certificates map[testssl.subdomain.domain.tld:Error presenting token: Failed to change Route 53 record set: AccessDenied: User: arn:aws:iam::012343919338:user/myuser is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/ZXXXXXXXXI9VJ\n\tstatus code: 403, request id: 276d8738-fadb-11e6-950b-93d0b3ec9d51]+v"
```
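The report above is a hosted-zone selection problem: the DNS-01 solver has to write `_acme-challenge.testssl.subdomain.domain.tld` into the most specific zone that contains it (`subdomain.domain.tld`), not the apex `domain.tld` zone, and because the IAM user here is scoped to a single zone (good least privilege), the wrong choice surfaces as the `AccessDenied` in the log rather than a silently misplaced record. The Go function below is an added example, not Traefik's or lego's code: it picks the zone whose name is the longest label-aligned suffix of the record name, using constructed zones with placeholder IDs.

```go
package main

import (
	"fmt"
	"strings"
)

// HostedZone is a minimal stand-in for a Route 53 hosted zone (constructed for
// this example; IDs are placeholders, not real zone IDs).
type HostedZone struct {
	ID   string
	Name string // fully qualified, with the trailing dot Route 53 returns
}

// normalize lowercases a DNS name and strips its trailing dot so that
// "Domain.TLD." and "domain.tld" compare equal.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// FindZone returns the ID of the most specific hosted zone whose name is a
// label-aligned suffix of fqdn (so "domain.tld" never matches "notdomain.tld").
// ok is false when no zone contains the name, which a caller should treat as a
// hard error rather than falling back to an arbitrary zone.
func FindZone(zones []HostedZone, fqdn string) (id string, ok bool) {
	host := normalize(fqdn)
	bestLen := -1
	for _, z := range zones {
		name := normalize(z.Name)
		if host != name && !strings.HasSuffix(host, "."+name) {
			continue
		}
		// Longer zone name == more specific zone; it wins over the apex.
		if len(name) > bestLen {
			bestLen, id, ok = len(name), z.ID, true
		}
	}
	return id, ok
}

func main() {
	zones := []HostedZone{
		{ID: "ZAPEXPLACEHOLDER", Name: "domain.tld."},
		{ID: "ZSUBPLACEHOLDER", Name: "subdomain.domain.tld."},
	}
	id, ok := FindZone(zones, "_acme-challenge.testssl.subdomain.domain.tld.")
	fmt.Println(id, ok) // ZSUBPLACEHOLDER true
}
```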