starred/certimate

Fork 0

mirror of https://github.com/certimate-go/certimate.git synced 2026-04-25 20:55:52 +03:00

[GH-ISSUE #806] aws 证书申请的dns授权应该授权那些权限呢 #547

New issue

Closed

opened 2026-03-03 01:04:13 +03:00 by kerem · 4 comments

kerem commented

2026-03-03 01:04:13 +03:00

Owner

Originally created by @0x5c0f on GitHub (Jun 17, 2025).
Original GitHub issue: https://github.com/certimate-go/certimate/issues/806

软件版本 / Release Version

v0.3.18

问题描述 / Description

关于aws dns 授权策略应该如何调整，这是我目前的策略

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "route53:*",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "<sourceip>/32"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "route53domains:CheckDomainTransferability",
                "route53domains:CheckDomainAvailability",
                "route53domains:ListDomains",
                "route53domains:ListTagsForDomain",
                "route53domains:ListOperations",
                "route53domains:GetDomainSuggestions",
                "route53domains:GetContactReachabilityStatus",
                "route53domains:GetDomainDetail",
                "route53domains:ListPrices",
                "route53domains:GetOperationDetail"
            ],
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "<sourceip>/32"
                }
            }
        }
    ]
}

这是运行报错

开始
[2025-06-17 14:19:29]
workflow is started
申请
[2025-06-17 14:19:29]
ready to obtain certificiate ...
[2025-06-17 14:20:25]
failed to obtain certificiate
[2025-06-17 14:20:25]
error: one or more domains had a problem: [<api.example.com>] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.<api.example.com> - check that a DNS record exists for this domain

其他 / Miscellaneous

我希望能得到严格的dns策略授权规则，非必要不是 FullAccess 策略

Originally created by @0x5c0f on GitHub (Jun 17, 2025). Original GitHub issue: https://github.com/certimate-go/certimate/issues/806 ### 软件版本 / Release Version v0.3.18 ### 问题描述 / Description 关于aws dns 授权策略应该如何调整，这是我目前的策略 ```json { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "route53:*", "Resource": "*", "Condition": { "IpAddress": { "aws:SourceIp": "<sourceip>/32" } } }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "route53domains:CheckDomainTransferability", "route53domains:CheckDomainAvailability", "route53domains:ListDomains", "route53domains:ListTagsForDomain", "route53domains:ListOperations", "route53domains:GetDomainSuggestions", "route53domains:GetContactReachabilityStatus", "route53domains:GetDomainDetail", "route53domains:ListPrices", "route53domains:GetOperationDetail" ], "Resource": "*", "Condition": { "IpAddress": { "aws:SourceIp": "<sourceip>/32" } } } ] } ``` 这是运行报错 ```bash 开始 [2025-06-17 14:19:29] workflow is started 申请 [2025-06-17 14:19:29] ready to obtain certificiate ... [2025-06-17 14:20:25] failed to obtain certificiate [2025-06-17 14:20:25] error: one or more domains had a problem: [<api.example.com>] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.<api.example.com> - check that a DNS record exists for this domain ``` ### 其他 / Miscellaneous 我希望能得到**严格的dns策略授权规则**，非必要不是 `FullAccess` 策略

kerem closed this issue

2026-03-03 01:04:13 +03:00

kerem commented

2026-03-03 01:04:14 +03:00

Author

Owner

@0x5c0f commented on GitHub (Jun 17, 2025):

这个是证书申请时候的配置

如果 DNS 递归服务器（可选） 不配置则会报告下面这些错误, 填写就会报告上面的错误

[2025-06-17 14:30:02]
workflow is started
申请
[2025-06-17 14:30:02]
ready to obtain certificiate ...
[2025-06-17 14:33:01]
failed to obtain certificiate
[2025-06-17 14:33:01]
error: one or more domains had a problem: [<api.example.com>] propagation: time limit exceeded: last error: authoritative nameservers: NS a2.nic.io.:53 returned NXDOMAIN for _acme-challenge.<api.example.com>.

@0x5c0f commented on GitHub (Jun 17, 2025): 这个是证书申请时候的配置 ![Image](https://github.com/user-attachments/assets/43e06a9e-f565-4353-8fc9-e85193420c02) 如果 `DNS 递归服务器（可选）` 不配置则会报告下面这些错误, 填写就会报告上面的错误 ``` [2025-06-17 14:30:02] workflow is started 申请 [2025-06-17 14:30:02] ready to obtain certificiate ... [2025-06-17 14:33:01] failed to obtain certificiate [2025-06-17 14:33:01] error: one or more domains had a problem: [<api.example.com>] propagation: time limit exceeded: last error: authoritative nameservers: NS a2.nic.io.:53 returned NXDOMAIN for _acme-challenge.<api.example.com>. ```

kerem commented

2026-03-03 01:04:14 +03:00

Author

Owner

@usual2970 commented on GitHub (Jun 17, 2025):

应该不是权限的问题，dns 没有查询到，可以多设置几个 DNS 递归服务器

@usual2970 commented on GitHub (Jun 17, 2025): 应该不是权限的问题，dns 没有查询到，可以多设置几个 DNS 递归服务器

kerem commented

2026-03-03 01:04:14 +03:00

Author

Owner

@0x5c0f commented on GitHub (Jun 18, 2025):

应该不是权限的问题，dns 没有查询到，可以多设置几个 DNS 递归服务器

仍然无效，当前应用部署到阿里云成都节点，使用docker部署，也许这是一个bug ？

错误报告

开始
[2025-06-18 08:43:50]
workflow is started
申请
[2025-06-18 08:43:50]
ready to obtain certificiate ...
[2025-06-18 08:44:43]
failed to obtain certificiate
[2025-06-18 08:44:43]
error: one or more domains had a problem: [<api.example.com>] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.<api.example.com> - check that a DNS record exists for this domain

@0x5c0f commented on GitHub (Jun 18, 2025): > 应该不是权限的问题，dns 没有查询到，可以多设置几个 DNS 递归服务器仍然无效，当前应用部署到阿里云成都节点，使用docker部署，也许这是一个bug ？ ![Image](https://github.com/user-attachments/assets/66d635a1-12fc-44dc-8319-ca44cbb26331) 错误报告 ``` 开始 [2025-06-18 08:43:50] workflow is started 申请 [2025-06-18 08:43:50] ready to obtain certificiate ... [2025-06-18 08:44:43] failed to obtain certificiate [2025-06-18 08:44:43] error: one or more domains had a problem: [<api.example.com>] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.<api.example.com> - check that a DNS record exists for this domain ```

kerem commented

2026-03-03 01:04:14 +03:00

Author

Owner

@0x5c0f commented on GitHub (Jun 23, 2025):

此项问题解决，测试的域名已经不存在

@0x5c0f commented on GitHub (Jun 23, 2025): 此项问题解决，测试的域名已经不存在

kerem referenced this issue

2026-03-03 01:07:09 +03:00

[PR #543] [MERGED] new providers & bugfix #982