I wanted to check to see what your thoughts are in regards to the dnsapi plugins. I wrote an AWS Route 53 API plugin but it uses the python awscli tool and jq to parse JSON and I wasn't sure if you had strict requirements for using _only_ bash or if 3rd party libraries could be a requirement. This probably needs some additional error checking but it's worked decently for me so far: https://gist.github.com/mbentley/d5da0bf962f050dd07ec
yes, I'd like to keep it bash only. no more dependencies, like python, perl etc.
If you can fix that, I'd be happy to merge your code.
OK, thanks for the quick response. I'll see what I can do.
If anyone is interested, I wrote an API for AWS Route53. It still depends on AWSCLI and Python, but doesn't need a JSON library for parsing the results.
Thanks @theit8514 , Can you make it a separate repository ? So that I can update the doc to refer to your code.
Thanks.
Moved code to repository and added some docs on what is required. https://github.com/theit8514/dnsapi-route53-python
I've written a different AWS Route53 dns api.
The difference with the @mbentley one, which it is based on, is that my one supports multiple domains and arbitrary long subdomain names.
You can issue or renew LE certs for my.com, your.com, their.com, this.is.my.domain.co.uk in a single certificate and in one single step. Only limitation is all domains should be hosted on AWS.
I've forked Neilpang/le and added my api inside (I don't want to maintain a repo for a single file); you can find it at https://github.com/colegatron/le
What's the status of the pure bash implementation for Route53?
Hi @oscar-b ,
I don't have an AWS account to test. So, please use the script from @colegatron .
The dns-aws script is ready for production.
At least I have it running in the production deployment pipeline issuing and renewing the certificates automatically.
Iván González
Systems Developer - AWS Certified Developer - IT Manager
But it still has external dependencies on other scripts and Python?
My own script is not part of Neil's development and it is not tied to his repo restrictions.
I try to keep things simple, easy and functional, but writing pure-whatever-language is never part of my requirements.
Feel free to use it as is or modify it as per your needs.
The requirement is due to the fact that this is for an embedded system, and disk space is a bit limited. I will see if it's feasible to install the aws cli. Thanks!
The dns-aws api depends on jq aside from the aws cli, but there are only a couple of calls to jq. For sure you can remove the jq dependency using the --output text argument on the aws cli call and some greps and seds.
Maybe even the 3 calls to the aws cli can be replaced with some curl calls.
@Neilpang any movement on this request?
revisiting this request for Route53 as it's what I use for my main domains
with regards to bash only and @colegatron's jq, maybe acme.sh can just check if /usr/bin/jq exists (for centos 6 and centos 7 it's in the EPEL repo) and enable or disable the aws plugin accordingly. So if the jq binary doesn't exist, disable the aws plugin from being triggered.
@Neilpang @colegatron any plans to revisit Route53 support?
awscli is easy to install
wget https://s3.amazonaws.com/aws-cli/awscli-bundle.zip
unzip awscli-bundle.zip
./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
chmod +x /usr/local/bin/aws
aws --version
jq for centos/rhel
yum -y install jq
and as per my previous reply:
maybe acme.sh can just check if /usr/bin/jq exists (for centos 6 and centos 7 it's in the EPEL repo) and enable or disable the aws plugin accordingly. So if the jq binary doesn't exist, disable the aws plugin from being triggered. Same with /usr/local/bin/aws: check whether it exists or not and auto-disable the aws plugin if not. This won't affect acme.sh usage for normal folks unless the jq and aws binaries exist.
+1 on native Route53 support!!
@centminmod @FernandoMiguel
Reopen, I will move the implementation to acme.sh, I think it's ok to use jq and aws-cli in this wrapper.
But I have no aws to test; if you guys have, please let me know.
Thanks.
Let me know of a way to privately contact you and what domain you want on route53 and I'll send you API keys Monday morning
@FernandoMiguel
Contact me: [email protected]
Using the aws-cli isn't feasible on smaller systems such as routers, it's huge (almost 100mb installed if I remember correctly). Should be possible to do without external dependencies.
@oscar-b I'm guessing most of our use cases is to have it running from aws instances itself, where those packages are usually available
@oscar-b
I agree with @FernandoMiguel , most cases would be in the aws instances, so it's not a big problem.
yes, I will also try to write a sh version without any dependencies after this awscli version, as long as I have a testing domain there.
@FernandoMiguel
Hi,
I received your email, and the ns server is changed.
Please write to me the api key. My mail server has a temp issue that I can only receive email, cannot send email now.
@Neilpang that email had the key attached.
would you prefer inline?
@FernandoMiguel
yes, I see.
Thanks.
@FernandoMiguel
I need to call ListHostedZones
But I got error:
An error occurred (AccessDenied) when calling the ListHostedZones operation: User: arn:aws:iam::800596930647:user/[email protected] is not authorized to perform: route53:ListHostedZones
humm
you have it in the policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:GetHostedZoneCount",
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/Z309C9U7RMOAW1"
}
]
}
let me move it out
try now!
@FernandoMiguel
Same error.
ok, let me debug it on my side.
should work now.
@FernandoMiguel
yes
@FernandoMiguel was it a case of ListHostedZones needing to be unrestricted to a specific ZONE? https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/r53-api-permissions-ref.html
Required Permissions for Actions on Public Hosted Zones
ListHostedZones route53:ListHostedZones arn:aws:route53:::hostedzone/*
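The permission reference quoted above is the whole explanation of the AccessDenied error earlier in the thread: ListHostedZones is an account-wide call evaluated against `arn:aws:route53:::hostedzone/*`, so a statement whose Resource is one zone id never matches it, even though the same statement is enough for ChangeResourceRecordSets on that zone. The following is an added example, not AWS code and not from this thread: a deliberately small model of IAM evaluation (Allow/Deny, Action and Resource with `*` wildcards only; Conditions, NotAction and resource policies are ignored) that shows the zone-scoped policy denying the listing call, and a split policy that keeps the record-changing permissions pinned to one zone. The zone id `ZPLACEHOLDER123` and the two policies are constructed for the example.

```python
"""Added example, not AWS code: a small model of IAM policy evaluation, enough
to show why a zone-scoped policy denies route53:ListHostedZones while still
allowing record changes on that zone. Only Effect, Action and Resource with
'*' wildcards are modelled; Conditions, NotAction, resource policies and the
rest of real IAM evaluation are deliberately left out."""
from fnmatch import fnmatchcase
from typing import Dict, List, Union

ZONE_ID = "ZPLACEHOLDER123"  # constructed placeholder, not a real hosted zone id
ZONE_ARN = f"arn:aws:route53:::hostedzone/{ZONE_ID}"
ALL_ZONES_ARN = "arn:aws:route53:::hostedzone/*"

# Account-wide calls are evaluated against hostedzone/* (as in the permissions
# reference quoted above); every other action here is evaluated against one zone.
ACCOUNT_WIDE = {"route53:ListHostedZones", "route53:ListHostedZonesByName",
                "route53:GetHostedZoneCount"}


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def _matches(patterns: Union[str, List[str]], value: str) -> bool:
    # IAM-style '*' wildcard matching; a pattern without '*' must match exactly
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Explicit Deny wins; otherwise some Allow must match both action and resource."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def request_resource(action: str) -> str:
    """The resource ARN a given Route 53 call is evaluated against."""
    return ALL_ZONES_ARN if action in ACCOUNT_WIDE else ZONE_ARN


def evaluate(policy: dict, actions: List[str]) -> Dict[str, bool]:
    return {a: is_allowed(policy, a, request_resource(a)) for a in actions}


# Same shape as the policy posted in the thread: every action scoped to one zone.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["route53:GetHostedZone", "route53:ListHostedZones",
                   "route53:ListHostedZonesByName", "route53:GetHostedZoneCount",
                   "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
        "Resource": ZONE_ARN,
    }],
}

# Least-privilege alternative: only the account-wide listing calls get
# hostedzone/*; the calls that read or modify records stay pinned to one zone.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName",
                    "route53:GetHostedZoneCount"],
         "Resource": ALL_ZONES_ARN},
        {"Effect": "Allow",
         "Action": ["route53:GetHostedZone", "route53:ChangeResourceRecordSets",
                    "route53:ListResourceRecordSets"],
         "Resource": ZONE_ARN},
    ],
}

ACTIONS = ["route53:ListHostedZones", "route53:GetHostedZone",
           "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"]

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("split", SPLIT_POLICY)):
        print(name, evaluate(policy, ACTIONS))
```

Running it prints the scoped policy allowing everything except ListHostedZones, and the split policy allowing all four calls while still refusing ChangeResourceRecordSets on any zone other than the one named in the ARN.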
Hi @centminmod @mbentley @theit8514 @FernandoMiguel @oscar-b @colegatron
Everybody, I just supported AWS Route53 api, pure shell, no dependency on awscli.
see:
https://github.com/Neilpang/acme.sh/tree/dev/dnsapi#10-use-amazon-route53-domain-api
And @FernandoMiguel
Can you please edit this page: https://github.com/Neilpang/acme.sh/wiki/How-to-use-Amazon-Route53-API , and write how to get the api key secret/id and how to configure the api permissions?
Thank you.
Great work mate. I was wondering how progress on this was going.
I'll give it a quick test tomorrow and add the requested information/guides
I'm having issues with this from my Mac.
Haven't tested from EC2 yet.
./acme.sh --issue --dns dns_aws -d test.awsroute53.acme.sh --test --debug 2
[Mon 21 Nov 2016 19:16:41 GMT] Lets find script dir.
[Mon 21 Nov 2016 19:16:41 GMT] _SCRIPT_='./acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _script='/Users/fernando/.acme.sh/acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _script_home='/Users/fernando/.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] It seems that acme.sh is already installed in /Users/fernando/.acme.sh
[Mon 21 Nov 2016 19:16:41 GMT] 15:AUTO_UPGRADE='1'
[Mon 21 Nov 2016 19:16:41 GMT] LE_WORKING_DIR='/Users/fernando/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.6.5
[Mon 21 Nov 2016 19:16:41 GMT] Using api:
[Mon 21 Nov 2016 19:16:41 GMT] Using stage api:https://acme-staging.api.letsencrypt.org
[Mon 21 Nov 2016 19:16:41 GMT] DOMAIN_PATH='/Users/fernando/.acme.sh/test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] Le_NextRenewTime
[Mon 21 Nov 2016 19:16:41 GMT] 1:Le_Domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] 2:Le_Alt='no'
[Mon 21 Nov 2016 19:16:41 GMT] 3:Le_Webroot='dns_aws'
[Mon 21 Nov 2016 19:16:41 GMT] 4:Le_PreHook=''
[Mon 21 Nov 2016 19:16:41 GMT] 5:Le_PostHook=''
[Mon 21 Nov 2016 19:16:41 GMT] 6:Le_RenewHook=''
[Mon 21 Nov 2016 19:16:41 GMT] 7:Le_API='https://acme-staging.api.letsencrypt.org'
[Mon 21 Nov 2016 19:16:41 GMT] _on_before_issue
[Mon 21 Nov 2016 19:16:41 GMT] 'dns_aws' does not contain 'no'
[Mon 21 Nov 2016 19:16:41 GMT] Le_LocalAddress
[Mon 21 Nov 2016 19:16:41 GMT] Check for domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _currentRoot='dns_aws'
[Mon 21 Nov 2016 19:16:41 GMT] 'dns_aws' does not contain 'apache'
[Mon 21 Nov 2016 19:16:41 GMT] _saved_account_key_hash='XXXX'
[Mon 21 Nov 2016 19:16:41 GMT] _saved_account_key_hash is not changed, skip register account.
[Mon 21 Nov 2016 19:16:41 GMT] Read key length:
[Mon 21 Nov 2016 19:16:41 GMT] _createcsr
[Mon 21 Nov 2016 19:16:41 GMT] domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] domainlist
[Mon 21 Nov 2016 19:16:41 GMT] csrkey='/Users/fernando/.acme.sh/test.awsroute53.acme.sh/test.awsroute53.acme.sh.key'
[Mon 21 Nov 2016 19:16:41 GMT] csr='/Users/fernando/.acme.sh/test.awsroute53.acme.sh/test.awsroute53.acme.sh.csr'
[Mon 21 Nov 2016 19:16:41 GMT] csrconf='/Users/fernando/.acme.sh/test.awsroute53.acme.sh/test.awsroute53.acme.sh.csr.conf'
[Mon 21 Nov 2016 19:16:41 GMT] Single domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _is_idn_d='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _idn_temp
[Mon 21 Nov 2016 19:16:41 GMT] _csr_cn='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] 8:Le_Keylength=''
[Mon 21 Nov 2016 19:16:41 GMT] Getting domain auth token for each domain
[Mon 21 Nov 2016 19:16:41 GMT] Getting webroot for domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _w='dns_aws'
[Mon 21 Nov 2016 19:16:41 GMT] _currentRoot='dns_aws'
[Mon 21 Nov 2016 19:16:41 GMT] Getting new-authz for domain='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] Try new-authz for the 0 time.
[Mon 21 Nov 2016 19:16:41 GMT] _is_idn_d='test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:41 GMT] _idn_temp
[Mon 21 Nov 2016 19:16:41 GMT] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Mon 21 Nov 2016 19:16:41 GMT] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "test.awsroute53.acme.sh"}}'
[Mon 21 Nov 2016 19:16:41 GMT] RSA key
[Mon 21 Nov 2016 19:16:43 GMT] Get nonce.
[Mon 21 Nov 2016 19:16:43 GMT] GET
[Mon 21 Nov 2016 19:16:43 GMT] url='https://acme-staging.api.letsencrypt.org/directory'
[Mon 21 Nov 2016 19:16:43 GMT] timeout
[Mon 21 Nov 2016 19:16:43 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header --trace-ascii /var/folders/b4/y3_m1qtd4p34v1_kwpgg3vrc0000gn/T/tmp.ByzrDNSh '
[Mon 21 Nov 2016 19:16:43 GMT] ret='0'
[Mon 21 Nov 2016 19:16:43 GMT] _headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 372
Boulder-Request-Id: XXX
Replay-Nonce: XXX
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 21 Nov 2016 19:16:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Nov 2016 19:16:43 GMT
Connection: keep-alive
'
[Mon 21 Nov 2016 19:16:43 GMT] _CACHED_NONCE='XXX'
[Mon 21 Nov 2016 19:16:43 GMT] nonce='XXX'
[Mon 21 Nov 2016 19:16:43 GMT] POST
[Mon 21 Nov 2016 19:16:43 GMT] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Mon 21 Nov 2016 19:16:43 GMT] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XX-XX-MRmd-3Yfp8NEyBl8Vg0po_GypSGzFTC8x4CIRl_HFZlRlTwnI9aKx3FGIMVtMm2w"}}, "protected": "XX", "payload": "XX", "signature": "XX-ayTcFVuA"}'
[Mon 21 Nov 2016 19:16:43 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header --trace-ascii /var/folders/b4/y3_m1qtd4p34v1_kwpgg3vrc0000gn/T/tmp.VtlyTDI8 '
[Mon 21 Nov 2016 19:16:44 GMT] _ret='0'
[Mon 21 Nov 2016 19:16:44 GMT] original='{
"identifier": {
"type": "dns",
"value": "test.awsroute53.acme.sh"
},
"status": "pending",
"expires": "2016-11-28T19:16:44.695898977Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/J-XX-XX/17091245",
"token": "XX-bjRNIXu8"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/J-XX-XX/17091246",
"token": "XX-"
},
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/J-XXX-XX/17091247",
"token": "XXX"
}
],
"combinations": [
[
2
],
[
1
],
[
0
]
]
}'
[Mon 21 Nov 2016 19:16:44 GMT] responseHeaders='HTTP/1.1 100 Continue
Expires: Mon, 21 Nov 2016 19:16:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 1017
Boulder-Request-Id: XXX
Boulder-Requester: 470416
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/J-XX-XXX
Replay-Nonce: Uh3IspfyWokMKKrcjdCcnTpmyETG0zicYY_OdzgazME
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 21 Nov 2016 19:16:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Nov 2016 19:16:44 GMT
Connection: keep-alive
'
[Mon 21 Nov 2016 19:16:44 GMT] response='{"identifier":{"type":"dns","value":"test.awsroute53.acme.sh"},"status":"pending","expires":"2016-11-28T19:16:44.695898977Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/J--p3XpLi3KeHOGOrdU_Jc20/17091245","token":"Ta74uqR6xr2IHSHsPMFe2t8p8__hNV7shN-bjRNIXu8"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/J--p3XpLi3KeHOGOrdU_Jc20/17091246","token":"-iUBouQ_iPp9uwx_BRVwbE0Z7pnk"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/J--/17091247","token":""}],"combinations":[[2],[1],[0]]}'
[Mon 21 Nov 2016 19:16:44 GMT] code='201'
[Mon 21 Nov 2016 19:16:44 GMT] The new-authz request is ok.
[Mon 21 Nov 2016 19:16:44 GMT] entry='"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/J--XXX/17091247","token":""'
[Mon 21 Nov 2016 19:16:44 GMT] token=''
[Mon 21 Nov 2016 19:16:44 GMT] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/J--XXX/17091247'
[Mon 21 Nov 2016 19:16:44 GMT] keyauthorization='.XXX'
[Mon 21 Nov 2016 19:16:44 GMT] dvlist='test.awsroute53.acme.sh#.XXX#https://acme-staging.api.letsencrypt.org/acme/challenge/J--XX/17091247#dns-01#dns_aws'
[Mon 21 Nov 2016 19:16:44 GMT] txtdomain='_acme-challenge.test.awsroute53.acme.sh'
[Mon 21 Nov 2016 19:16:44 GMT] txt='T-XXX'
[Mon 21 Nov 2016 19:16:45 GMT] d_api='/Users/fernando/.acme.sh/dnsapi/dns_aws.sh'
[Mon 21 Nov 2016 19:16:45 GMT] Found domain api file: /Users/fernando/.acme.sh/dnsapi/dns_aws.sh
[Mon 21 Nov 2016 19:16:45 GMT] 61:AWS_ACCESS_KEY_ID='XXX'
[Mon 21 Nov 2016 19:16:45 GMT] 62:AWS_SECRET_ACCESS_KEY='XXX'
[Mon 21 Nov 2016 19:16:45 GMT] First detect the root zone
[Mon 21 Nov 2016 19:16:45 GMT] mtd='GET'
[Mon 21 Nov 2016 19:16:45 GMT] ep='2013-04-01/hostedzone'
[Mon 21 Nov 2016 19:16:45 GMT] qsr
[Mon 21 Nov 2016 19:16:45 GMT] data
[Mon 21 Nov 2016 19:16:45 GMT] CanonicalURI='/2013-04-01/hostedzone'
[Mon 21 Nov 2016 19:16:45 GMT] CanonicalQueryString
[Mon 21 Nov 2016 19:16:45 GMT] RequestDate='20161121T191645Z'
[Mon 21 Nov 2016 19:16:45 GMT] CanonicalHeaders='host:route53.amazonaws.com
x-amz-date:20161121T191645Z
'
[Mon 21 Nov 2016 19:16:45 GMT] SignedHeaders='host;x-amz-date'
[Mon 21 Nov 2016 19:16:45 GMT] RequestPayload
[Mon 21 Nov 2016 19:16:45 GMT] CanonicalRequest='GET
/2013-04-01/hostedzone
host:route53.amazonaws.com
x-amz-date:20161121T191645Z
host;x-amz-date
XXX'
[Mon 21 Nov 2016 19:16:45 GMT] HashedCanonicalRequest='XXX'
[Mon 21 Nov 2016 19:16:45 GMT] Algorithm='AWS4-HMAC-SHA256'
[Mon 21 Nov 2016 19:16:45 GMT] RequestDateOnly='20161121'
[Mon 21 Nov 2016 19:16:45 GMT] CredentialScope='20161121/us-east-1/route53/aws4_request'
[Mon 21 Nov 2016 19:16:45 GMT] StringToSign='AWS4-HMAC-SHA256
20161121T191645Z
20161121/us-east-1/route53/aws4_request
XXX'
[Mon 21 Nov 2016 19:16:45 GMT] kSecret='XXX'
[Mon 21 Nov 2016 19:16:45 GMT] kSecretH='XXX'
unknown option '-mac'
options are
-c to output the digest with separating colons
-d to output debug info
-hex output as hex dump
-binary output in binary form
-sign file sign digest using private key in file
-verify file verify a signature using public key in file
-prverify file verify a signature using private key in file
-keyform arg key file format (PEM or ENGINE)
-signature file signature to verify
-binary output in binary form
-hmac key create hashed MAC with key
-engine e use engine e, possibly a hardware device.
-md5 to use the md5 message digest algorithm (default)
-md4 to use the md4 message digest algorithm
-md2 to use the md2 message digest algorithm
-sha1 to use the sha1 message digest algorithm
-sha to use the sha message digest algorithm
-sha224 to use the sha224 message digest algorithm
-sha256 to use the sha256 message digest algorithm
-sha384 to use the sha384 message digest algorithm
-sha512 to use the sha512 message digest algorithm
-mdc2 to use the mdc2 message digest algorithm
-ripemd160 to use the ripemd160 message digest algorithm
[Mon 21 Nov 2016 19:16:45 GMT] kDateH
Usage: _hmac hashalg secret [outputhex]
[Mon 21 Nov 2016 19:16:45 GMT] kRegionH
Usage: _hmac hashalg secret [outputhex]
[Mon 21 Nov 2016 19:16:45 GMT] kServiceH
Usage: _hmac hashalg secret [outputhex]
[Mon 21 Nov 2016 19:16:45 GMT] kSigningH
Usage: _hmac hashalg secret [outputhex]
[Mon 21 Nov 2016 19:16:45 GMT] signature
[Mon 21 Nov 2016 19:16:45 GMT] Authorization='AWS4-HMAC-SHA256 Credential=XXX/20161121/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature='
[Mon 21 Nov 2016 19:16:45 GMT] _H3='Authorization: AWS4-HMAC-SHA256 Credential=XXX/20161121/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature='
[Mon 21 Nov 2016 19:16:45 GMT] GET
[Mon 21 Nov 2016 19:16:45 GMT] url='https://route53.amazonaws.com/2013-04-01/hostedzone'
[Mon 21 Nov 2016 19:16:45 GMT] timeout
[Mon 21 Nov 2016 19:16:45 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header --trace-ascii /var/folders/b4/T/tmp.T17pkfMx '
[Mon 21 Nov 2016 19:16:45 GMT] ret='0'
[Mon 21 Nov 2016 19:16:45 GMT] Response error:
IncompleteSignature
[Mon 21 Nov 2016 19:16:46 GMT] invalid domain
[Mon 21 Nov 2016 19:16:46 GMT] Error add txt for domain:_acme-challenge.test.awsroute53.acme.sh
[Mon 21 Nov 2016 19:16:46 GMT] pid
[Mon 21 Nov 2016 19:16:46 GMT] _clearupdns
[Mon 21 Nov 2016 19:16:46 GMT] Dns not added, skip.
[Mon 21 Nov 2016 19:16:46 GMT] _on_issue_err
[Mon 21 Nov 2016 19:16:46 GMT] Please add '--debug' or '--log' to check more details.
[Mon 21 Nov 2016 19:16:46 GMT] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon 21 Nov 2016 19:16:46 GMT] Diagnosis versions:
openssl:
OpenSSL 0.9.8zh 14 Jan 2016
apache:
apache doesn't exists.
nc:
usage: nc [-46AacCDdEFhklMnOortUuvz] [-K tc] [-b boundif] [-i interval] [-p source_port] [--apple-delegate-pid pid] [--apple-delegate-uuid uuid]
[-s source_ip_address] [-w timeout] [-X proxy_version]
[-x proxy_address[:port]] [hostname] [port[s]]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-A Set SO_RECV_ANYIF on socket
-a Set SO_AWDL_UNRESTRICTED on socket
-b ifbound Bind socket to interface
-c Send CRLF as line-ending
-C Don't use cellular connection
-D Enable the debug socket option
-d Detach from stdin
-E Don't use expensive interfaces
-F Do not use flow advisory (flow adv enabled by default)
-G conntimo Connection timeout in seconds
-h This help text
-H keepidle Initial idle timeout in seconds
-I keepintvl Interval for repeating idle timeouts in seconds
-i secs Delay interval for lines sent, ports scanned
-J keepcnt Number of times to repeat idle timeout
-k Keep inbound sockets open for multiple connects
-K tclass Specify traffic class
-l Listen mode, for inbound connects
-L num_probes Number of probes to send before generating a read timeout event
-m Set SO_INTCOPROC_ALLOW on socket
-n Suppress name/port resolutions
-M Use MULTIPATH domain socket
-N num_probes Number of probes to send before generating a write timeout event
-O Use old-style connect instead of connectx
-p port Specify local port for remote connects (cannot use with -l)
-r Randomize remote ports
-s addr Local source address
-t Answer TELNET negotiation
-U Use UNIX domain socket
-u UDP mode
-v Verbose
-w secs Timeout for connects and final net reads
-X proto Proxy protocol: "4", "5" (SOCKS) or "connect"
-x addr[:port] Specify proxy address and port
-z Zero-I/O mode [used for scanning]
-o Issue socket options after connect/bind
--apple-delegate-pid pid Set socket as delegate using pid
Port numbers can be individual or ranges: lo-hi [inclusive]
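What the log above shows is the Signature Version 4 flow inside dns_aws.sh failing at the key-derivation step: the script computes kSecret, then chains HMAC-SHA256 through the date, region, service and the literal "aws4_request" to get the signing key, but OpenSSL 0.9.8 does not know `openssl dgst -mac HMAC`, so every `_hmac` call returns nothing, the Authorization header ends in an empty `Signature=` and Route 53 replies `IncompleteSignature`. The following is an added example, not acme.sh's code: the same SigV4 steps for the GET /2013-04-01/hostedzone request from the log, done with Python's standard `hmac` and `hashlib` modules so the canonical request, credential scope, string to sign and signing-key chain can be inspected independently of the openssl binary. The access key, secret and request date are constructed values; the canonical request layout (empty query line, canonical headers block ending in a newline, hash of an empty payload) is the standard SigV4 layout, not copied from the script.

```python
"""Added example (not acme.sh code): the AWS Signature Version 4 steps that
dns_aws.sh performs for a Route 53 request, using Python's stdlib instead of
`openssl dgst -mac HMAC`. All credentials below are constructed, not real."""
import hashlib
import hmac
from typing import Dict, Tuple

ALGORITHM = "AWS4-HMAC-SHA256"

# Constructed sample inputs; the request shape is the ListHostedZones call
# from the debug log (GET /2013-04-01/hostedzone, signed headers host;x-amz-date).
ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
AMZ_DATE = "20161121T191645Z"
REGION, SERVICE = "us-east-1", "route53"


def canonical_request(method: str, uri: str, query: str,
                      headers: Dict[str, str], payload: bytes) -> Tuple[str, str]:
    """Build the SigV4 canonical request; returns (text, signed_headers)."""
    names = sorted(headers, key=str.lower)
    signed = ";".join(n.lower() for n in names)
    # canonical headers block: lowercase name, trimmed value, one per line,
    # and the block itself ends with a newline (hence the blank line in the text)
    canon_headers = "".join(f"{n.lower()}:{headers[n].strip()}\n" for n in names)
    text = "\n".join([method, uri, query, canon_headers, signed,
                      hashlib.sha256(payload).hexdigest()])
    return text, signed


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning: the HMAC chain the
    log shows as kDateH/kRegionH/kServiceH/kSigningH, which came out empty
    there because the old openssl rejected `-mac HMAC`."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def string_to_sign(amz_date: str, scope: str, canonical: str) -> str:
    return "\n".join([ALGORITHM, amz_date, scope,
                      hashlib.sha256(canonical.encode()).hexdigest()])


def sign_request(method: str, uri: str, query: str, headers: Dict[str, str],
                 payload: bytes, access_key: str, secret: str,
                 amz_date: str, region: str, service: str) -> Dict[str, str]:
    """Return the intermediate values acme.sh logs plus the Authorization header."""
    date_only = amz_date[:8]
    scope = f"{date_only}/{region}/{service}/aws4_request"
    canonical, signed = canonical_request(method, uri, query, headers, payload)
    sts = string_to_sign(amz_date, scope, canonical)
    key = signing_key(secret, date_only, region, service)
    signature = hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()
    return {
        "CanonicalRequest": canonical,
        "CredentialScope": scope,
        "StringToSign": sts,
        "Signature": signature,
        "Authorization": f"{ALGORITHM} Credential={access_key}/{scope}, "
                         f"SignedHeaders={signed}, Signature={signature}",
    }


def list_hosted_zones_signing() -> Dict[str, str]:
    """The GET /2013-04-01/hostedzone request from the log, signed end to end."""
    headers = {"host": "route53.amazonaws.com", "x-amz-date": AMZ_DATE}
    return sign_request("GET", "/2013-04-01/hostedzone", "", headers, b"",
                        ACCESS_KEY, SECRET_KEY, AMZ_DATE, REGION, SERVICE)


if __name__ == "__main__":
    for name, value in list_hosted_zones_signing().items():
        print(f"{name}=\n{value}\n")
```

A quick sanity check on any SigV4 implementation is that the Authorization header never ends in a bare `Signature=`: a signature is always 64 hex characters, so an empty one means the HMAC step itself failed (here, an unsupported openssl option) rather than the request being malformed.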
@FernandoMiguel
It seems that your openssl is too old, please upgrade your openssl first.
Anyway, I will fix it to give a nice error message in this case.
Thanks.
@Neilpang
I've updated the AWS policy for your account to reflect some new changes.
I did a quick test and it seemed to work.
If you find that the new policy broke your access to Route53, please let me know so I can fix it.
cheers
@FernandoMiguel
Got it, thank you.