ツー

Daily log

Can't obtain a certificate with lego from an AWS EC2 instance

Conclusion

When using lego with Let's Encrypt from EC2, allow outbound UDP port 53 (in the security group).

Background

Data in the logs below has been masked as appropriate.

Running it exactly as documented just times out and doesn't work.

[ec2-user@ip-172-31-20-114 ~]$ ./lego --server=https://acme-staging-v02.api.letsencrypt.org/directory --accept-tos --dns=route53 --domains=test.example.com --email=myaddress@gmail.com run
2021/06/28 16:31:32 [INFO] [test.example.com] acme: Obtaining bundled SAN certificate
2021/06/28 16:31:32 [INFO] [test.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/77091017
2021/06/28 16:31:32 [INFO] [test.example.com] acme: Could not find solver for: tls-alpn-01
2021/06/28 16:31:32 [INFO] [test.example.com] acme: Could not find solver for: http-01
2021/06/28 16:31:32 [INFO] [test.example.com] acme: use dns-01 solver
2021/06/28 16:31:32 [INFO] [test.example.com] acme: Preparing to solve DNS-01
2021/06/28 16:31:34 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]
2021/06/28 16:32:00 [INFO] [test.example.com] acme: Trying to solve DNS-01
2021/06/28 16:32:00 [INFO] [test.example.com] acme: Checking DNS record propagation using [172.31.0.2:53]
2021/06/28 16:32:04 [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]
2021/06/28 16:32:14 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2021/06/28 16:32:29 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2021/06/28 16:32:43 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2021/06/28 16:32:57 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2021/06/28 16:33:11 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2021/06/28 16:33:25 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2021/06/28 16:33:39 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2021/06/28 16:33:53 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2021/06/28 16:34:07 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2021/06/28 16:34:11 [INFO] [test.example.com] acme: Cleaning DNS-01 challenge
2021/06/28 16:34:12 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]
2021/06/28 16:34:43 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/77091017
2021/06/28 16:34:43 Could not obtain certificates:
        error: one or more domains had a problem:
[test.example.com] time limit exceeded: last error: read udp 172.31.20.114:46348->205.251.192.158:53: i/o timeout

After puzzling over it for about an hour, the following page gave me the flash of insight.

https://blog.komeho.info/2021/01/18/22252/

It didn't state the answer directly, but it described not being able to reach Google DNS at 8.8.8.8, which made me realize the port might simply not be open. Sure enough, once I allowed UDP 53 in the security group, the certificate came through as if nothing had ever been wrong.

[ec2-user@ip-172-31-20-114 ~]$ ./lego --server=https://acme-staging-v02.api.letsencrypt.org/directory --accept-tos --dns=route53 --domains=test.example.com --email=myaddress@gmail.com run
2021/06/28 16:52:23 [INFO] [test.example.com] acme: Obtaining bundled SAN certificate
2021/06/28 16:52:24 [INFO] [test.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/77103657
2021/06/28 16:52:24 [INFO] [test.example.com] acme: Could not find solver for: tls-alpn-01
2021/06/28 16:52:24 [INFO] [test.example.com] acme: Could not find solver for: http-01
2021/06/28 16:52:24 [INFO] [test.example.com] acme: use dns-01 solver
2021/06/28 16:52:24 [INFO] [test.example.com] acme: Preparing to solve DNS-01
2021/06/28 16:52:25 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]
2021/06/28 16:53:05 [INFO] [test.example.com] acme: Trying to solve DNS-01
2021/06/28 16:53:05 [INFO] [test.example.com] acme: Checking DNS record propagation using [172.31.0.2:53]
2021/06/28 16:53:09 [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]
2021/06/28 16:53:15 [INFO] [test.example.com] The server validated our request
2021/06/28 16:53:15 [INFO] [test.example.com] acme: Cleaning DNS-01 challenge
2021/06/28 16:53:16 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]
2021/06/28 16:53:43 [INFO] [test.example.com] acme: Validations succeeded; requesting certificates
2021/06/28 16:53:44 [INFO] [test.example.com] Server responded with a certificate.

Apparently DNS can use either TCP or UDP.

https://docs.microsoft.com/ja-jp/troubleshoot/windows-server/networking/dns-works-on-tcp-and-udp
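To confirm that the security group is the culprit before changing it, here is a small probe I am adding to this post (my own example, not code from the original post or from lego): it sends one DNS query for a constructed _acme-challenge name to the Route 53 nameserver that appears in the failing log, first over UDP and then over TCP. If UDP times out while TCP answers, the outbound UDP/53 rule is what's missing, which is exactly the "read udp ... i/o timeout" lego reported. The nameserver address is taken from the log above; the hostname is a constructed sample.

```python
import socket
import struct

ACME_NAME = "_acme-challenge.test.example.com"  # constructed sample: lego's DNS-01 TXT name

def build_query(name: str, qtype: int = 16, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: fixed ID, RD=1, one question, class IN (16 = TXT)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def response_matches(query: bytes, response: bytes) -> bool:
    """True if the reply carries our transaction ID and the QR (response) bit."""
    if len(response) < 12:
        return False
    txid, flags = struct.unpack("!HH", response[:4])
    return txid == struct.unpack("!H", query[:2])[0] and bool(flags & 0x8000)

def probe(ns_ip: str, name: str = ACME_NAME, proto: str = "udp", timeout: float = 3.0) -> str:
    """Send one query over 'udp' or 'tcp'; return 'ok', 'timeout' or 'error: ...'."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (ns_ip, 53))
                data, _ = s.recvfrom(512)
        else:  # TCP DNS prefixes each message with a 2-byte length
            with socket.create_connection((ns_ip, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", s.recv(2))
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
        return "ok" if response_matches(query, data) else "error: unexpected reply"
    except socket.timeout:
        return "timeout"
    except (OSError, struct.error) as exc:
        return f"error: {exc}"

if __name__ == "__main__":
    # Route 53 nameserver from the failing lego log; UDP timeout + TCP ok = SG blocks UDP/53.
    for proto in ("udp", "tcp"):
        print(f"{proto}: {probe('205.251.192.158', proto=proto)}")
```

Run it on the instance before and after editing the security group; an "error: ..." result rather than "timeout" usually means the packet was refused or routed nowhere rather than silently dropped by the security group.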

Certbot had worked fine even without UDP open, so I got thoroughly stuck on this one.

And that's that.