Route 53 allows multiple zones with the same name to co-exist in an
account. The most common use case for this is a split-view DNS with one
private and one public zone for the same domain name. This patch makes
sure we don’t ever provision the authorization record to the private
zone.
The other case where a user has multiple public zones with the same
name is not covered here since this would require a bigger change in
code in order to determine which of the zones is active from the
viewpoint of the internet. Also this is probably an edge use case that
can be addressed once it comes up in the issues.
I have modified the official Dockerfile and made two changes
- Each RUN instruction creates an additional layer in the docker image. Adding files in one RUN instruction and deleting it in another RUN instruction will not reduce the size of the image. I used a single RUN command so that all the package/file removal happens in the same command in which the package installation happens, so that no additional layers are created.
- Similar to RUN statement, ADD instruction also creates an additional layer. Using git clone in the RUN statement and deleting it within the same statement ensures that an additional layer with source files is not added.
Added a slice of NS to be used when retrying queries. Also used with FindZoneByFqdn()
Adjusted 2 error messages given to better differentiate the returned error string
This patch adds code to only parse the HTTP response body as JSON if the
content-type header advertises the content as JSON. In my case, the
directory server was unavailable: it returned a 503 HTTP response code
with an HTML document, and the only thing lego reported was:
2016/04/04 19:12:56 Could not create client: get directory at 'https://acme-v01.api.letsencrypt.org/directory': invalid character '<' looking for beginning of value
This was caused by trying to parse the document body (HTML) as JSON,
without looking at the content-type header and returning the JSON parse
error.
Fully backwards compatible in terms of credential mechanisms
(environment variables, shared credentials file, EC2 metadata). If a
custom AWS IAM policy is in use it needs to be updated with permissions
for the route53:ListHostedZonesByName action.