{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/ZZZZZZZZ"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "route53:ListHostedZonesByName",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "route53:ListResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/ZZZZZZZZ"
        }
    ]
}

FROM caddy:2.3.0-builder-alpine AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/route53

FROM caddy:2.3.0-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

COPY Caddyfile /etc/caddy/Caddyfile

www.mydomain.com
reverse_proxy 127.0.0.1:3000
tls {
  dns route53 {
    max_retries 10
    aws_profile ""
  }
}

root@ip-10-0-0-17:~# docker logs caddy
{"level":"info","ts":1631101549.0512967,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1631101549.0558064,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1631101549.0587218,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1631101549.0589776,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1631101549.06152,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002e12d0"}
{"level":"info","ts":1631101549.0621595,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["www.mydomain.com"]}
{"level":"info","ts":1631101549.0632653,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1631101549.0637987,"msg":"serving initial configuration"}
{"level":"info","ts":1631101549.0639155,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1631101549.0643346,"logger":"tls.obtain","msg":"acquiring lock","identifier":"www.mydomain.com"}
{"level":"info","ts":1631101549.0663319,"logger":"tls.obtain","msg":"lock acquired","identifier":"www.mydomain.com"}
{"level":"info","ts":1631101549.981814,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["www.mydomain.com"]}
{"level":"info","ts":1631101549.9818606,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["www.mydomain.com"]}
{"level":"info","ts":1631101550.898957,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.mydomain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1631101551.5204628,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"www.mydomain.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for www.mydomain.com (probably OK if presenting failed)"}
{"level":"error","ts":1631101551.7166426,"logger":"tls.obtain","msg":"will retry","error":"[www.mydomain.com] Obtain: [www.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone mydomain.com.: InvalidChangeBatch: InvalidChangeBatch: [Tried to create resource record set [name='_acme-challenge.www.mydomain.com.mydomain.com.', type='TXT'] but it already exists]\n\tstatus code: 400, request id: 4d3c4fea-681a-4c09-8965-7fd2fb111dfd (order=https://acme-v02.api.letsencrypt.org/acme/order/192612760/22920570770) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.650090972,"max_duration":2592000}
{"level":"info","ts":1631101612.867892,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.mydomain.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1631101613.3855636,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"www.mydomain.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for www.mydomain.com (probably OK if presenting failed)"}
{"level":"error","ts":1631101613.5276074,"logger":"tls.obtain","msg":"will retry","error":"[www.mydomain.com] Obtain: [www.mydomain.com] solving challenges: presenting for challenge: adding temporary record for zone mydomain.com.: InvalidChangeBatch: InvalidChangeBatch: [Tried to create resource record set [name='_acme-challenge.www.mydomain.com.mydomain.com.', type='TXT'] but it already exists]\n\tstatus code: 400, request id: 8cfb3e00-9657-453d-b867-5e2193a54623 (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/25931808/488611558) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":64.461055717,"max_duration":2592000}
{"level":"info","ts":1631101735.2945147,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.mydomain.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1631101876.6568108,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/25931808/488621888"}
{"level":"info","ts":1631101878.9950337,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa47a21093c8f08654bbf8d740f229b28fdd"}
{"level":"info","ts":1631101878.9953816,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["www.mydomain.com"]}
{"level":"info","ts":1631101878.9954185,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["www.mydomain.com"]}
{"level":"info","ts":1631101880.0348005,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"www.mydomain.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1631102028.8770761,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/192612760/22921420555"}
{"level":"info","ts":1631102029.8177788,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/0412ef9b7a225e28e353c35d0a1119f972cc"}
{"level":"info","ts":1631102029.818293,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"www.mydomain.com"}
{"level":"info","ts":1631102029.8183181,"logger":"tls.obtain","msg":"releasing lock","identifier":"www.mydomain.com"}

    // plug in Caddy modules here
    _ "github.com/caddyserver/caddy/v2/modules/standard"
    _ "github.com/caddy-dns/route53"

caddyaws2023  | {"level":"error","ts":1675008197.5518668,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"testicule.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.testicule.example.com - check that a DNS record exists for this domain"}
caddyaws2023  | {"level":"info","ts":1675008197.552192,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["testicule.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"[email protected]"}
caddyaws2023  | {"level":"info","ts":1675008197.5522494,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["testicule.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"[email protected]"}
caddyaws2023  | {"level":"info","ts":1675008212.2545922,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"testicule.example.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
caddyaws2023  | {"level":"info","ts":1675008236.4299083,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme.zerossl.com/v2/DV90/order/A-Ipu8zXJvrtt8Tit59eNA"}
caddyaws2023  | {"level":"info","ts":1675008282.009358,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":"https://acme.zerossl.com/v2/DV90/cert/ov2FO9h15NjWjCThsQBhkA"}
caddyaws2023  | {"level":"info","ts":1675008282.009628,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"testicule.example.com"}
caddyaws2023  | {"level":"info","ts":1675008282.0096378,"logger":"tls.obtain","msg":"releasing lock","identifier":"testicule.example.com"}

{$DOMAIN}:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  tls {
    dns route53 {
      max_retries 10
      aws_profile {$aws_profile}
      access_key_id {$access_key_id}
      secret_access_key {$secret_access_key}

    }
  }
  reverse_proxy code-server:8443
}

#  curl --verbose --output /usr/local/bin/caddy 'https://caddyserver.com/api/download?os=linux&arch=arm64'

# curl --verbose --output /usr/local/bin/caddy 'https://caddyserver.com/api/download?os=linux&arch=arm64&p=github.com%2Fcaddy-dns%2Froute53'

go get: added google.golang.org/protobuf v1.27.1
2023/03/14 07:17:14 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/caddy-dns/route53
github.com/caddy-dns/route53 imports
	github.com/caddyserver/caddy/v2 imports
	net/netip: package net/netip is not in GOROOT (/usr/local/go/src/net/netip)

#0 30.13 panic: internal error: can't find reason for requirement on github.com/google/[email protected]

--with github.com/caddy-dns/[email protected]

tls {
	dns route53 {
		aws_profile "my_profile"
		max_retries 1
	}
	dns_challenge_override_domain appsite.com
}

go get github.com/caddy-dns/route53
go: downloading github.com/caddy-dns/route53 v1.1.0
go: github.com/caddy-dns/route53 upgrade => v1.1.0
go: downloading github.com/libdns/route53 v1.0.1
# github.com/caddy-dns/route53
../../../../../../pkg/mod/github.com/caddy-dns/[email protected]/route53.go:32:12: p.Provider.AWSProfile undefined (type *"github.com/libdns/route53".Provider has no field or method AWSProfile)
../../../../../../pkg/mod/github.com/caddy-dns/[email protected]/route53.go:60:16: p.Provider.AWSProfile undefined (type *"github.com/libdns/route53".Provider has no field or method AWSProfile)

*.mysite, mysite {
tls {
		 dns route53 {
    max_retries 10 
    aws_profile "my profile" 
    access_key_id "my-profile-access-key" 
    secret_access_key "my-profile-secret-key" 
    token "my-profile-secret-key" 
    region "eu-west-3" 
  }
	}
        root * /var/www/mysite/public
        encode zstd gzip
        file_server
         php_fastcgi unix//var/run/php/php8.2-fpm.sock

}

Jan 21 22:05:17 ip-172-31-39-194 caddy[249127]: {"level":"info","ts":1674338717.9979832,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.testlave.live"}
Jan 21 22:05:18 ip-172-31-39-194 caddy[249127]: {"level":"info","ts":1674338718.422322,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.testlave.live","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Jan 21 22:05:18 ip-172-31-39-194 caddy[249127]: {"level":"error","ts":1674338718.7669091,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.testlave.live","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.testlave.live\" (usually OK if presenting also failed)"}
Jan 21 22:05:18 ip-172-31-39-194 caddy[249127]: {"level":"error","ts":1674338718.9066675,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.testlave.live","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.testlave.live] solving challenges: presenting for challenge: adding temporary record for zone \"testlave.live.\": operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 6563e61e-134a-4fd2-bf70-7607d883a16e, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/84131713/6694827993) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
Jan 21 22:05:20 ip-172-31-39-194 caddy[249127]: {"level":"info","ts":1674338720.8710263,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"*.testlave.live","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
Jan 21 22:05:21 ip-172-31-39-194 caddy[249127]: {"level":"error","ts":1674338721.2110147,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"*.testlave.live","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.testlave.live\" (usually OK if presenting also failed)"}
Jan 21 22:05:21 ip-172-31-39-194 caddy[249127]: {"level":"error","ts":1674338721.700836,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.testlave.live","issuer":"acme.zerossl.com-v2-DV90","error":"[*.testlave.live] solving challenges: presenting for challenge: adding temporary record for zone \"testlave.live.\": operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 46ad2d23-adcd-40f0-830e-8da7edda790f, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. (order=https://acme.zerossl.com/v2/DV90/order/cM01XC8kmxAyX93orxXaxQ) (ca=https://acme.zerossl.com/v2/DV90)"}
Jan 21 22:05:21 ip-172-31-39-194 caddy[249127]: {"level":"error","ts":1674338721.7011356,"logger":"tls.obtain","msg":"will retry","error":"[*.testlave.live] Obtain: [*.testlave.live] solving challenges: presenting for challenge: adding temporary record for zone \"testlave.live.\": operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 46ad2d23-adcd-40f0-830e-8da7edda790f, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. (order=https://acme.zerossl.com/v2/DV90/order/cM01XC8kmxAyX93orxXaxQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":319.633461226,"max_duration":2592000}

2020/12/08 16:33:12 [INFO] Writing main module: /tmp/buildenv_2020-12-08-1633.970086107/main.go
2020/12/08 16:33:12 [INFO] Initializing Go module
2020/12/08 16:33:12 [INFO] exec (timeout=10s): /usr/local/go/bin/go mod init caddy
go: creating new go.mod: module caddy
2020/12/08 16:33:12 [INFO] Replace github.com/caddy-dns/route53 => /home/<user>/.aws/route53
2020/12/08 16:33:12 [INFO] exec (timeout=10s): /usr/local/go/bin/go mod edit -replace github.com/caddy-dns/route53=/home/<user>/.aws/route53
2020/12/08 16:33:12 [INFO] Pinning versions
2020/12/08 16:33:12 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/caddyserver/caddy/v2
go: github.com/caddyserver/caddy/v2 upgrade => v2.2.2
2020/12/08 16:33:13 [INFO] Build environment ready
2020/12/08 16:33:13 [INFO] Building Caddy
2020/12/08 16:33:13 [INFO] exec (timeout=0s): /usr/local/go/bin/go build -o /home/<user>/.aws/route53/caddy -ldflags -w -s -trimpath
go: found github.com/caddy-dns/route53 in github.com/caddy-dns/route53 v0.0.0-00010101000000-000000000000
# github.com/caddy-dns/route53
/home/ascii17/.aws/route53/route53.go:58:16: p.Provider.AWSProfile undefined (type *"github.com/libdns/route53".Provider has no field or method AWSProfile)
2020/12/08 16:33:14 [INFO] Cleaning up temporary folder: /tmp/buildenv_2020-12-08-1633.970086107
2020/12/08 16:33:14 [ERROR] exit status 2

admin.api.load
admin.api.metrics
caddy.adapters.caddyfile
caddy.listeners.tls
caddy.logging.encoders.console
caddy.logging.encoders.filter
caddy.logging.encoders.filter.delete
caddy.logging.encoders.filter.ip_mask
caddy.logging.encoders.json
caddy.logging.encoders.logfmt
caddy.logging.encoders.single_field
caddy.logging.writers.discard
caddy.logging.writers.file
caddy.logging.writers.net
caddy.logging.writers.stderr
caddy.logging.writers.stdout
caddy.storage.file_system
http
http.authentication.hashes.bcrypt
http.authentication.hashes.scrypt
http.authentication.providers.http_basic
http.encoders.gzip
http.encoders.zstd
http.handlers.acme_server
http.handlers.authentication
http.handlers.encode
http.handlers.error
http.handlers.file_server
http.handlers.headers
http.handlers.map
http.handlers.metrics
http.handlers.push
http.handlers.request_body
http.handlers.reverse_proxy
http.handlers.rewrite
http.handlers.static_response
http.handlers.subroute
http.handlers.templates
http.handlers.vars
http.matchers.expression
http.matchers.file
http.matchers.header
http.matchers.header_regexp
http.matchers.host
http.matchers.method
http.matchers.not
http.matchers.path
http.matchers.path_regexp
http.matchers.protocol
http.matchers.query
http.matchers.remote_ip
http.matchers.vars
http.matchers.vars_regexp
http.reverse_proxy.selection_policies.first
http.reverse_proxy.selection_policies.header
http.reverse_proxy.selection_policies.ip_hash
http.reverse_proxy.selection_policies.least_conn
http.reverse_proxy.selection_policies.random
http.reverse_proxy.selection_policies.random_choose
http.reverse_proxy.selection_policies.round_robin
http.reverse_proxy.selection_policies.uri_hash
http.reverse_proxy.transport.fastcgi
http.reverse_proxy.transport.http
pki
tls
tls.certificates.automate
tls.certificates.load_files
tls.certificates.load_folders
tls.certificates.load_pem
tls.handshake_match.sni
tls.issuance.acme
tls.issuance.internal
tls.issuance.zerossl
tls.stek.distributed
tls.stek.standard

Distributor ID: Ubuntu
Description:    Ubuntu 20.04.1 LTS
Release:        20.04

go version go1.15.6 linux/amd64

v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=

/go/pkg/mod/github.com/eth-limo/[email protected]/route53.go:35:10: p.NewSession undefined (type *Provider has no field or method NewSession)

go get github.com/caddyserver/xcaddy/cmd/xcaddy && \
    xcaddy build v2.5.1 \
      --with github.com/eth-limo/[email protected]

[default]
aws_access_key_id = <YOUR_DEFAULT_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_DEFAULT_SECRET_ACCESS_KEY>

[development]
aws_access_key_id = <YOUR_DEFAULT_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_DEFAULT_SECRET_ACCESS_KEY>

[production]
aws_access_key_id = <YOUR_DEFAULT_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_DEFAULT_SECRET_ACCESS_KEY>

dev.example.com:443 {
  bind {$ADDRESS}
  header X-Robots-Tag noindex
  reverse_proxy /* dev:80 {
      header_up Host "dev.example.com"
  }
  tls {
      dns route53 # from the development aws account
  }
}

prod.example.com:443 {
  bind {$ADDRESS}
  header X-Robots-Tag noindex
  reverse_proxy /* dev:80 {
      header_up Host "prod.example.com"
  }
  tls {
      dns route53 # from the production aws account
  }
}

dev.example.com:443 {
  bind {$ADDRESS}
  header X-Robots-Tag noindex
  reverse_proxy /* dev:80 {
      header_up Host "dev.example.com"
  }
  tls {
      dns cloudflare "redacted-key"
  }
}