I requested an SSL certificate using DNS authentication. When attempting to add the TXT record, I received ‘not authorized to perform: route53:GetChange’. However, I was still issued an SSL certificate anyway:
2020-07-06 15:49:43.298 -07:00 [INF] Performing automated challenge responses (xxx.xxxxx.com)
2020-07-06 15:49:43.306 -07:00 [INF] DNS: Creating TXT Record '_acme-challenge.xxxxx.xxxxxx.com' with value 'pYzh4UxIUYyrQ0K_e6du1EBRNIgeO1W-Vpfg7qj-IH8', in Zone Id 'ZYZYZYZYZX' using API provider 'Amazon Route 53 DNS API'
2020-07-06 15:49:44.394 -07:00 [ERR] DNS update failed: Amazon Route 53 DNS API :: Dns Record Create/Update: _acme-challenge.xxx.xxxxx.com - User: arn:aws:iam::979797977:user/UserName is not authorized to perform: route53:GetChange on resource: arn:aws:route53:::change/H808089890PH
2020-07-06 15:49:44.395 -07:00 [INF] Requesting Validation: xxx.xxxxx.com
2020-07-06 15:50:44.794 -07:00 [INF] Attempting Challenge Response Validation for Domain: xxx.xxxxx.com
2020-07-06 15:50:44.794 -07:00 [INF] Registering and Validating xxx.xxxxx.com
2020-07-06 15:50:44.794 -07:00 [INF] Checking automated challenge response for Domain: xxx.xxxxx.com
2020-07-06 15:50:44.922 -07:00 [WRN] Challenge response validation still pending. Re-checking ..
2020-07-06 15:50:46.676 -07:00 [INF] Domain validation completed: xxx.xxxxx.com
The ‘UserName’ user does have permission in AWS to ‘route53:GetChange’.
Testing with a browser on a client machine configured with a host file shows the certificate as valid.
Does this mean we have a permissions issue, or should we be ignoring this warning?