Route53 DNS Challenge fails for hosted zone that is not a "root" zone

[david-igou]

I'm attempting a Route53 DNS Challenge for a domain foo.bar.example.com, in my AWS dashboard, my hosted zone name is bar.example.com

This fails on task Creating challenge DNS entries for foo.bar.example.com via Route53 with Zone example.com. does not exist in Route53

So the logic here: https://github.com/felixfontein/ansible-acme/blob/main/roles/acme_certificate/tasks/dns-route53-create.yml#L10

is setting zone to example.com instead of the desired bar.example.com

A quick work around is adding a variable to leverage the hosted zone id parameter in the aws module. But there could be a cleaner way..

[felixfontein]

The problem is that you can have multiple DNS names in the same certificate that belong to different zones, so simply allowing to provide the hosted zone ID doesn't solve the problem. Probably a mechanism similar to acme_certificate_dns_substitution would be better, where you could provide IDs for different zones and the role selects the best fitting zone ID for every DNS name.