dnsrobocert
v3.25.0 truncates domain name leading to Exception with cloudflare
In v3.25.0, when using Cloudflare as the provider, it raises the following exception:
```
Executing auth hook for domain example.net, lineage example.net.
2024-01-26 08:48:32,230:WARNING:certbot.display.ops:Hook '--manual-auth-hook' for example.net ran with error output:
Error while executing the auth hook:
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/dnsrobocert/core/hooks.py", line 40, in main
    globals()[parsed_args.type](dnsrobocert_config, parsed_args.lineage)
  File "/usr/local/lib/python3.11/site-packages/dnsrobocert/core/hooks.py", line 61, in auth
    txt_challenge(certificate, profile, token, domain, action="create")
  File "/usr/local/lib/python3.11/site-packages/dnsrobocert/core/challenge.py", line 52, in txt_challenge
    with Client(ConfigResolver().with_dict(config_dict)) as operations:
  File "/usr/local/lib/python3.11/site-packages/lexicon/client.py", line 168, in __enter__
    raise e
  File "/usr/local/lib/python3.11/site-packages/lexicon/client.py", line 161, in __enter__
    provider.authenticate()
  File "/usr/local/lib/python3.11/site-packages/lexicon/_private/providers/cloudflare.py", line 54, in authenticate
    raise AuthenticationError("No domain found)
lexicon.exceptions.AuthenticationError: No domain found
```
This is due to `resolve_zone_name` being set to `True` in file `challenge.py`, which triggers lexicon's `Client` to call `dns.resolver.zone_for_name(domain)`. This truncates the domain name from `example.net` to just `net`, leading to the exception above. If I manually set `resolve_zone_name` to `False`, everything works the same as in v3.24.x.
I have tested using:

- Global API key with `auth_username` and `auth_token`
- Unscoped API token with `auth_token`

Both methods give the above exception.
I am using the below config:
```yaml
acme:
  staging: false
  certs_permissions:
    dirs_mode: 493
    files_mode: 420
  crontab_renew: 0 4 * * *
  email_account: [email protected]
profiles:
  - name: cloudflare
    provider: cloudflare
    provider_options:
      auth_token: <unscoped API token>
    sleep_time: 600
certificates:
  - name: example.net
    domains:
      - example.net
      - '*.example.net'
    profile: cloudflare
    pfx:
      export: true
      passphrase: **********
    force_renew: false
```
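The failure described in this report comes from an ancestor walk: a zone-resolution helper climbs the label tree until it sees an SOA answer, and if the answer for `example.net` never arrives it keeps climbing to `net`, a zone no provider account can write TXT records into. The following is an added example, not code from dnsrobocert or lexicon: it re-implements that walk in a simplified form with an injectable SOA lookup (the `HEALTHY_SOA` and `BROKEN_SOA` tables are constructed for this example), reproduces the truncation offline, and shows the plausibility check a caller can apply before trusting the resolved zone, falling back to the configured domain the way `resolve_zone_name: false` does.

```python
"""Offline reproduction of the zone-truncation failure mode, plus a sanity
check for the resolved zone. The walk-up below is a simplified
re-implementation written for this example, not dnspython's zone_for_name.
"""

from typing import Callable

# Constructed: names for which the fake resolver returns an SOA answer.
HEALTHY_SOA = {"example.net", "net", "."}
# Constructed: a resolver that never sees the example.net SOA, so the walk
# keeps climbing until it reaches the bare TLD.
BROKEN_SOA = {"net", "."}


def walk_up_zone(domain: str, has_soa: Callable[[str], bool]) -> str:
    """Return the first ancestor of `domain` (itself included) for which
    has_soa() is true, or '.' if nothing matches. This mirrors the
    ancestor walk that zone-resolution helpers perform."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if has_soa(candidate):
            return candidate
    return "."


def zone_is_plausible(domain: str, zone: str) -> bool:
    """Reject a zone that is not a suffix of `domain` or that has fewer than
    two labels: a bare TLD such as 'net' can never be a zone the DNS
    provider lets this account manage."""
    d = domain.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    if not z or z.count(".") < 1:
        return False
    return d == z or d.endswith("." + z)


def pick_zone(domain: str, has_soa: Callable[[str], bool],
              fallback_to_domain: bool = True) -> str:
    """Resolve the zone for `domain` and refuse implausible results.
    With fallback_to_domain=True the configured domain is used as the zone,
    which is the behaviour the report gets with resolve_zone_name: false."""
    zone = walk_up_zone(domain, has_soa)
    if zone_is_plausible(domain, zone):
        return zone
    if fallback_to_domain:
        return domain.rstrip(".")
    raise ValueError(f"resolved zone {zone!r} for {domain!r} is implausible")


if __name__ == "__main__":
    # Healthy resolver: example.net resolves to itself.
    print(pick_zone("example.net", HEALTHY_SOA.__contains__))
    # Broken resolver: the raw walk yields 'net'; the guard falls back.
    print(walk_up_zone("example.net", BROKEN_SOA.__contains__))
    print(pick_zone("example.net", BROKEN_SOA.__contains__))
```

`walk_up_zone` on its own reproduces the report exactly: with the broken table it returns `net`, which is the value that reaches the provider and produces "No domain found". The guard in `pick_zone` is the check worth having in front of any zone resolver, whether the fallback is the configured domain or a hard error that surfaces the resolver problem instead of a misleading authentication failure.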
It's the same on the duckdns provider. I had to downgrade the dnsrobocert docker container to 3.24.2 otherwise the certs can't be issued/renewed for this same reason.
In my case (Cloudflare, I had set up the email):
```
2024-05-03 11:20:47 tn-jail-docker dnsrobocert.core.main[21] INFO Starting DNSroboCert.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/dnsrobocert/logs/letsencrypt.log or re-run Certbot with -v for more details.
2024-05-03 11:20:47 tn-jail-docker dnsrobocert.core.main[21] INFO Registering ACME account if needed.
2024-05-03 11:20:47 tn-jail-docker dnsrobocert.core.utils[21] INFO Launching command: /usr/local/bin/python -m dnsrobocert.core.certbot register -n --user-agent-comment DNSroboCert/3.25.0 --preferred-chain "ISRG Root X1" --config-dir /data/dnsrobocert --work-dir /data/dnsrobocert/workdir --logs-dir /data/dnsrobocert/logs -m [email protected] --agree-tos --server https://acme-v02.api.letsencrypt.org/directory
----------
An unexpected error occurred:
Saving debug log to /data/dnsrobocert/logs/letsencrypt.log
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f5539ca4e60>: Failed to establish a new connection: [Errno -3] Try again'))
2024-05-03 11:20:52 tn-jail-docker dnsrobocert.core.main[21] INFO Creating missing certificates if needed (~1min for each)
2024-05-03 11:20:52 tn-jail-docker dnsrobocert.core.certbot[21] INFO Handling the certificate for domain(s): h.rexzhang.com, *.h.rexzhang.com
2024-05-03 11:20:52 tn-jail-docker dnsrobocert.core.utils[21] INFO Launching command: /usr/local/bin/python -m dnsrobocert.core.certbot certonly -n --user-agent-comment DNSroboCert/3.25.0 --preferred-chain "ISRG Root X1" --config-dir /data/dnsrobocert --work-dir /data/dnsrobocert/workdir --logs-dir /data/dnsrobocert/logs --manual --preferred-challenges=dns --manual-auth-hook "/usr/local/bin/python -m dnsrobocert.core.hooks -t auth -c \"/tmp/tmpdwt709bq/dnsrobocert-runtime.yml\" -l \"h.rexzhang.com\"" --manual-cleanup-hook "/usr/local/bin/python -m dnsrobocert.core.hooks -t cleanup -c \"/tmp/tmpdwt709bq/dnsrobocert-runtime.yml\" -l \"h.rexzhang.com\"" --expand --deploy-hook "/usr/local/bin/python -m dnsrobocert.core.hooks -t deploy -c \"/tmp/tmpdwt709bq/dnsrobocert-runtime.yml\" -l \"h.rexzhang.com\"" --server https://acme-v02.api.letsencrypt.org/directory --cert-name h.rexzhang.com --key-type rsa -d h.rexzhang.com -d *.h.rexzhang.com
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.
```