certbot-plugin-gandi
Gandi LiveDNS API communication stopped working
Hi, for a little while now I've been getting these errors:
Unable to find or delete the DNS TXT record: <No reason given>
Failed to renew certificate subdomain.example.com with error: An error occurred adding the DNS TXT record: <No reason given>
In the log files I find this:
2022-07-23 18:48:09,169:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-07-23 18:48:09,299:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/subdomain.example.com HTTP/1.1" 404 108
2022-07-23 18:48:09,301:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-07-23 18:48:09,534:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/example.com HTTP/1.1" 200 532
2022-07-23 18:48:09,537:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-07-23 18:48:09,795:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/example.com/records/_acme-challenge.subdomain/TXT HTTP/1.1" 200 209
2022-07-23 18:48:09,797:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-07-23 18:48:10,210:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "PUT /api/v5/domains/example.com/records/_acme-challenge.subdomain/TXT HTTP/1.1" 400 151
2022-07-23 18:48:10,212:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: <No reason given>
2022-07-23 18:48:10,212:ERROR:certbot._internal.renewal:Failed to renew certificate subdomain.example.com with error: An error occurred adding the DNS TXT record: <No reason given>
I tried rotating the key, installing the latest plugin version, etc., but nothing seems to help.
It seems I'm getting an HTTP status code of 200 on GET, but 400 on PUT.
Any ideas?
Hello, linked to #34
It seems the patch in #34 doesn't help, still getting a 400 on PUT:
2022-07-25 13:03:33,018:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-07-25 13:03:34,459:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/subdomain.example.com HTTP/1.1" 404 108
2022-07-25 13:03:34,462:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-07-25 13:03:34,706:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/example.com HTTP/1.1" 200 270
2022-07-25 13:03:34,708:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-07-25 13:03:34,934:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/example.com/records/_acme-challenge.subdomain/TXT HTTP/1.1" 200 200
2022-07-25 13:03:34,936:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-07-25 13:03:35,391:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "PUT /v5/livedns/domains/example.com/records/_acme-challenge.subdomain/TXT HTTP/1.1" 400 151
2022-07-25 13:03:35,392:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: <No reason given>
2022-07-25 13:03:35,393:ERROR:certbot._internal.renewal:Failed to renew certificate subdomain.example.com with error: An error occurred adding the DNS TXT record: <No reason given>
Turns out, Gandi changed their behaviour with "linked zones".
If you have multiple domains using a linked zone, you can no longer use the LiveDNS API to update them. This used to work before.
I contacted Gandi about this, their response:
I'm coming back to you regarding your request about linked zone; dev team answered that this is the normal expected behavior when a linked zone.
So, I'm sorry but we won't change anything on our side, you'll have to unlink domains.
So, not a bug in certbot-plugin-gandi. It might be useful to mention this limitation in the README.md
Thanks!
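A log check for the symptom reported in this thread (the `_acme-challenge` TXT record can be read with a 200 but the write is answered with a 4xx), added here as an example; it is not part of certbot-plugin-gandi. The function name is hypothetical and the sample lines are constructed in the log format shown above; a hit only shows that the API rejected the write, for which a linked zone is one cause according to the thread.

```python
import re
from collections import defaultdict

# urllib3 DEBUG line as written to certbot's log (format as shown in the thread).
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+):DEBUG:urllib3\.connectionpool:https://(?P<host>[^:]+):443 '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.1" (?P<status>\d{3}) ')
# Only requests that touch an ACME challenge TXT record are of interest.
RECORD_RE = re.compile(
    r'/domains/(?P<zone>[^/]+)/records/(?P<name>_acme-challenge[^/]*)/TXT$')

# Constructed sample input, in the format of the log lines quoted in the thread.
SAMPLE_LOG = """\
2022-07-25 13:03:34,706:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/example.com HTTP/1.1" 200 270
2022-07-25 13:03:34,934:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/example.com/records/_acme-challenge.subdomain/TXT HTTP/1.1" 200 200
2022-07-25 13:03:35,391:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "PUT /v5/livedns/domains/example.com/records/_acme-challenge.subdomain/TXT HTTP/1.1" 400 151
2022-07-25 13:03:35,392:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: <No reason given>
"""

def find_rejected_challenge_writes(log_text):
    """Return one finding per challenge record that was readable (GET 2xx)
    but whose write (PUT/POST/DELETE) was answered with a 4xx status."""
    seen = defaultdict(dict)  # (zone, record) -> {method: (status, timestamp)}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        rec = RECORD_RE.search(m["path"]) if m else None
        if rec:
            key = (rec["zone"], rec["name"])
            seen[key][m["method"]] = (int(m["status"]), m["ts"])
    findings = []
    for (zone, name), calls in seen.items():
        read_ok = 200 <= calls.get("GET", (0, ""))[0] < 300
        for method in ("PUT", "POST", "DELETE"):
            status, ts = calls.get(method, (0, ""))
            if read_ok and 400 <= status < 500:
                findings.append({"zone": zone, "record": name,
                                 "method": method, "status": status, "time": ts})
    return findings

if __name__ == "__main__":
    for f in find_rejected_challenge_writes(SAMPLE_LOG):
        print("{time}: {method} on {record} in zone {zone} rejected with "
              "{status} although GET succeeded".format(**f))
```
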