Summary
Error messages could be more detailed in order to help system administrators quickly resolve issues.
See also this short documentation I wrote about this subject: https://github.com/Leading-Works-SaRL/certbot-plugin-gandi/wiki/Troubleshooting
Reproducible steps
- Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
- Go to the Gandi.net platform, regenerate/rotate the Gandi API Key;
- Do not update the configuration on the server that uses certbot;
- Attempt to renew the certificate(s) with:
certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
- The following error message shows up (possibly by email too, if you have it configured accordingly):
Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io";
- Inspection of the logs under /var/log/letsencrypt/letsencrypt.log shows that it is really about authentication; see HTTP status code 401:
2022-01-03 20:59:39,583:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:39,820:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/x.y.io HTTP/1.1" 401 264
2022-01-03 20:59:39,847:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,085:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.io HTTP/1.1" 401 264
2022-01-03 20:59:40,111:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,361:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,377:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "x.y.io"
2022-01-03 20:59:40,392:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,630:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.z HTTP/1.1" 401 264
2022-01-03 20:59:40,655:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,896:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,911:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "y.io"
2022-01-03 20:59:40,915:ERROR:certbot._internal.renewal:Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io"
SHOULD Behaviour
- Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
- Go to the Gandi.net platform, regenerate/rotate the Gandi API Key;
- Do not update the configuration on the server that uses certbot;
- Attempt to renew the certificate(s) with:
certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
- The following error message shows up (possibly by email too, if you have it configured accordingly):
Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: 401 Unauthorized (bad api key?);
- Further inspection of the logs shows the error message from the Gandi.net API (the format can be modified, not necessarily in JSON format):
{"object": "HTTPUnauthorized", "cause": "Unauthorized", "code": 401, "message": "The server could not verify that you authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad api key), or your access token has expired"}
Furthermore, the Wiki page of the plugin may also document common errors and remediations in a Troubleshooting page.
The Wiki page may be replaced by a TROUBLESHOOTING.md or COMMON_ERRORS.md file committed with the code.
Thank you for the plugin and your time.
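
The behaviour requested above, sketched as an added example that is not part of the original report and not the plugin's own code: a base-domain walk that stops on the first 401/403 and reports it, instead of trying parent zones and ending with "Unable to get base domain". The `fetch` hook, the exception names and the sample responses are assumptions constructed for illustration.

```python
import json

class GandiAuthError(Exception):
    """Credentials rejected by the API (HTTP 401 or 403)."""

class BaseDomainNotFound(Exception):
    """Every candidate zone answered 404."""

def candidate_zones(name):
    # "x.y.io" -> ["x.y.io", "y.io", "io"], the lookup order visible in the log
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def api_error_text(body):
    # Pull "cause" and "message" out of a JSON error body; fall back to raw text.
    try:
        doc = json.loads(body)
        return doc.get("cause", ""), doc.get("message", "")
    except (TypeError, ValueError, AttributeError):
        return "", str(body)[:200]

def find_base_domain(name, fetch):
    """fetch(zone) -> (status, body) is a hypothetical transport hook."""
    for zone in candidate_zones(name):
        status, body = fetch(zone)
        if status == 200:
            return zone
        cause, message = api_error_text(body)
        if status in (401, 403):
            # Parent zones cannot succeed with the same key, so stop here.
            # Only the status and server text are reported, never the key.
            raise GandiAuthError(f"{status} {cause} (bad api key?): {message}")
        if status != 404:
            raise RuntimeError(f"HTTP {status} looking up {zone}: {message}")
    raise BaseDomainNotFound(f'Unable to get base domain for "{name}"')

# Constructed responses, modelled on the 401 body quoted in the report.
BODY_401 = json.dumps({"object": "HTTPUnauthorized", "cause": "Unauthorized",
                       "code": 401, "message": "bad api key or expired token"})
CALLS = []

def fetch_rotated_key(zone):
    CALLS.append(zone)
    return 401, BODY_401

def fetch_valid_key(zone):
    return (200, "{}") if zone == "y.io" else (404, "{}")

if __name__ == "__main__":
    print(find_base_domain("x.y.io", fetch_valid_key))
```

With the rotated-key stub, the walk makes one request and raises `GandiAuthError`, so the renewal error and any alert email name the credential problem directly.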