NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

GoDaddy DNS challenge does not work #1146

Open atsage opened 3 years ago

atsage commented 3 years ago

I tried setting the Propagation Seconds the whole way up to 90 seconds and it still fails with the following error:

Error: Command failed: /opt/certbot/bin/certbot certonly --non-interactive --cert-name "npm-11" --agree-tos --email "email" --domains "domain" --authenticator dns-godaddy --dns-godaddy-credentials "/etc/letsencrypt/credentials/credentials-11" --dns-godaddy-propagation-seconds 90
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-godaddy, Installer None
Performing the following challenges:
dns-01 challenge for domain
Waiting 90 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain domain
dns-01 challenge for domain
Cleaning up challenges
Some challenges have failed.

    at ChildProcess.exithandler (node:child_process:326:12)
    at ChildProcess.emit (node:events:369:20)
    at maybeClose (node:internal/child_process:1067:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)

I can see that the API was logged in to in my security settings but it doesn't appear that any DNS values are updated.

Related to this: would be nice to get a --test-cert option for testing purposes. I got rate limited at one point.

chaptergy commented 3 years ago

Could you check if inside your container the file /var/log/letsencrypt/letsencrypt.log provides any more information after you try to perform the challenge?

atsage commented 3 years ago

Doesn't seem to provide anything useful other than it's interesting it says "No renewals were attempted"

2021-06-02 17:35:34,192:DEBUG:certbot._internal.main:certbot version: 1.15.0
2021-06-02 17:35:34,192:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2021-06-02 17:35:34,193:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--quiet', '--config', '/etc/letsencrypt.ini', '--preferred-challenges', 'dns,http', '--disable-hook-validation']
2021-06-02 17:35:34,193:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-dns-godaddy:dns-godaddy,PluginEntryPoint#dns-godaddy,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-06-02 17:35:34,240:DEBUG:certbot._internal.log:Root logging level set at 30
2021-06-02 17:35:34,241:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-06-02 17:35:34,244:DEBUG:certbot.display.util:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-06-02 17:35:34,244:DEBUG:certbot.display.util:Notifying user: No renewals were attempted.
2021-06-02 17:35:34,245:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-06-02 17:35:34,245:DEBUG:certbot._internal.renewal:no renewal failures

I should add that I am able to renew with DNS challenges using acme.sh on another server.

apainter2 commented 3 years ago

What is the log output from the acme.sh on the other server?

But that being said, using acme.sh on another server is not using NPM, which unfortunately would not be a fully supportable solution. But, let's see if we can help out....

Also, you would have to find a way of transferring the resulting LE certificate, keys and chain from the other server to the correct NPM-xxxx directory within the npmData directory or docker volume.

atsage commented 3 years ago

There's not much in the output of acme, just says the cert has been renewed successfully. I just mention it because I know the API key/secret is valid and works with at least the acme script. I would like to use NPM to manage everything so if I can't get it working I'll probably just continue my manual setup with NGINX container/config files and acme.sh. NPM looks nice and I definitely would like to get it working. It looks like @miigotu created the plugin, maybe he can help?

miigotu commented 3 years ago

The format of the credentials file for the plugin and acme.sh is different. I'm not at my PC, but check the readme for the plugin. Also, propagation might need to be much higher, even up to 3600.
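An added example, not part of the original thread and not code from NPM or the plugin: a pre-flight check that flags an acme.sh-style credentials file handed to certbot, and file permissions that expose the API secret. The key names `dns_godaddy_key`/`dns_godaddy_secret` (plugin README) and `GD_Key`/`GD_Secret` (acme.sh) are assumptions not stated on this page; `check_credentials` and `write_sample` are hypothetical helper names.

```python
import os
import tempfile

# Assumed key names: certbot-dns-godaddy INI keys and acme.sh GoDaddy variables.
PLUGIN_KEYS = {"dns_godaddy_key", "dns_godaddy_secret"}
ACME_SH_KEYS = {"GD_Key", "GD_Secret"}


def check_credentials(path):
    """Return a list of findings for a certbot DNS credentials file ([] = OK)."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        findings.append(f"mode {mode:04o} exposes the API secret to group/other; use 0600")
    seen = set()
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            line = line.removeprefix("export ")  # acme.sh account.conf style
            name, sep, value = line.partition("=")
            name, value = name.strip(), value.strip()
            if not sep:
                findings.append(f"not a key = value line: {name!r}")
                continue
            seen.add(name)
            if name in PLUGIN_KEYS and not value.strip("'\""):
                findings.append(f"{name} is empty")
    for name in sorted(seen & ACME_SH_KEYS):
        findings.append(f"{name} is an acme.sh variable, not a plugin key")
    for name in sorted(PLUGIN_KEYS - seen):
        findings.append(f"missing {name}")
    return findings


def write_sample(text, mode):
    """Write constructed sample content to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed sample; the values are placeholders, not real credentials.
    acme_style = write_sample("export GD_Key='EXAMPLE'\nexport GD_Secret='EXAMPLE'\n", 0o644)
    print("\n".join(check_credentials(acme_style)))
```

Run it inside the container against the file passed to `--dns-godaddy-credentials`; an empty result only means the file is well-formed, not that the key is authorized for the domain.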

atsage commented 3 years ago

The problem with going over 90 seconds is the connection gets terminated and fails anyway. I don't have any issues with default on acme.sh which is around 20 seconds so 90 should be more than enough. Are you able to renew from the NPM interface using your plugin?

miigotu commented 3 years ago

We aren't using node, we are using pure python.

chaptergy commented 3 years ago

> We aren't using node, we are using pure python.

NPM = NginxProxyManager in this case, not Node Package Manager.

miigotu commented 3 years ago

> > We aren't using node, we are using pure python.

> NPM = NginxProxyManager in this case, not Node Package Manager.

My bad lol, I have so many things going on at once.

miigotu commented 3 years ago

> The problem with going over 90 seconds is the connection gets terminated and fails anyway. I don't have any issues with default on acme.sh which is around 20 seconds so 90 should be more than enough. Are you able to renew from the NPM interface using your plugin?

I haven't tried my plugin with npm, because when I created the plugin npm obviously did not have support for it. It was only tested via certbot. I was waiting for a new hassio_addons docker image with support for it to test it out.

atsage commented 3 years ago

> > The problem with going over 90 seconds is the connection gets terminated and fails anyway. I don't have any issues with default on acme.sh which is around 20 seconds so 90 should be more than enough. Are you able to renew from the NPM interface using your plugin?

> I haven't tried my plugin with npm, because when I created the plugin npm obviously did not have support for it. It was only tested via certbot. I was waiting for a new hassio_addons docker image with support for it to test it out.

Docker image is up and ready now. That is how I installed.

miigotu commented 3 years ago

> > > The problem with going over 90 seconds is the connection gets terminated and fails anyway. I don't have any issues with default on acme.sh which is around 20 seconds so 90 should be more than enough. Are you able to renew from the NPM interface using your plugin?

> > I haven't tried my plugin with npm, because when I created the plugin npm obviously did not have support for it. It was only tested via certbot. I was waiting for a new hassio_addons docker image with support for it to test it out.

> Docker image is up and ready now. That is how I installed.

Not for hassio, since April 30th https://github.com/hassio-addons/addon-nginx-proxy-manager/tree/v0.11.0

atsage commented 3 years ago

> > > > The problem with going over 90 seconds is the connection gets terminated and fails anyway. I don't have any issues with default on acme.sh which is around 20 seconds so 90 should be more than enough. Are you able to renew from the NPM interface using your plugin?

> > > I haven't tried my plugin with npm, because when I created the plugin npm obviously did not have support for it. It was only tested via certbot. I was waiting for a new hassio_addons docker image with support for it to test it out.

> > Docker image is up and ready now. That is how I installed.

> Not for hassio, since April 30th https://github.com/hassio-addons/addon-nginx-proxy-manager/tree/v0.11.0

Oh, I thought you meant this repository. Looks like that is managed by someone else. Might have to raise an issue over there for them to update.

chaptergy commented 3 years ago

Maybe related to https://github.com/jc21/nginx-proxy-manager/issues/1119?

atsage commented 3 years ago

> Maybe related to #1119?

I'm not getting that error specifically. The log just says "Some challenges have failed" and "No renewals were attempted" with no explanation as to what or why.

chaptergy commented 3 years ago

That could be because you encountered it during a renewal, and the linked issue is about creating a certificate. You can go ahead and execute pip install certbot --upgrade inside the container, and then see if that resolved your issue.

atsage commented 3 years ago

I'm trying to create new certificate though, so maybe that is the issue.

chaptergy commented 3 years ago

Ah, I misinterpreted the one log line about no renewals needed, sorry. Have you tried updating certbot as I mentioned above anyways? And have you tried increasing the propagation seconds, to see if that works? (If you set the propagation seconds very high, the http connection might time out before the wait is over)

atsage commented 3 years ago

I had to go back to my previous setup for now and it may be a couple days until I can get a test server set up for this but I'll let you know. As for propagation, acme uses 20 seconds and that's never failed me. GoDaddy is pretty quick with propagation. I did try with up to 90 seconds but as you said any more than that and connections start to get terminated.

miigotu commented 3 years ago

There is a PR open on the plugin, I'll try and get to check it out soon and see if it helps.

github-actions[bot] commented 4 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: