NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Internal Error with netcup and DNS Challenge #1706

Open TWART016 opened 2 years ago

TWART016 commented 2 years ago

Describe the bug

I want to access my internal password management (vaultwarden) with NPM. Therefore I created in Netcup an A-Record with Destination my internal IP 192.168.178.15. Also I added a TXT entry with Destination: pw-local.MYDOMAIN.

In NPM I created a proxy host and forward to my password management. In SSL I want to create a certificate with Use a DNS Challenge. I selected netcup as the provider and set dns_netcup_customer_id, dns_netcup_api_key and dns_netcup_api_password. After saving I get an Internal Error message.

In Docker Logs I see

[12/30/2021] [4:20:50 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-47" --agree-tos --email "MY-EMAIL" --domains "pw-local.MYDOMAIN" --authenticator dns-netcup --dns-netcup-credentials "/etc/letsencrypt/credentials/credentials-47"

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Inside letsencrypt.log: "Incorrect TXT record \"pw-local.mydomain.de\" found at _acme-challenge.pw-local.mydomain.de",

Nginx Proxy Manager Version

2.9.13

Operating System

Ubuntu 18.04.4 LTS (Bionic Beaver) with Docker

Edit: If I add the domain to another proxy host in NGINX, the website can be opened, but of course with a certificate error. Without a certificate it is not possible to access the website.

chaptergy commented 2 years ago

What do the certbot logs say? (see https://github.com/jc21/nginx-proxy-manager/issues/1271#user-content-certificate-error)

TWART016 commented 2 years ago

Do you mean the log from /var/log/letsencrypt/letsencrypt.log ?

chaptergy commented 2 years ago

Yes.

TWART016 commented 2 years ago

Here is the log

2021-12-30 19:11:59,904:DEBUG:certbot._internal.main:certbot version: 1.22.0
2021-12-30 19:11:59,905:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2021-12-30 19:11:59,905:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-54', '--agree-tos', '--email', 'MY-EMAIL', '--domains', 'pw-local.MYDOMAIN', '--authenticator', 'dns-netcup', '--dns-netcup-credentials', '/etc/letsencrypt/credentials/credentials-54']
2021-12-30 19:11:59,907:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-dns-netcup:dns-netcup,PluginEntryPoint#dns-netcup,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-30 19:11:59,944:DEBUG:certbot._internal.log:Root logging level set at 30
2021-12-30 19:11:59,946:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-netcup and installer None
2021-12-30 19:11:59,953:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-netcup
Description: Obtain certificates using a DNS TXT record (if you are using netcup for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-netcup = certbot_dns_netcup:Authenticator
Initialized: <certbot_dns_netcup.Authenticator object at 0x7faa6b035048>
Prep: True
2021-12-30 19:11:59,954:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_netcup.Authenticator object at 0x7faa6b035048> and installer None
2021-12-30 19:11:59,954:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-netcup, Installer None
2021-12-30 19:11:59,974:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/123184766', new_authzr_uri=None, terms_of_service=None), 76b38ddd92b11008964617588dcc1dde, Meta(creation_dt=datetime.datetime(2021, 5, 11, 23, 40, 9, tzinfo=<UTC>), creation_host='eb50e0a13986', register_to_eff=None))>
2021-12-30 19:11:59,975:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-12-30 19:11:59,979:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-12-30 19:12:00,480:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-12-30 19:12:00,481:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 30 Dec 2021 18:12:00 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "g3sn83eQ5X0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-12-30 19:12:00,482:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for pw-local.MYDOMAIN
2021-12-30 19:12:00,543:DEBUG:certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/1984_key-certbot.pem
2021-12-30 19:12:00,602:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/1984_csr-certbot.pem
2021-12-30 19:12:00,604:DEBUG:acme.client:Requesting fresh nonce
2021-12-30 19:12:00,604:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-12-30 19:12:00,754:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-12-30 19:12:00,755:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 30 Dec 2021 18:12:00 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001Ht8h3JrE16E4RqdHfYvZyyUrZRa9A1j0p6JfDPqi464
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2021-12-30 19:12:00,755:DEBUG:acme.client:Storing nonce: 0001Ht8h3JrE16E4RqdHfYvZyyUrZRa9A1j0p6JfDPqi464
2021-12-30 19:12:00,755:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "pw-local.MYDOMAIN"\n    }\n  ]\n}'
2021-12-30 19:12:00,758:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzMTg0NzY2IiwgIm5vbmNlIjogIjAwMDFIdDhoM0pyRTE2RTRScWRIZll2Wnl5VXJaUmE5QTFqMHA2SmZEUHFpNDY0IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "K2gfmAqUuq25cIMqmmUs15HiuuViJDt8zZ3079hSfDRFpPKTWQ-AKoRbCD8qOsJeA6VARfW4pH1YCaqUMBuiYY6AEWuCdVRUUL7gqxLQPS339kv_-DdTWGfoB_W6NM5evdusInT9kOSdYxN6j2xDMybCyrT1xvX-LIxZHGXSp93i_rIoCXNuZWrHe5n_N9ByFa47L-K-GgdVENtc9yaKis7m7YhGLMoTQqOVQnICD_r2bLh_ScCk6-h0gvZO3XALvyU8uT-MgazLBLHW3Ufea6LHfl1PLZzrOLcGckHKy7NxVg0uwWaExv-o46URjYmWtOQRAoSmzhNoprkx3N2EFw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInB3LWxvY2FsLnR3aG9tZS5kZSIKICAgIH0KICBdCn0"
}
2021-12-30 19:12:00,937:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 341
2021-12-30 19:12:00,938:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 30 Dec 2021 18:12:00 GMT
Content-Type: application/json
Content-Length: 341
Connection: keep-alive
Boulder-Requester: 123184766
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/123184766/51365826560
Replay-Nonce: 0001kC4klKwPnSpGxE5ADgF0mwX88ezFoYSifxnK18xckyA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-01-06T18:12:00Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "pw-local.MYDOMAIN"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/63454505270"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/123184766/51365826560"
}
2021-12-30 19:12:00,938:DEBUG:acme.client:Storing nonce: 0001kC4klKwPnSpGxE5ADgF0mwX88ezFoYSifxnK18xckyA
2021-12-30 19:12:00,939:DEBUG:acme.client:JWS payload:
b''
2021-12-30 19:12:00,941:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/63454505270:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzMTg0NzY2IiwgIm5vbmNlIjogIjAwMDFrQzRrbEt3UG5TcEd4RTVBRGdGMG13WDg4ZXpGb1lTaWZ4bksxOHhja3lBIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MzQ1NDUwNTI3MCJ9",
  "signature": "IG52_OrewDE_vgi5V36TqttJz55NJIjfeTfINNM00iYQGGWnIklhiIp29rPjUGGbau2a3Orcq9-0SlsyTFXkTa7VXdlxBsRflLXgcUS0ot9RKg3xPoINm4uZzVsV1Egl2RWORYHZIIx_5Ho-9P1kuveoJXt5CgEaT_tNlYcmHYHSiyL91njiwCGpjGeGKGvbZXU09rfpDIDVYtrZFYKLjvbjovAdvuQR2CE72qRPJk6suK4PLMxKZVfubon-XNYSGjY1aP9bsJb1cLTgWpVW8h4tF1dexF8mGRe1E4UDhQKECP-vga63ZOc5GFGijdkqRQi8ss9useCVEGWaUbxEkw",
  "payload": ""
}
2021-12-30 19:12:01,095:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/63454505270 HTTP/1.1" 200 799
2021-12-30 19:12:01,096:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 30 Dec 2021 18:12:01 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 123184766
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001dlK6kFYCSIfS-CZSp6k-JeqmzF7LXQouCrBwSD27SuM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "pw-local.MYDOMAIN"
  },
  "status": "pending",
  "expires": "2022-01-06T18:12:00Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/IJpq3A",
      "token": "PnQ-9yfbSFqqlB7l554FX6c42_Gp6-kwVZRakCgd8gs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/OVgjzg",
      "token": "PnQ-9yfbSFqqlB7l554FX6c42_Gp6-kwVZRakCgd8gs"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/TeXa2Q",
      "token": "PnQ-9yfbSFqqlB7l554FX6c42_Gp6-kwVZRakCgd8gs"
    }
  ]
}
2021-12-30 19:12:01,096:DEBUG:acme.client:Storing nonce: 0001dlK6kFYCSIfS-CZSp6k-JeqmzF7LXQouCrBwSD27SuM
2021-12-30 19:12:01,097:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-12-30 19:12:01,098:INFO:certbot._internal.auth_handler:dns-01 challenge for pw-local.MYDOMAIN
2021-12-30 19:12:01,100:DEBUG:lexicon.providers.netcup:login({})
2021-12-30 19:12:01,103:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,215:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 228
2021-12-30 19:12:01,219:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'pw-local.MYDOMAIN'})
2021-12-30 19:12:01,222:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,328:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 188
2021-12-30 19:12:01,331:DEBUG:lexicon.providers.netcup:login({})
2021-12-30 19:12:01,333:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,455:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 228
2021-12-30 19:12:01,458:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'MYDOMAIN'})
2021-12-30 19:12:01,462:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,619:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 231
2021-12-30 19:12:01,621:DEBUG:lexicon.providers.netcup:infoDnsRecords({'domainname': 'MYDOMAIN'})
2021-12-30 19:12:01,626:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,775:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 556
2021-12-30 19:12:01,778:DEBUG:lexicon.providers.netcup:list_records: []
2021-12-30 19:12:01,778:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'MYDOMAIN', 'dnsrecordset': {'dnsrecords': [{'type': 'TXT', 'hostname': '_acme-challenge.pw-local', 'destination': '2NBiB4cFU1DhLuTbcruAEusKe0rQiUxSHbrA5FmA2no'}]}})
2021-12-30 19:12:01,781:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,963:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 630
2021-12-30 19:12:01,967:DEBUG:lexicon.providers.netcup:create_record: True
2021-12-30 19:12:01,968:DEBUG:certbot._internal.display.obj:Notifying user: Waiting 10 seconds for DNS changes to propagate
2021-12-30 19:12:11,975:DEBUG:acme.client:JWS payload:
b'{}'
2021-12-30 19:12:11,978:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/OVgjzg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzMTg0NzY2IiwgIm5vbmNlIjogIjAwMDFkbEs2a0ZZQ1NJZlMtQ1pTcDZrLUplcW16RjdMWFFvdUNyQndTRDI3U3VNIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My82MzQ1NDUwNTI3MC9PVmdqemcifQ",
  "signature": "SKOK8Q9OVA5QFJvF7MUcwLRQ2W8ROqvO4TNDj-dmMVMmTUQR9eVIyIbfsTnv0JnPkKYifxKoq0Uhj2zR1oyzzX9W1SJamZKm42JL-PzbIl74XZuuIh6lUr2Kfp59u0AlCG7SmzOgjfaX_v8JiTzo2JO3WAQds95VK6ubRB04Qc0NLFRazAqmZ8VZ0Rszb1-fnCMPjWeh75FdVlB4J94zltGBHy2AyJeNr9ejNRJ7iSQu-7ezpq3ksZH2SyDLtxr-pgK-jIg-058PsEVY_rAPb2FXcfPS7jIB83OV3nKjHc8J69Y1IacTprFjZ05JoKEPGEUyQ46YSC5oflGIqu_6eg",
  "payload": "e30"
}
2021-12-30 19:12:12,140:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/63454505270/OVgjzg HTTP/1.1" 200 185
2021-12-30 19:12:12,141:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 30 Dec 2021 18:12:12 GMT
Content-Type: application/json
Content-Length: 185
Connection: keep-alive
Boulder-Requester: 123184766
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/63454505270>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/OVgjzg
Replay-Nonce: 00015aiLQ3YBDwgPmuKYvwxLBcvPd7RMVOcfvxzbZZZELd0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/OVgjzg",
  "token": "PnQ-9yfbSFqqlB7l554FX6c42_Gp6-kwVZRakCgd8gs"
}
2021-12-30 19:12:12,141:DEBUG:acme.client:Storing nonce: 00015aiLQ3YBDwgPmuKYvwxLBcvPd7RMVOcfvxzbZZZELd0
2021-12-30 19:12:12,142:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-12-30 19:12:13,143:DEBUG:acme.client:JWS payload:
b''
2021-12-30 19:12:13,145:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/63454505270:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzMTg0NzY2IiwgIm5vbmNlIjogIjAwMDE1YWlMUTNZQkR3Z1BtdUtZdnd4TEJjdlBkN1JNVk9jZnZ4emJaWlpFTGQwIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MzQ1NDUwNTI3MCJ9",
  "signature": "Vzw4RH_ozwN-mYCh30yD41Gi2DlevWIrPUw6hSFMaJ10wtJkcapJSwiESV6llZx7BSXi-OEEjEcEB9p1jI3Xq2IqauL73fQd-ikFb_zmjVlivB1ctXWYLhDG3uqRQFRY9uah59WbGCvqmKkye_BbVx0MSYq6byulPearhtQqfv4bliw22MCYsckCGY2XOq0erOMmDIviFGCm7-uZml58Av2AmvFKwyZAlzMUx1rUfAQZ_A87VhpCllD5MpAooJ32Rz5CCYwYEEcPu4D_-LFemtZsTrnadNAP85U5WMnHuEVctCE69cKMwXE9UB8bTTdwv05HDFzFfnY_Tp7Vyk-aoQ",
  "payload": ""
}
2021-12-30 19:12:13,299:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/63454505270 HTTP/1.1" 200 630
2021-12-30 19:12:13,300:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 30 Dec 2021 18:12:13 GMT
Content-Type: application/json
Content-Length: 630
Connection: keep-alive
Boulder-Requester: 123184766
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002mzyGvUaEzF2zq8T9kNtnXjSAg5p7N5kKhweHg-WKETI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "pw-local.MYDOMAIN"
  },
  "status": "invalid",
  "expires": "2022-01-06T18:12:00Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"pw-local.MYDOMAIN\" found at _acme-challenge.pw-local.MYDOMAIN",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/OVgjzg",
      "token": "PnQ-9yfbSFqqlB7l554FX6c42_Gp6-kwVZRakCgd8gs",
      "validated": "2021-12-30T18:12:12Z"
    }
  ]
}
2021-12-30 19:12:13,300:DEBUG:acme.client:Storing nonce: 0002mzyGvUaEzF2zq8T9kNtnXjSAg5p7N5kKhweHg-WKETI
2021-12-30 19:12:13,300:INFO:certbot._internal.auth_handler:Challenge failed for domain pw-local.MYDOMAIN
2021-12-30 19:12:13,301:INFO:certbot._internal.auth_handler:dns-01 challenge for pw-local.MYDOMAIN
2021-12-30 19:12:13,301:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: dns-netcup). The Certificate Authority reported these problems:
  Domain: pw-local.MYDOMAIN
  Type:   unauthorized
  Detail: Incorrect TXT record "pw-local.MYDOMAIN" found at _acme-challenge.pw-local.MYDOMAIN

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-netcup. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-netcup-propagation-seconds (currently 10 seconds).

2021-12-30 19:12:13,303:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-12-30 19:12:13,303:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-12-30 19:12:13,303:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-12-30 19:12:13,304:DEBUG:lexicon.providers.netcup:login({})
2021-12-30 19:12:13,307:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:13,431:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 228
2021-12-30 19:12:13,434:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'pw-local.MYDOMAIN'})
2021-12-30 19:12:13,437:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:13,563:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 188
2021-12-30 19:12:13,565:DEBUG:lexicon.providers.netcup:login({})
2021-12-30 19:12:13,568:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:13,687:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 228
2021-12-30 19:12:13,690:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'MYDOMAIN'})
2021-12-30 19:12:13,693:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:13,855:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 231
2021-12-30 19:12:13,858:DEBUG:lexicon.providers.netcup:infoDnsRecords({'domainname': 'MYDOMAIN'})
2021-12-30 19:12:13,861:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:14,018:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 609
2021-12-30 19:12:14,021:DEBUG:lexicon.providers.netcup:delete_records: ['46085145']
2021-12-30 19:12:14,022:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'MYDOMAIN', 'dnsrecordset': {'dnsrecords': [{'id': '46085145', 'hostname': '_acme-challenge.pw-local.MYDOMAIN', 'type': 'TXT', 'priority': '0', 'destination': '2NBiB4cFU1DhLuTbcruAEusKe0rQiUxSHbrA5FmA2no', 'deleterecord': True, 'state': 'unknown'}]}})
2021-12-30 19:12:14,025:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:14,201:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 574
2021-12-30 19:12:14,204:DEBUG:lexicon.providers.netcup:delete_record: True
2021-12-30 19:12:14,204:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1632, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1491, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 139, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 424, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 476, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-12-30 19:12:14,206:ERROR:certbot._internal.log:Some challenges have failed.

Is the destination in Netcup correct pw-local.MYDOMAIN? Do I need a token there?

chaptergy commented 2 years ago

Hm, it's weird that it is an incorrect TXT record and not just no record at all. Have you tried increasing the propagation seconds? By default they seem to be just 10 seconds which might not be enough.

TWART016 commented 2 years ago

I set propagation to 300 seconds but it runs into a timeout.

What should the TXT record look like?

sumadark commented 2 years ago

Hi everybody,

I have a similar issue, trying to get a new certificate for a subdomain. Here is the content of letsencrypt.log:

2022-01-13 09:57:12,250:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1632, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1472, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/plugins/selection.py", line 210, in choose_configurator_plugins
    req_auth, req_inst = cli_plugin_requests(config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/plugins/selection.py", line 305, in cli_plugin_requests
    req_auth = set_configurator(req_auth, "dns-cloudflare")
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/plugins/selection.py", line 276, in set_configurator
    raise errors.PluginSelectionError(msg.format(repr(previously), repr(now)))
certbot.errors.PluginSelectionError: Too many flags setting configurators/installers/authenticators 'webroot' -> 'dns-cloudflare'
2022-01-13 09:57:12,251:ERROR:certbot._internal.log:Too many flags setting configurators/installers/authenticators 'webroot' -> 'dns-cloudflare'

Here is my docker compose :

version: '2'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    environment:
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      DB_MYSQL_PASSWORD: "npm"
      DB_MYSQL_NAME: "npm"
      DNS_CLOUDFLARE_CREDENTIALS: "/cloudflare.ini"

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      - ./log:/var/log/letsencrypt
      - ./letsencrypt.ini:/etc/letsencrypt.ini:rw
      - ./cloudflare.ini:/cloudflare.ini:ro
  db:
    ports:
      - '3307:3306'
    image: 'mariadb'
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: 'npm'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: 'npm'
    volumes:
      - ./data/mysql:/var/lib/mysql

If someone has an idea about this issue, I would be very glad to read it. Thanks!

chaptergy commented 2 years ago

@sumadark Your problem has nothing to do with the problem discussed in this issue, you are not even using netcup as the domain provider. And I'm pretty sure your issue is due to your own custom letsencrypt.ini and maybe in conjunction with the cloudflare.ini, not sure what that is for. Though we cannot provide support for that.

sumadark commented 2 years ago

> @sumadark Your problem has nothing to do with the problem discussed in this issue, you are not even using netcup as the domain provider. And I'm pretty sure your issue is due to your own custom letsencrypt.ini and maybe in conjunction with the cloudflare.ini, not sure what that is for. Though we cannot provide support for that.

Thanks for your reply...

nickibyte commented 2 years ago

This might be a bit late, but for the sake of maybe closing the issue here is what I found when fixing a similar problem with the DNS challenge for the provider netcup:

> Also I added a TXT entry with Destination: pw-local.MYDOMAIN.

I believe the reason the DNS challenge failed with the "Incorrect TXT record" error is that @TWART016 manually created the _acme-challenge.pw-local.mydomain.de TXT record with the destination pw-local.MYDOMAIN. This record will be automatically created by certbot with a string it gets from Let's Encrypt as the destination and will be deleted after the DNS challenge has been completed. That is why the API key and password are needed, to create/delete this TXT record.

So to fix the issue with the DNS challenge:

  1. Delete the manually created _acme-challenge.pw-local.mydomain.de TXT record
  2. Redo the DNS challenge with the Propagation Seconds set to 480 (this number worked for me, the default was way too short and I got a "No TXT record" error)

After 8-10 minutes you should have your certificate.
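The diagnosis in the comment above can be read straight out of letsencrypt.log. The following is an added example, not code from Nginx Proxy Manager, certbot or any commenter: it compares the TXT value the DNS plugin published with the value the CA reports having seen. The log lines are copied (abridged) from this thread; the function names and cause labels are assumptions of the example.

```python
import ast
import re

# Log lines copied (abridged) from the certbot debug logs quoted in this thread.
INCORRECT_TXT_LOG = """\
2021-12-30 19:12:01,778:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'MYDOMAIN', 'dnsrecordset': {'dnsrecords': [{'type': 'TXT', 'hostname': '_acme-challenge.pw-local', 'destination': '2NBiB4cFU1DhLuTbcruAEusKe0rQiUxSHbrA5FmA2no'}]}})
  Domain: pw-local.MYDOMAIN
  Type:   unauthorized
  Detail: Incorrect TXT record "pw-local.MYDOMAIN" found at _acme-challenge.pw-local.MYDOMAIN
2021-12-30 19:12:14,022:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'MYDOMAIN', 'dnsrecordset': {'dnsrecords': [{'id': '46085145', 'hostname': '_acme-challenge.pw-local.MYDOMAIN', 'type': 'TXT', 'priority': '0', 'destination': '2NBiB4cFU1DhLuTbcruAEusKe0rQiUxSHbrA5FmA2no', 'deleterecord': True, 'state': 'unknown'}]}})
"""

SERVFAIL_LOG = """\
  Domain: home.<domain>.de
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.home.<domain>.de - the domain's nameservers may be malfunctioning
"""

# A dns-01 TXT value is base64url(SHA-256(key authorization)) without padding,
# which is always 43 characters (RFC 8555, section 8.4).
DIGEST_RE = re.compile(r"[A-Za-z0-9_-]{43}")
UPDATE_RE = re.compile(r"updateDnsRecords\((\{.*\})\)\s*$")
DETAIL_RE = re.compile(r"^\s*Detail:\s*(.+)$")
INCORRECT_RE = re.compile(r'Incorrect TXT record "(.+?)"(?: \(and \d+ more\))? found at (\S+)')
NO_RECORD_RE = re.compile(r"No TXT record found at (\S+)")
SERVFAIL_RE = re.compile(r"SERVFAIL looking up TXT for (\S+)")

# Remediation text follows what the thread itself says; labels are this example's own.
ADVICE = {
    "foreign-txt-record": "a TXT record certbot did not create sits at this name; delete it",
    "stale-challenge-value": "an older challenge value is still being served; remove it or wait longer",
    "no-txt-record": "record not visible yet; raise the propagation seconds",
    "nameserver-servfail": "the CA's resolver got SERVFAIL from the zone's nameservers",
}


def published_values(log_text):
    """Return the TXT values the DNS plugin asked the provider to create."""
    values = []
    for line in log_text.splitlines():
        m = UPDATE_RE.search(line)
        if not m:
            continue
        try:
            call = ast.literal_eval(m.group(1))  # the log prints a Python dict literal
        except (ValueError, SyntaxError):
            continue  # redacted or truncated line: skip rather than guess
        for rec in call.get("dnsrecordset", {}).get("dnsrecords", []):
            # Cleanup calls carry 'deleterecord': True and are not publications.
            if rec.get("type") == "TXT" and not rec.get("deleterecord"):
                values.append(rec.get("destination"))
    return values


def diagnose(log_text):
    """Classify each CA-reported 'Detail:' line against what was published."""
    published = set(published_values(log_text))
    findings = []
    for line in log_text.splitlines():
        m = DETAIL_RE.match(line)
        if not m:
            continue
        detail = m.group(1)
        inc = INCORRECT_RE.search(detail)
        if inc:
            seen, name = inc.groups()
            if seen in published:
                continue  # CA saw our value; the failure lies elsewhere
            # A value that is not even digest-shaped cannot come from an ACME client.
            cause = ("stale-challenge-value" if DIGEST_RE.fullmatch(seen)
                     else "foreign-txt-record")
            findings.append({"name": name, "cause": cause, "seen": seen})
            continue
        for regex, cause in ((NO_RECORD_RE, "no-txt-record"),
                             (SERVFAIL_RE, "nameserver-servfail")):
            hit = regex.search(detail)
            if hit:
                findings.append({"name": hit.group(1), "cause": cause, "seen": None})
                break
    return findings


if __name__ == "__main__":
    for log in (INCORRECT_TXT_LOG, SERVFAIL_LOG):
        for f in diagnose(log):
            print(f"{f['name']}: {f['cause']} -> {ADVICE[f['cause']]}")
```
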

LukasOchmann commented 1 year ago

I have a similar issue, and I tried to set the propagation to 480, but that runs into a timeout then ... Is there a way to increase the timeout? I can see that certbot is creating the __acme-challenge.<subdomain> as a TXT record in netcup.

LukasOchmann commented 1 year ago

The Content of the log-file /var/log/letsencrypt/letsencrypt.log:

Certbot failed to authenticate some domains (authenticator: dns-netcup). The Certificate Authority reported these problems:
  Domain: home.<domain>.de
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.home.<domain>.de - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-netcup. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-netcup-propagation-seconds (currently 480 seconds).

2023-03-26 15:06:27,010:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-03-26 15:06:27,010:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-03-26 15:06:27,010:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-03-26 15:06:27,014:DEBUG:lexicon.providers.netcup:login({})
2023-03-26 15:06:27,017:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,145:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 229
2023-03-26 15:06:27,149:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'home.<domain>.de'})
2023-03-26 15:06:27,153:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,277:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 187
2023-03-26 15:06:27,281:DEBUG:lexicon.providers.netcup:login({})
2023-03-26 15:06:27,285:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,413:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 229
2023-03-26 15:06:27,417:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': '<domain>.de'})
2023-03-26 15:06:27,421:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,562:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 241
2023-03-26 15:06:27,566:DEBUG:lexicon.providers.netcup:infoDnsRecords({'domainname': '<domain>.de'})
2023-03-26 15:06:27,570:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,700:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 458
2023-03-26 15:06:27,704:DEBUG:lexicon.providers.netcup:delete_records: ['69102461']
2023-03-26 15:06:27,704:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': '<domain>.de', 'dnsrecordset': {'dnsrecords': [{'id': '69102461', 'hostname': '_acme-challenge.home.<domain>.de', 'type': 'TXT', 'priority': '0', 'destination': '<TXT_RECORD-entry', 'deleterecord': True, 'state': 'yes'}]}})
2023-03-26 15:06:27,708:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,872:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 411
2023-03-26 15:06:27,876:DEBUG:lexicon.providers.netcup:delete_record: True
2023-03-26 15:06:27,877:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-03-26 15:06:27,880:ERROR:certbot._internal.log:Some challenges have failed.

bernhardkaindl commented 10 months ago

Same here. I opened https://github.com/coldfix/certbot-dns-netcup/issues/28 to let https://github.com/coldfix/certbot-dns-netcup pick a default time which should work. It needs to be above 600 as the zone reload time of Netcup is 10 Minutes, confirmed by many in Netcup's customer forum.

@LukasOchmann https://pypi.org/project/certbot-dns-netcup/ says at least 600 seconds is needed for Netcup (and likely even then may need some tries), and 900 seconds should really work.

On the Nginx-proxy-manager side, the Nginx-proxy-manager Web UI should be fixed to not time out after just a minute to allow for longer DNS Challenge propagation times:

Currently, it shows a red error bar long before that, but certbot thankfully continues to wait for 900 seconds and finishes its work.

While waiting, to check the status, you can open a shell in the container and run tail -f /tmp/letsencrypt-log/letsencrypt.log

After you see the successful certbot completion in the log, just reload the Nginx Proxy Manager web UI and you should see your proxy as Online.

https://github.com/coldfix/certbot-dns-netcup

See https://github.com/coldfix/certbot-dns-netcup/issues/28

Update: As confirmed in German forum discussions in forum.netcup.de, the observation of customers is that Netcup runs the actual DNS zone updates every 15 minutes, apparently on a cron-like schedule each hour, seemingly like starting at minute 00, 15, 30 and 45.
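
The timing argument in the comment above, worked through as an added example (not part of the original comment and not code from certbot-dns-netcup). It assumes the customer-observed schedule of zone reloads at minute 00, 15, 30 and 45, and that a TXT record becomes visible at the first reload after it is written; `publish_lag` is a hypothetical parameter for any extra delay after a reload.

```python
"""Model a fixed DNS-01 propagation wait against a periodic zone reload."""

# Assumption taken from the comment: reloads at minute 00, 15, 30 and 45.
RELOAD_PERIOD = 15 * 60


def visible_after(submit_s, period=RELOAD_PERIOD, publish_lag=0):
    """Seconds from writing the TXT record until the next reload publishes it.

    submit_s is the second within the hour at which the API write lands.
    A write that lands exactly on a reload second is treated as having
    missed that reload and waits a full period.
    publish_lag (hypothetical) is extra delay between the reload and the
    authoritative servers answering with the new record.
    """
    to_next_reload = period - (submit_s % period)
    return to_next_reload + publish_lag


def success_rate(wait_s, period=RELOAD_PERIOD, publish_lag=0):
    """Fraction of submit times in one hour for which a fixed wait suffices."""
    ok = sum(1 for s in range(3600)
             if visible_after(s, period, publish_lag) <= wait_s)
    return ok / 3600


def minimum_safe_wait(period=RELOAD_PERIOD, publish_lag=0):
    """Smallest fixed wait that succeeds for every possible submit time."""
    return max(visible_after(s, period, publish_lag) for s in range(3600))


def expected_attempts(wait_s, period=RELOAD_PERIOD, publish_lag=0):
    """Mean number of certbot runs needed if each run starts at a random time."""
    rate = success_rate(wait_s, period, publish_lag)
    return float("inf") if rate == 0 else 1 / rate


if __name__ == "__main__":
    for wait in (600, 900):  # the two values named in the comment
        print(f"wait={wait:4d}s  success={success_rate(wait):.0%}  "
              f"expected attempts={expected_attempts(wait):.2f}")
    print("minimum safe wait:", minimum_safe_wait(), "seconds")
```

Under these assumptions a 600-second wait only works when the record is written in the last ten minutes before a reload, which matches the "may need some tries" remark, while 900 seconds covers every submit time.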

github-actions[bot] commented 2 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: