NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Netcup DNS challenge fails #2201

Closed zinnchen closed 2 years ago

zinnchen commented 2 years ago

Describe the bug I try to create a Let's Encrypt certificate via DNS challenge on netcup. npm/certbot creates the TXT record for the domain successfully. BUT the problem is that the name of the TXT record which is created by npm is not the same as the one expected by certbot. Let's say I want to create a cert for test.mydomain.com, a TXT record with name '_acme-challenge.test' is created in the netcup DNS section of mydomain.com. The problem is that the acme client is looking for a TXT record with name '_acme-challenge.test.mydomain.com', which of course fails. Extract of letsencrypt log: "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.test.mydomain.com - check that a DNS record exists for this domain",

Nginx Proxy Manager Version v2.9.18

To Reproduce Steps to reproduce the behavior:

  1. Go to 'SSL -> Add SSL certificate -> Let's encrypt...'
  2. Enter domain
  3. Tick 'Use DNS Challenge'
  4. Select 'netcup' as DNS Provider
  5. Enter credentials
  6. Agree to TOS
  7. Click on 'Save'
  8. See error 'Internal Error'

Log Entries npm log

[8/16/2022] [11:52:24 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[8/16/2022] [11:52:24 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates via netcup for Cert #40: test.mydomain.com
[8/16/2022] [11:52:24 AM] [SSL      ] › ℹ  info      Command: mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo 'dns_netcup_customer_id=******
dns_netcup_api_key=******
dns_netcup_api_password=******' > '/etc/letsencrypt/credentials/credentials-40' && chmod 600 '/etc/letsencrypt/credentials/credentials-40' && pip install certbot-dns-netcup~=1.0.0  && certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-40" --agree-tos --email "user@mydomain.com" --domains "test.mydomain.com" --authenticator dns-netcup --dns-netcup-credentials "/etc/letsencrypt/credentials/credentials-40"
[8/16/2022] [11:52:39 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[8/16/2022] [11:52:39 AM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-40" --agree-tos --email "user@mydomain.com" --domains "test.mydomain.com" --authenticator dns-netcup --dns-netcup-credentials "/etc/letsencrypt/credentials/credentials-40"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

letsencrypt log

2022-08-16 11:52:25,570:DEBUG:certbot._internal.main:certbot version: 1.29.0
2022-08-16 11:52:25,570:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2022-08-16 11:52:25,570:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-40', '--agree-tos', '--email', 'user@mydomain.com', '--domains', 'test.mydomain.com', '--authenticator', 'dns-netcup', '--dns-netcup-credentials', '/etc/letsencrypt/credentials/credentials-40']
2022-08-16 11:52:25,570:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-dns-netcup:dns-netcup,PluginEntryPoint#dns-netcup,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-08-16 11:52:25,582:DEBUG:certbot._internal.log:Root logging level set at 30
2022-08-16 11:52:25,584:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-netcup and installer None
2022-08-16 11:52:25,588:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-netcup
Description: Obtain certificates using a DNS TXT record (if you are using netcup for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-netcup = certbot_dns_netcup:Authenticator
Initialized: <certbot_dns_netcup.Authenticator object at 0x14eb0b950e48>
Prep: True
2022-08-16 11:52:25,588:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_netcup.Authenticator object at 0x14eb0b950e48> and installer None
2022-08-16 11:52:25,588:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-netcup, Installer None
2022-08-16 11:52:25,632:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/431593990', new_authzr_uri=None, terms_of_service=None), a4604543ed6931ac2cb3d28b8ec1ab8e, Meta(creation_dt=datetime.datetime(2022, 3, 1, 13, 0, 57, tzinfo=<UTC>), creation_host='f191680a08e4', register_to_eff=None))>
2022-08-16 11:52:25,632:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-08-16 11:52:25,634:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-08-16 11:52:26,111:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-08-16 11:52:26,111:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 16 Aug 2022 09:52:26 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "ttZo2W64DnY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2022-08-16 11:52:26,112:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for test.mydomain.com
2022-08-16 11:52:26,121:DEBUG:certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0038_key-certbot.pem
2022-08-16 11:52:26,128:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0038_csr-certbot.pem
2022-08-16 11:52:26,129:DEBUG:acme.client:Requesting fresh nonce
2022-08-16 11:52:26,129:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-08-16 11:52:26,280:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-08-16 11:52:26,281:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 16 Aug 2022 09:52:26 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01016LcXvnsYiON8VsLk5kxW89n9alkBfqydUh5-vRjRvW0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2022-08-16 11:52:26,281:DEBUG:acme.client:Storing nonce: 01016LcXvnsYiON8VsLk5kxW89n9alkBfqydUh5-vRjRvW0
2022-08-16 11:52:26,281:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "test.mydomain.com"\n    }\n  ]\n}'
2022-08-16 11:52:26,283:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDMxNTkzOTkwIiwgIm5vbmNlIjogIjAxMDE2TGNYdm5zWWlPTjhWc0xrNWt4Vzg5bjlhbGtCZnF5ZFVoNS12UmpSdlcwIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "aVa3JRiYm0wbZLpKsfOLwzaviboMeoPxKcujkwLbSuPZcKlb2qeVuJkqeSEyeOpznodRK_iwo6qNaU-lyCv3MPjyL0x4VZnMzxZ_oke63dB_ZNKKmv5WHE_u9rHuYqbGcLRoYrsJcbZJxCsSQulebmJCn1x0ZtNUqtm9MzqFQFmSqCGqYDDjJ9z7R6iaThCWDiJTFfhwi8LtyQBEbW2biJe7LM1Ll3IZ-gg_O94uFSo4G-BOaTs2RexFmB1uXdL4joShJLs4V_kgcUsxm83FJfAIH_q8_5BoPPlp513sZUBU6MoJbtI-sC5CL9SJRPPgSX6wD4BbuvyPPDdotg-YkQ",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInRlc3QuanNnaC5kZSIKICAgIH0KICBdCn0"
}
2022-08-16 11:52:26,611:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 337
2022-08-16 11:52:26,611:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Tue, 16 Aug 2022 09:52:26 GMT
Content-Type: application/json
Content-Length: 337
Connection: keep-alive
Boulder-Requester: 431593990
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/431593990/############
Replay-Nonce: 01018B40Oi8kpngTmpFLllE6IHXEnCgNStw2VJLsFuPFp68
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-08-23T09:52:26Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "test.mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/************"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/431593990/############"
}
2022-08-16 11:52:26,611:DEBUG:acme.client:Storing nonce: 01018B40Oi8kpngTmpFLllE6IHXEnCgNStw2VJLsFuPFp68
2022-08-16 11:52:26,611:DEBUG:acme.client:JWS payload:
b''
2022-08-16 11:52:26,612:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/************:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDMxNTkzOTkwIiwgIm5vbmNlIjogIjAxMDE4QjQwT2k4a3BuZ1RtcEZMbGxFNklIWEVuQ2dOU3R3MlZKTHNGdVBGcDY4IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xNDI2NTU1MDgyOTcifQ",
  "signature": "UbLtB8STqR9YpzC1Sd7IfMKL1UDpk8iSA2CR45q447hWIsvPNkQCyimwVsuQUV6kCtwz9_GZZ1pVB-0yctpD17TSSICnbpF1YCsjEcWAEAOZOYSDU-lktDj4l7WhkkrW06TsgjUxo5tYrUnCC2N5sKoknD5QP9KsXRlDu41PA-acvjLhp7-dZgpo5dnlv_5Bn_4LAsb5jmgAjWn8dElwCxD4HIuTlhDGs0FNQEA9eNxkS2pTG044rCOvLOG32QITq-6vxrD-5RXG7aERBmJayiM1Nxr-xmUnLWQgyl7W5WtDxFHiIVCCPsMckwYTDz0mdmhKN7esXzW2dfADSVPrOA",
  "payload": ""
}
2022-08-16 11:52:26,779:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/************ HTTP/1.1" 200 796
2022-08-16 11:52:26,780:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 16 Aug 2022 09:52:26 GMT
Content-Type: application/json
Content-Length: 796
Connection: keep-alive
Boulder-Requester: 431593990
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102fiKTukzM0wtBKt9VlX-oyYEik5CW4qvVaWAxbQi0f1o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test.mydomain.com"
  },
  "status": "pending",
  "expires": "2022-08-23T09:52:26Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/************/fqw2dg",
      "token": "NYWkr0qcF3y7MRgW7DlnaK47lRoOxsNiMPJC6P_K9Yg"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/************/cPgvJg",
      "token": "NYWkr0qcF3y7MRgW7DlnaK47lRoOxsNiMPJC6P_K9Yg"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/************/Oa4uHg",
      "token": "NYWkr0qcF3y7MRgW7DlnaK47lRoOxsNiMPJC6P_K9Yg"
    }
  ]
}
2022-08-16 11:52:26,780:DEBUG:acme.client:Storing nonce: 0102fiKTukzM0wtBKt9VlX-oyYEik5CW4qvVaWAxbQi0f1o
2022-08-16 11:52:26,780:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-08-16 11:52:26,780:INFO:certbot._internal.auth_handler:dns-01 challenge for test.mydomain.com
2022-08-16 11:52:26,782:DEBUG:lexicon.providers.netcup:login({})
2022-08-16 11:52:26,783:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:26,887:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 225
2022-08-16 11:52:26,888:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'test.mydomain.com'})
2022-08-16 11:52:26,889:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:26,990:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 186
2022-08-16 11:52:26,991:DEBUG:lexicon.providers.netcup:login({})
2022-08-16 11:52:26,992:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:27,094:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 228
2022-08-16 11:52:27,096:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'mydomain.com'})
2022-08-16 11:52:27,097:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:27,259:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 240
2022-08-16 11:52:27,261:DEBUG:lexicon.providers.netcup:infoDnsRecords({'domainname': 'mydomain.com'})
2022-08-16 11:52:27,262:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:27,408:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 303
2022-08-16 11:52:27,410:DEBUG:lexicon.providers.netcup:list_records: []
2022-08-16 11:52:27,410:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'mydomain.com', 'dnsrecordset': {'dnsrecords': [{'type': 'TXT', 'hostname': '_acme-challenge.test', 'destination': 'i3p5Aq5H_XKShs_z8Hz0IEEOKzEJQt1dG3ewoILXzus'}]}})
2022-08-16 11:52:27,411:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:27,672:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 396
2022-08-16 11:52:27,673:DEBUG:lexicon.providers.netcup:create_record: True
2022-08-16 11:52:27,674:DEBUG:certbot._internal.display.obj:Notifying user: Waiting 10 seconds for DNS changes to propagate
2022-08-16 11:52:37,684:DEBUG:acme.client:JWS payload:
b'{}'
2022-08-16 11:52:37,685:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/************/cPgvJg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDMxNTkzOTkwIiwgIm5vbmNlIjogIjAxMDJmaUtUdWt6TTB3dEJLdDlWbFgtb3lZRWlrNUNXNHF2VmFXQXhiUWkwZjFvIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xNDI2NTU1MDgyOTcvY1BndkpnIn0",
  "signature": "XpLFmK0BLZGxniu5pSrKQdQ9AJUdh-ktaj2mbhCXPprJJxk2L3mGlfOMZf4L29y_83U-RN3UVVg_b0Krh5NR48QcVZAsd7Llz8s2YEzotZb9NeiKdbm5ZjRaSd9IabZVPRTdXcWtJvTX6FGZo6qnEjKE_bykScokxIH6ugkEpJEKxJBiiR_zfE01yuuMHpfV-R4jg3ymX5jZOvILAxrJOsaZDeyny4erhkC0SRsKdQLtPw8_xuAgpFQMu0uCKl9-39UhUXolyadvMvzvyy9NmZxujw11QD5_-dLsW9PHR3WVuJZ9X9a1BLjluX61cgmuTkWJvqBISx5Rmegi9B1j9A",
  "payload": "e30"
}
2022-08-16 11:52:37,890:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/************/cPgvJg HTTP/1.1" 200 186
2022-08-16 11:52:37,890:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 16 Aug 2022 09:52:37 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 431593990
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/************>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/************/cPgvJg
Replay-Nonce: 0102NhZqZSgLw3tCCyqPpl4O7T3BYsnqHnV2j7zbOpnay_g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/************/cPgvJg",
  "token": "NYWkr0qcF3y7MRgW7DlnaK47lRoOxsNiMPJC6P_K9Yg"
}
2022-08-16 11:52:37,890:DEBUG:acme.client:Storing nonce: 0102NhZqZSgLw3tCCyqPpl4O7T3BYsnqHnV2j7zbOpnay_g
2022-08-16 11:52:37,891:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-08-16 11:52:38,892:DEBUG:acme.client:JWS payload:
b''
2022-08-16 11:52:38,893:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/************:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDMxNTkzOTkwIiwgIm5vbmNlIjogIjAxMDJOaFpxWlNnTHczdENDeXFQcGw0TzdUM0JZc25xSG5WMmo3emJPcG5heV9nIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xNDI2NTU1MDgyOTcifQ",
  "signature": "CfDYfhu0OJ85eExY-OVqsXutCGbxtQRlgq_0HyF49vsmwk7oml82DpMKJHgpHV8Bg183cjafzRHmSBzDeqB0VrwMsj1YDivtnJiRF6XprqEzYFvOtCV8eEC4dPqKJtb78d4iklXbL9MshayDFHu3L8JCWo5lF1Npp9AKQatxZ8VC3vz4lhLWv8IxF1EMgraAH5Qi54LKTw3U-bPjoKKIw3h7s4kK-wHPXVx8pycgrwXN3lq9gxEa6iC7tPw3c-OabK80xspDhbLG7imWKfIwwkyjmvPS7wLt7pmrVP4hXCuDS0HzWPKUc8mbR41YYN5roEodlXkkbycn_8GM_IxgFg",
  "payload": ""
}
2022-08-16 11:52:39,074:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/************ HTTP/1.1" 200 647
2022-08-16 11:52:39,075:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 16 Aug 2022 09:52:38 GMT
Content-Type: application/json
Content-Length: 647
Connection: keep-alive
Boulder-Requester: 431593990
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101U2Fy6CUALWttSOKW-OIbnYbKQQU3XhhHCW97EJjdpV8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test.mydomain.com"
  },
  "status": "invalid",
  "expires": "2022-08-23T09:52:26Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.test.mydomain.com - check that a DNS record exists for this domain",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/************/cPgvJg",
      "token": "NYWkr0qcF3y7MRgW7DlnaK47lRoOxsNiMPJC6P_K9Yg",
      "validated": "2022-08-16T09:52:37Z"
    }
  ]
}
2022-08-16 11:52:39,075:DEBUG:acme.client:Storing nonce: 0101U2Fy6CUALWttSOKW-OIbnYbKQQU3XhhHCW97EJjdpV8
2022-08-16 11:52:39,075:INFO:certbot._internal.auth_handler:Challenge failed for domain test.mydomain.com
2022-08-16 11:52:39,075:INFO:certbot._internal.auth_handler:dns-01 challenge for test.mydomain.com
2022-08-16 11:52:39,075:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: dns-netcup). The Certificate Authority reported these problems:
  Domain: test.mydomain.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.test.mydomain.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-netcup. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-netcup-propagation-seconds (currently 10 seconds).

2022-08-16 11:52:39,076:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-08-16 11:52:39,076:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-08-16 11:52:39,076:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-08-16 11:52:39,076:DEBUG:lexicon.providers.netcup:login({})
2022-08-16 11:52:39,077:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:39,179:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 227
2022-08-16 11:52:39,180:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'test.mydomain.com'})
2022-08-16 11:52:39,181:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:39,281:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 189
2022-08-16 11:52:39,282:DEBUG:lexicon.providers.netcup:login({})
2022-08-16 11:52:39,283:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:39,402:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 229
2022-08-16 11:52:39,404:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'mydomain.com'})
2022-08-16 11:52:39,404:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:39,535:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 239
2022-08-16 11:52:39,536:DEBUG:lexicon.providers.netcup:infoDnsRecords({'domainname': 'mydomain.com'})
2022-08-16 11:52:39,537:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:39,686:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 376
2022-08-16 11:52:39,687:DEBUG:lexicon.providers.netcup:delete_records: ['57787050']
2022-08-16 11:52:39,687:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'mydomain.com', 'dnsrecordset': {'dnsrecords': [{'id': '57787050', 'hostname': '_acme-challenge.test.mydomain.com', 'type': 'TXT', 'priority': '0', 'destination': 'i3p5Aq5H_XKShs_z8Hz0IEEOKzEJQt1dG3ewoILXzus', 'deleterecord': True, 'state': 'unknown'}]}})
2022-08-16 11:52:39,688:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2022-08-16 11:52:39,866:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 322
2022-08-16 11:52:39,867:DEBUG:lexicon.providers.netcup:delete_record: True
2022-08-16 11:52:39,867:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1591, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 442, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-08-16 11:52:39,868:ERROR:certbot._internal.log:Some challenges have failed.

Expected behavior the certificate is created successfully

Screenshots none

Operating System unraid

Additional context none

the1ts commented 2 years ago

I don't think the DNS problem is that it's adding in the domain in one location (NPM) and not when in the DNS provider. When in the DNS provider, the .mydomain.com is added by default since that is the DNS zonefile you are in. I think since the start of your log and the end of your log is only 34 seconds, the DNS entry is not getting into the DNS servers in time for letsencrypt to find them before the timeout expires and it's abandoned. I suggest you add a value of 60 or 120 into the propagation seconds to allow netcup longer to get the DNS entry from the web API to the DNS server.

zinnchen commented 2 years ago

@the1ts thanks for the fast feedback. I already tried 120 (and much more) seconds in some tests before. In these cases I saw the TXT entry in the netcup webUI. But always the short term: _acme-challenge.test. I checked with 120s again, but without success (and same error).

the1ts commented 2 years ago

Taking a look at certbot-dns-netcup, there it's recommended to use 600+; seems netcup has a hugely slow DNS update process.

zinnchen commented 2 years ago

Wow, that (700s) worked. Thank you so much @the1ts. I couldn't imagine netcup is that slow.
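
The name check behind the discussion above, as an added example (not part of the thread and not code from certbot, lexicon or Nginx Proxy Manager): it parses certbot debug-log lines in the format quoted in the issue, expands each created record's zone-relative `hostname` against `domainname`, and compares the result with the name the CA reported as NXDOMAIN. The log sample is constructed, and `to_fqdn` and `analyze` are hypothetical helper names.

```python
import ast
import re

# Constructed sample in the format of the certbot debug log quoted in the issue;
# the TXT value is a placeholder, not a real validation token.
SAMPLE_LOG = """\
2022-08-16 11:52:27,410:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'mydomain.com', 'dnsrecordset': {'dnsrecords': [{'type': 'TXT', 'hostname': '_acme-challenge.test', 'destination': 'CONSTRUCTED-TXT-VALUE'}]}})
2022-08-16 11:52:27,674:DEBUG:certbot._internal.display.obj:Notifying user: Waiting 10 seconds for DNS changes to propagate
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.test.mydomain.com - check that a DNS record exists for this domain",
2022-08-16 11:52:39,687:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'mydomain.com', 'dnsrecordset': {'dnsrecords': [{'id': '0', 'hostname': '_acme-challenge.test.mydomain.com', 'type': 'TXT', 'destination': 'CONSTRUCTED-TXT-VALUE', 'deleterecord': True}]}})
"""

UPDATE_RE = re.compile(r"lexicon\.providers\.netcup:updateDnsRecords\((\{.*\})\)\s*$")
WAIT_RE = re.compile(r"Waiting (\d+) seconds for DNS changes to propagate")
LOOKUP_RE = re.compile(r"NXDOMAIN looking up TXT for (\S+)")


def to_fqdn(hostname, zone):
    """Expand a record name as stored in a zone to the absolute name a resolver queries."""
    host = hostname.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if host in ("", "@"):
        return zone  # zone apex
    if host == zone or host.endswith("." + zone):
        return host  # already absolute, as in the cleanup call
    return host + "." + zone


def analyze(log_text):
    """Compare TXT records the plugin created with the names the CA failed to resolve."""
    created, looked_up, wait = set(), set(), None
    for line in log_text.splitlines():
        m = UPDATE_RE.search(line)
        if m:
            try:
                call = ast.literal_eval(m.group(1))  # the logged argument is a Python dict repr
            except (ValueError, SyntaxError):
                continue  # truncated or redacted line
            for rec in call.get("dnsrecordset", {}).get("dnsrecords", []):
                # Skip the cleanup call, which deletes the record again.
                if rec.get("type") == "TXT" and not rec.get("deleterecord"):
                    created.add(to_fqdn(rec["hostname"], call["domainname"]))
            continue
        m = WAIT_RE.search(line)
        if m:
            wait = int(m.group(1))
        m = LOOKUP_RE.search(line)
        if m:
            looked_up.add(m.group(1).rstrip(".").lower())

    if not looked_up:
        verdict = "no_nxdomain_in_log"
    elif looked_up - created:
        verdict = "name_mismatch"  # the CA asked for a name the plugin never created
    else:
        verdict = "names_match_check_propagation"  # same name: the record was not yet served
    return {
        "created": sorted(created),
        "looked_up": sorted(looked_up),
        "wait_seconds": wait,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A `names_match_check_propagation` verdict next to a short `wait_seconds` points at the propagation delay rather than the record name, which is where the thread ended up.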