Closed xairam closed 3 weeks ago
Certbot version is 2.11.0. Plugin version: 0.1.1. Name: dns-lexicon, version: 3.17.0.
The delegated option is set due to this: https://github.com/certbot/certbot/commit/cf4f07d17e22924f7d7d3f41a09136df22981765
The only time you should be seeing a 403 error with the PDNS API is when the API key is wrong or missing. PDNS does not use the 403 error code in any other situation.
So my guess would be that the API key is either wrong or missing in your PDNS config.
Actually, if I manually do a request to the API with the same API key for dns.example.com, I get a 403 error, since the zone does not exist. On the other hand, the same request (same API key), just changing dns.example.com to example.com, works fine. I am using PowerDNS-Admin in the frontend, but it seems like this isn't the problem; it's more like this (and using *.example.com to get a wildcard certificate works flawlessly with the correct zone):
Do you know if I can set an option to reverse that or do I have to change it back in the source?
It seems the option can't be temporarily set back, so you'd have to mess around with the certbot code.
Also, I have to correct my earlier statement. I confused the 401 and 403 error codes. The PDNS API actually never sends a 403 error.
You mentioned PowerDNS-Admin. That could explain why you're getting 403 errors, because PowerDNS-Admin has a more elaborate permissions management built in that will send out 403 errors if you don't have permissions set up correctly.
You could test running this plugin directly against the PDNS API. If what I mentioned above is the issue I'm pretty sure it will fix it.
Well, I guess you're right. With a direct PDNS API hit it works. Sorry for the trouble and thanks for the help.
I think the problem is with the 403 error (can't give permission on a non-existing zone) from PowerDNS-Admin, and lexicon/certbot is trying to check if the zone exists for delegation. Well, I'll try to get it to work other than by giving the API key full admin rights.
Hello, I was just wondering why I cannot get a certificate for my subdomain. This is my command:
certbot --authenticator 'dns-pdns' --dns-pdns-credentials '/home/certbot/pdns-credentials.ini' certonly --debug-challenges -d dns.example.com
The corresponding error:
Error determining zone identifier for app.openvault.online: '403 Client Error: FORBIDDEN for url: http://pdns-server/api/v1/servers/localhost/zones/dns.example.com'.
and it's clearly not working since the zone is not delegated. In the API request it should be just example.com.
So I was looking through the certbot logs and found the error:
2024-07-14 12:45:32,749:DEBUG:root:Actual zone name resolved for domain app.example.com: example.com
2024-07-14 12:45:32,750:DEBUG:root:Override resolved zone name because --delegated option is set: app.example.com
I don't know why the delegated option is set; I am just using the default settings.
My workaround is using a wildcard certificate now; maybe someone can help me there.
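To make the zone-resolution behaviour discussed in this thread concrete, here is an added example (not code from certbot, certbot-dns-pdns, lexicon or PowerDNS-Admin). It walks a name up towards its parent, probing `GET /api/v1/servers/localhost/zones/<zone>` with an `X-API-Key` header at each step, and shows how the three status codes that came up in the thread should be told apart: a native PowerDNS API answering 404 for a zone it does not host (assumed), 401 for a bad or missing key, and 403 from a permission layer such as PowerDNS-Admin sitting in front of the API (per the thread). A `delegated` flag reproduces the log line above, where the name itself is taken as the zone and no lookup happens. The walk order (most specific name first, stopping before the bare TLD) and the offline fake API are assumptions of this example, not lexicon's exact algorithm.

```python
"""Resolve the PowerDNS zone holding a name by probing the PDNS HTTP API.

Added example; assumes GET {api_base}/api/v1/servers/localhost/zones/<zone> with an
X-API-Key header, a 404 for zones the server does not host, and a 403 from a
permission front end such as PowerDNS-Admin (as reported in the thread).
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterator, Tuple

# A fetcher does a GET and returns (status_code, body_text).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str]]


class ZoneLookupError(Exception):
    """The API refused or failed the request rather than saying 'zone absent' (404)."""


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real fetcher for a live PDNS API. The offline demo below does not use it."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def candidate_zones(domain: str) -> Iterator[str]:
    """Yield 'app.example.com', then 'example.com' for 'app.example.com' (no bare TLD)."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def resolve_zone(domain: str, api_base: str, api_key: str, fetch: Fetcher,
                 delegated: bool = False) -> str:
    """Return the hosted zone for `domain`, or raise ZoneLookupError."""
    if delegated:
        # Mirrors the '--delegated' override in the log: no walk, the name is the zone.
        return domain.rstrip(".")
    headers = {"X-API-Key": api_key, "Accept": "application/json"}
    for zone in candidate_zones(domain):
        url = f"{api_base}/api/v1/servers/localhost/zones/{zone}"
        status, body = fetch(url, headers)
        if 200 <= status < 300:
            return json.loads(body)["name"].rstrip(".")
        if status == 404:
            continue  # not hosted under this name, try the parent zone
        if status == 401:
            raise ZoneLookupError(f"401 from {url}: API key missing or wrong")
        if status == 403:
            raise ZoneLookupError(f"403 from {url}: refused by a permission layer "
                                  "(PowerDNS-Admin?) before the zone walk could continue")
        raise ZoneLookupError(f"unexpected HTTP {status} from {url}")
    raise ZoneLookupError(f"no hosted zone found for {domain}")


# Constructed offline stand-in for the API: only example.com is hosted.
HOSTED_ZONES = {"example.com"}


def make_fake_fetch(unknown_zone_status: int, valid_key: str = "secret") -> Fetcher:
    """Build a fake fetcher; `unknown_zone_status` is 404 (native PDNS) or 403 (PDNS-Admin)."""
    def fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if headers.get("X-API-Key") != valid_key:
            return 401, json.dumps({"error": "Unauthorized"})
        zone = url.rsplit("/zones/", 1)[1].rstrip(".")
        if zone in HOSTED_ZONES:
            return 200, json.dumps({"name": zone + ".", "kind": "Native"})
        return unknown_zone_status, json.dumps({"error": f"Not Found: {zone}"})
    return fetch


if __name__ == "__main__":
    base = "http://pdns-server"
    native = make_fake_fetch(unknown_zone_status=404)
    print("native API:", resolve_zone("app.example.com", base, "secret", native))
    admin = make_fake_fetch(unknown_zone_status=403)
    try:
        resolve_zone("app.example.com", base, "secret", admin)
    except ZoneLookupError as err:
        print("behind PowerDNS-Admin:", err)
    print("--delegated:", resolve_zone("app.example.com", base, "secret", native, delegated=True))
```

The point of the 403 branch is that a permission layer answers before the walk reaches the real parent zone, so a client that treats every non-2xx as "zone does not exist" never gets to example.com; the fix on the PowerDNS-Admin side is to grant the key access to the zone it actually needs, or to bypass the front end and point the plugin at the native API as the thread concluded.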