validation fails, maybe the check is to fast?

[Zjemm]

Hi, there

i'm trying your script, but it fails (see below)

the TXT record gets created but it fails to verify (nxdomain) if i leave out the clean up, the records stays there.

if i run the script again just to test what is says it fails saying the TXT value is wrong (of course, be cause it was the value of the previos try)

so the second test it does not say NXdomain, so i believe the validattion is to quick.

any thoughts on this?

Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Requesting a certificate for test1.blah.net Performing the following challenges: dns-01 challenge for test1.blah.net Running manual-auth-hook command: auth-transip.sh Hook '--manual-auth-hook' for test1.blah.net ran with output: JWT: xxxxx Hook '--manual-auth-hook' for test1.blah.net ran with error output: INFO:Authenticating. INFO:Creating record for _acme-challenge.test1.blah.net Waiting for verification... Challenge failed for domain test1.blah.net dns-01 challenge for test1.blah.net

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems: Domain: test1.blah.net Type: dns Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.test1.blah.net - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Cleaning up challenges Running manual-cleanup-hook command: cleanup-transip.sh Hook '--manual-cleanup-hook' for test1.blah.net ran with error output: INFO:Removing record _acme-challenge.test1.blah.net Some challenges have failed.

[Zjemm]

i have added a sleep timer:

def ensure_txt_record(self, domain, name, value):
    existing_record = self._get_txt_record(domain, name)
    if existing_record is None:
        self._logger.info("Creating record for %s.%s" % (name, domain))
    else:
        self._logger.info("Updating record for %s.%s" % (name, domain))

    record = {
            'dnsEntry': {
                'name': name,
                'expire': 60,  # 1 minute is minimum.
                'type': 'TXT',
                'content': value,
            }
    }
    self._rest_call(
            'POST' if existing_record is None else 'PATCH',
            self.DNS_URL % domain,
            body=record, extra_headers=self._get_auth_headers())
            **time.sleep(30)**

now the result is this:

Hook '--manual-auth-hook' for test2.blah.net ran with error output: INFO:Authenticating. INFO:Creating record for _acme-challenge.test2.blah.net Waiting for verification... Cleaning up challenges Running manual-cleanup-hook command: cleanup-transip.sh Hook '--manual-cleanup-hook' for test2.blah.net reported error code 1 Hook '--manual-cleanup-hook' for test2.blah.net ran with error output: Traceback (most recent call last): File "certbot-dns-transip.py", line 171, in t.remove_txt_record(domain, name) ^^^^^^^^^^^^^^^^^^^ AttributeError: 'TransipClient' object has no attribute 'remove_txt_record'. Did you mean: 'ensure_txt_record'?

Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/test2.blah.net/fullchain.pem Key is saved at: /etc/letsencrypt/live/test2.blah.net/privkey.pem

so the certificate is there, but now the txt record did not get cleaned

[mvschaik]

Hi Zjemm,

Thanks for your report! Haven't seen this happening myself, but adding a sleep timer doesn't seem like a bad idea. (You probably broke the remove_txt_record function in the process, maybe indentation?)

Apparently it might take some time for the changes through the API to propagate to the name servers? I think LetsEncrypt checks the authoritative NS, so it's probably not a caching issue. I can add a check this weekend.

[Zjemm]

Hi @mvschaik

Thanks for getting back. Indeed the sleep timer solves the issue, and by adding that, it did broke the remove function.... i'll have to check if identation is the issue, i'm not a python guy myself....so you you have a better fix, let me know

Also, for this to run automatically with the certbot service, how would i approach that? i have the files in my home dir, so i changed all the paths in the scripts to the home dir for testing, but i want to run this automatically with all the scripts in the correct place.
It might be better to save the file in the lets encrypt dir?

Any suggestions on that?

How does certbot renew with the hooks?

[mvschaik]

Turned out I actually had a "sleep 30" in my validation hook script! So I apparently did run into this before. I've now updated the script to wait until the DNS record is updated, so that shouldn't be necessary anymore. Please give it a try!

As for how to run this, you can basically organize however you want. In my case I have this repository checked out in my home dir, and have the hook scripts in my letsencrypt dir. But I could very well imagine that the certbot-dns-transip.py could also be moved to the letsencrypt dir, or on Linux in for instance /opt or something.

[Zjemm]

thanks, ill test it this week and let you know