oGGy990 / certbot-dns-inwx

INWX DNS authenticator plugin for certbot
Apache License 2.0
105 stars, 16 forks

more helpful error messages when calling domain info #28

Closed leegarrett closed 1 week ago

leegarrett commented 1 year ago

When updating my certificate via this plugin I encountered this error:

# /usr/bin/certbot -v renew 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-inwx, Installer None
Renewing an existing certificate for example.com and *.example.com
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
Cleaning up challenges
Encountered exception during recovery: certbot.errors.PluginError: Unable to determine base domain for _acme-challenge.example.com using names: ['_acme-challenge.example.com', 'example.com', 'com'].
Failed to renew certificate example.com with error: Unable to determine base domain for _acme-challenge.example.com using names: ['_acme-challenge.example.com', 'example.com', 'com'].

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/post-hook.sh
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The corresponding code looks like this: https://github.com/oGGy990/certbot-dns-inwx/blob/c3952fd8179690a679c69c61149206f363c23bce/certbot_dns_inwx/dns_inwx.py#L199-L211

After running certbot with the python debugger I got a more helpful error:

 python3 -m pdb /usr/bin/certbot -v renew 
> /usr/bin/certbot(3)<module>()
-> import re
(Pdb) b /usr/local/lib/python3.11/dist-packages/certbot_dns_inwx/dns_inwx.py:202
Breakpoint 1 at /usr/local/lib/python3.11/dist-packages/certbot_dns_inwx/dns_inwx.py:202
(Pdb) c
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-inwx, Installer None
Renewing an existing certificate for example.com and *.example.com
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
> /usr/local/lib/python3.11/dist-packages/certbot_dns_inwx/dns_inwx.py(202)_find_domain()
-> info = self.inwx.domain.info({'domain': guess})['resData']
(Pdb) self.inwx.domain.info({'domain': guess})['resData']
*** NameError: ('There was a problem: Authorization error (Error code 2201)', {'code': 2201, 'msg': 'Authorization error', 'reasonCode': 'Error_PermissionDenied', 'reason': 'You do not have the required permissions for this command.', 'details': [{'code': 'ACCOUNT_PERMISSION_DENIED', 'msg': "You haven't the required permissions for executing that command"}], 'svTRID': '20230904-<REDACTED>', 'runtime': 0.0057})
(Pdb) 

Hmm, so it's a permission error with my credentials. Would be nice if the error from calling self.inwx.domain.info() would actually output those errors instead of silencing them.

oGGy990 commented 1 week ago

Hey everyone,

the newly released version 3.0.0 is only relying on the nameserver API endpoints now. So from now on, only the 'DNS management' / 'DNS Verwaltung' role is required. I've also added a remark about that to any authorization error messages, to the README and generally improved error reporting.
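An added example, not the plugin's code and not part of either comment above: a base-domain search that treats only a "no such object" answer as a wrong guess and surfaces any other API error, such as the 2201 authorization error from the pdb session, instead of ending in the generic "Unable to determine base domain" message. `ApiError`, `FakeClient`, `domain_info` and the 2303 not-found code are assumptions made for the illustration.

```python
AUTHORIZATION_ERROR = 2201  # code from the pdb output in this issue
OBJECT_NOT_FOUND = 2303     # assumption: EPP-style "object does not exist"

class ApiError(Exception):
    """Hypothetical exception type for a failed API call."""
    def __init__(self, code, msg):
        super().__init__(f"{msg} (Error code {code})")
        self.code = code

class FakeClient:
    """Constructed stub standing in for the registrar API client."""
    def __init__(self, domains, permitted=True):
        self.domains, self.permitted = set(domains), permitted

    def domain_info(self, name):
        if not self.permitted:
            raise ApiError(AUTHORIZATION_ERROR, "Authorization error")
        if name not in self.domains:
            raise ApiError(OBJECT_NOT_FOUND, "Object does not exist")
        return {"domain": name}

def candidate_names(record):
    """'_acme-challenge.example.com' -> that name, 'example.com', 'com'."""
    labels = record.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def find_base_domain(client, record):
    guesses = candidate_names(record)
    for guess in guesses:
        try:
            return client.domain_info(guess)["domain"]
        except ApiError as err:
            if err.code == OBJECT_NOT_FOUND:
                continue  # wrong guess, try the next shorter name
            # Anything else (e.g. 2201) is not a wrong guess: report it.
            # A certbot plugin would raise certbot.errors.PluginError here.
            raise RuntimeError(
                f"Lookup of {guess} failed: {err}. "
                "Check the roles granted to the API account."
            ) from err
    raise LookupError(
        f"Unable to determine base domain for {record} using names: {guesses}.")

if __name__ == "__main__":
    denied = FakeClient({"example.com"}, permitted=False)
    try:
        find_base_domain(denied, "_acme-challenge.example.com")
    except RuntimeError as exc:
        print(exc)
```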