obynio / certbot-plugin-gandi

Certbot plugin for authentication using Gandi LiveDNS
https://pypi.org/project/certbot-plugin-gandi/
MIT License
194 stars 27 forks

Unable to find or delete the DNS TXT record: Access was denied to this resource. #10

Closed monsterbitar closed 4 years ago

monsterbitar commented 5 years ago

The steps to install and configure this plugin seem fairly straightforward. I've installed it with pip3 (as --user), certbot plugins lists it, and I've put the API key into gandi.ini (no quotes, directly after certbot_plugin_gandi:dns_api_key=).

I forgot to chmod it at first, but got a reminder when I ran it for the first time, so 600 it is.

Now I'm stuck with the topic error (access denied to resource) and I don't know where to look for logs / more information.

On the admin panel at Gandi I see no entries, and I've got a relatively new version of certbot (tried with 0.28 and 0.35).

Any ideas how to get this working?

obynio commented 5 years ago

Try running it as root. Otherwise I do not have enough details to get a clue of what is happening; look for the logs in /var/log/letsencrypt.

monsterbitar commented 4 years ago

Thank you for pointing me to the log files. From them, I can see that certbot is talking with Let's Encrypt to get nonces several times, and that part doesn't seem to be having any problems, but when it's time to set the challenge TXT entry, Gandi returns 403:

2019-07-14 18:45:47,936:DEBUG:acme.client:Storing nonce: Sg3zadheCWhDeXMdpvrQnfNGL2GZ0hfSsew-JR-nNQg
2019-07-14 18:45:47,937:INFO:certbot.auth_handler:Performing the following challenges:
2019-07-14 18:45:47,938:INFO:certbot.auth_handler:dns-01 challenge for silverblood.se
2019-07-14 18:45:47,938:INFO:certbot.auth_handler:dns-01 challenge for silverblood.se
2019-07-14 18:45:47,952:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net
2019-07-14 18:45:48,410:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/silverblood.se HTTP/1.1" 200 527
2019-07-14 18:45:48,417:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net
2019-07-14 18:45:48,801:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/zones/5f331fe8-9f1c-11e9-8e35-00163ee24379/records/_acme-challenge/TXT HTTP/1.1" 403 112
2019-07-14 18:45:48,808:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net
2019-07-14 18:45:49,187:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "PUT /api/v5/zones/5f331fe8-9f1c-11e9-8e35-00163ee24379/records/_acme-challenge/TXT HTTP/1.1" 403 112
2019-07-14 18:45:49,196:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib64/python3.5/site-packages/certbot/auth_handler.py", line 69, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib64/python3.5/site-packages/certbot/plugins/dns_common.py", line 58, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/root/.local/lib64/python3.5/site-packages/certbot_plugin_gandi/main.py", line 50, in _perform
    raise errors.PluginError('An error occurred adding the DNS TXT record: {0}'.format(error))
certbot.errors.PluginError: An error occurred adding the DNS TXT record: Access was denied to this resource.

2019-07-14 18:45:49,196:DEBUG:certbot.error_handler:Calling registered functions
2019-07-14 18:45:49,196:INFO:certbot.auth_handler:Cleaning up challenges
2019-07-14 18:45:49,204:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net
2019-07-14 18:45:49,662:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/silverblood.se HTTP/1.1" 200 527
2019-07-14 18:45:49,670:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net
2019-07-14 18:45:50,141:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/zones/5f331fe8-9f1c-11e9-8e35-00163ee24379/records/_acme-challenge/TXT HTTP/1.1" 403 112
2019-07-14 18:45:50,149:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net
2019-07-14 18:45:50,601:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "PUT /api/v5/zones/5f331fe8-9f1c-11e9-8e35-00163ee24379/records/_acme-challenge/TXT HTTP/1.1" 403 112
2019-07-14 18:45:50,605:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Access was denied to this resource.
2019-07-14 18:45:50,614:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net
2019-07-14 18:45:51,157:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/silverblood.se HTTP/1.1" 200 527
2019-07-14 18:45:51,165:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net
2019-07-14 18:45:51,593:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/zones/5f331fe8-9f1c-11e9-8e35-00163ee24379/records/_acme-challenge/TXT HTTP/1.1" 403 112
2019-07-14 18:45:51,601:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net
2019-07-14 18:45:52,006:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "PUT /api/v5/zones/5f331fe8-9f1c-11e9-8e35-00163ee24379/records/_acme-challenge/TXT HTTP/1.1" 403 112
2019-07-14 18:45:52,010:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Access was denied to this resource.
2019-07-14 18:45:52,011:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.5/certbot", line 11, in
    load_entry_point('certbot==0.35.0', 'console_scripts', 'certbot')()
  File "/usr/lib64/python3.5/site-packages/certbot/main.py", line 1379, in main
    return config.func(config, plugins)
  File "/usr/lib64/python3.5/site-packages/certbot/main.py", line 1262, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib64/python3.5/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib64/python3.5/site-packages/certbot/client.py", line 406, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib64/python3.5/site-packages/certbot/client.py", line 349, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib64/python3.5/site-packages/certbot/client.py", line 385, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib64/python3.5/site-packages/certbot/auth_handler.py", line 69, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib64/python3.5/site-packages/certbot/plugins/dns_common.py", line 58, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/root/.local/lib64/python3.5/site-packages/certbot_plugin_gandi/main.py", line 50, in _perform
    raise errors.PluginError('An error occurred adding the DNS TXT record: {0}'.format(error))
certbot.errors.PluginError: An error occurred adding the DNS TXT record: Access was denied to this resource.

obynio commented 4 years ago

403 means Forbidden; it is a problem with your Gandi account configuration and not the plugin. You may not have full access on that domain, or your API key is wrong.

monsterbitar commented 4 years ago

On my Gandi account, I have regenerated the API key and re-entered it into the gandi.ini file, and the domain was transferred to Gandi and set to use Gandi's LiveDNS.

Are there any particular settings for the domain that need to be done, or should the API key for the account overall be all that is needed?

obynio commented 4 years ago

The only requirement is using Gandi LiveDNS as the nameserver. If you just transferred your domains, there is a high probability that your nameserver is still configured toward your previous provider, which is causing the issue. You need to switch the nameservers of your domain to Gandi LiveDNS.

monsterbitar commented 4 years ago

The transfer and configuration to LiveDNS was done 9 days ago.

Is there any way that I could get more debug information on the calls to Gandi without doing network inspection?

obynio commented 4 years ago

Apart from the logs from certbot, I don't know. You can try requesting the endpoints on your side and testing them with basic curl queries: https://doc.livedns.gandi.net/

Be aware that this plugin is not officially supported by Gandi when requesting their support. I will close this issue as I'm unable to reproduce it and the logs seem to show this is not a plugin issue.

monsterbitar commented 4 years ago

I tested a couple of curl calls with the API key and could create and remove a zone.

I don't know exactly what a zone is or how it works, but I didn't have one to begin with and I don't have one at the moment - and I noticed this:

https://github.com/obynio/certbot-plugin-gandi/pull/7

Which seems to reference using this plugin with a domain directly rather than a zone. Looking at the debug logs for this issue, I see that the requests that fail both go to

/api/v5/zones/5f331fe8-9f1c-11e9-8e35-00163ee24379/

Is this a newly created zone? Where did it get a zone uuid if I had no zones to begin with?
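As an added example, not something posted in this thread: a small Python script that extracts the Gandi LiveDNS calls from a certbot debug log like the one above and tallies them by HTTP status and by zone-based versus domain-based endpoint, so a 403 pattern like this issue's can be spotted without network inspection. It assumes the certbot 0.x log layout shown in the excerpt; the sample lines are copied from it.

```python
import re
import sys

# Matches the urllib3 request lines certbot writes to letsencrypt.log, in the
# format shown in this issue's excerpt (assumption: certbot 0.x log layout).
CALL_RE = re.compile(
    r'^\S+ \S+:DEBUG:urllib3\.connectionpool:https://(?P<host>[^:/]+):\d+ '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_gandi_calls(log_text):
    """Return one dict per Gandi LiveDNS API call found in a certbot debug log."""
    calls = []
    for line in log_text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m or m.group("host") != "dns.api.gandi.net":
            continue
        path = m.group("path")
        # The zone-based vs domain-based endpoint distinction raised in PR #7.
        endpoint = "zone" if path.startswith("/api/v5/zones/") else "domain"
        calls.append({"method": m.group("method"), "path": path,
                      "status": int(m.group("status")), "endpoint": endpoint})
    return calls

def summarize(calls):
    """Count calls per (endpoint style, HTTP status) so a 403 pattern stands out."""
    summary = {}
    for c in calls:
        key = (c["endpoint"], c["status"])
        summary[key] = summary.get(key, 0) + 1
    return summary

# Constructed sample: three request lines copied from this issue's log plus one
# unrelated ACME line, which the parser must ignore.
SAMPLE_LOG = """\
2019-07-14 18:45:47,936:DEBUG:acme.client:Storing nonce: Sg3zadheCWhDeXMdpvrQnfNGL2GZ0hfSsew-JR-nNQg
2019-07-14 18:45:48,410:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/silverblood.se HTTP/1.1" 200 527
2019-07-14 18:45:48,801:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/zones/5f331fe8-9f1c-11e9-8e35-00163ee24379/records/_acme-challenge/TXT HTTP/1.1" 403 112
2019-07-14 18:45:49,187:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "PUT /api/v5/zones/5f331fe8-9f1c-11e9-8e35-00163ee24379/records/_acme-challenge/TXT HTTP/1.1" 403 112
"""

if __name__ == "__main__":
    # Pass /var/log/letsencrypt/letsencrypt.log as argv[1] to scan a real log.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    calls = parse_gandi_calls(text)
    for c in calls:
        print(c["status"], c["method"], c["endpoint"], c["path"])
    for (endpoint, status), n in sorted(summarize(calls).items()):
        print("%d x HTTP %d on %s endpoint" % (n, status, endpoint))
```

On the sample it reports one 200 on the domain endpoint and two 403s on the zone endpoint, the same split visible in the excerpt above.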

monsterbitar commented 4 years ago

I read through the commit changes and they seemed small, so I decided to try them out:

IMPORTANT NOTES:

Seems to be working fine when using the domain rather than the zone configuration.

obynio commented 4 years ago

Nice job, it seems I was wrong. I totally forgot about this PR, I will take a closer look at it 🙂