obynio / certbot-plugin-gandi

Certbot plugin for authentication using Gandi LiveDNS
https://pypi.org/project/certbot-plugin-gandi/
MIT License
194 stars 27 forks

Detailed error messages for humans. #33

Open soriyath opened 2 years ago

soriyath commented 2 years ago

Summary

Error messages could be more detailed in order to help system administrators quickly resolve issues.

See also this short documentation I wrote about this subject: https://github.com/Leading-Works-SaRL/certbot-plugin-gandi/wiki/Troubleshooting

Reproducible steps

  1. Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
  2. Go to the Gandi.net platform, regenerate/rotate the Gandi API Key;
  3. Do not update the configuration on the server that uses certbot;
  4. Attempt to renew the certificate(s) with: certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
  5. The following error message shows up (possibly by email too, if you have it configured accordingly): Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io";
  6. Inspection of the logs under /var/log/letsencrypt/letsencrypt.log shows that it is really about authentication; see HTTP status code 401:
2022-01-03 20:59:39,583:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:39,820:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/x.y.io HTTP/1.1" 401 264
2022-01-03 20:59:39,847:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,085:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.io HTTP/1.1" 401 264
2022-01-03 20:59:40,111:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,361:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,377:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "x.y.io"
2022-01-03 20:59:40,392:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,630:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.z HTTP/1.1" 401 264
2022-01-03 20:59:40,655:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,896:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,911:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "y.io"
2022-01-03 20:59:40,915:ERROR:certbot._internal.renewal:Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io"

SHOULD Behaviour

  1. Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
  2. Go to the Gandi.net platform, regenerate/rotate the Gandi API Key;
  3. Do not update the configuration on the server that uses certbot;
  4. Attempt to renew the certificate(s) with: certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
  5. The following error message shows up (possibly by email too, if you have it configured accordingly): Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: 401 Unauthorized (bad api key?);
  6. Further inspection of the logs shows the error message from the Gandi.net API (the format can be modified; it does not necessarily have to be JSON):
{"object": "HTTPUnauthorized", "cause": "Unauthorized", "code": 401, "message": "The server could not verify that you authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad api key), or your access token has expired"}

Furthermore, the Wiki page of the plugin may also document common errors and remediations in a Troubleshooting page. The Wiki page may be replaced by a TROUBLESHOOTING.md or COMMON_ERRORS.md file committed with the code.

Thank you for the plugin and your time.
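The behaviour requested above, as an added example that is not the plugin's own code: the base-domain walk seen in the log excerpt (x.y.io, then y.io, then io) stops on the first HTTP 401 and surfaces the API's own message instead of reporting a missing base domain. The `fetch` callable, the `find_base_domain` name and the constructed responses are assumptions; the `/api/v5/domains/` path is taken from the log above.

```python
import json
from typing import Callable, List, Tuple

# Hypothetical HTTP layer: maps a path such as /api/v5/domains/y.io to
# (status_code, body_bytes). A real plugin would call the LiveDNS API here.
Fetcher = Callable[[str], Tuple[int, bytes]]


class GandiAuthError(Exception):
    """The LiveDNS API rejected the credentials (HTTP 401)."""


class BaseDomainNotFound(Exception):
    """No candidate zone for the FQDN is managed by this account."""


def candidate_zones(fqdn: str) -> List[str]:
    # Most specific first, as in the log: x.y.io -> y.io -> io
    labels = fqdn.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def find_base_domain(fqdn: str, fetch: Fetcher) -> str:
    for zone in candidate_zones(fqdn):
        status, body = fetch(f"/api/v5/domains/{zone}")
        if status == 200:
            return zone
        if status == 401:
            # A rejected API key is not "no such zone": stop walking and
            # hand the operator the API's own explanation.
            try:
                detail = json.loads(body).get("message", "")
            except ValueError:
                detail = body.decode(errors="replace")
            raise GandiAuthError(f"401 Unauthorized (bad api key?): {detail}")
        if status == 404:
            continue  # assumption: 404 means "not this zone", try the parent
        raise RuntimeError(f"Unexpected HTTP {status} for {zone}")
    raise BaseDomainNotFound(f'Unable to get base domain for "{fqdn}"')


# Constructed responses reproducing the scenario from the issue (offline).
UNAUTHORIZED_BODY = json.dumps({"object": "HTTPUnauthorized", "cause": "Unauthorized",
                                "code": 401, "message": "bad api key"}).encode()


def rotated_key_fetch(path: str) -> Tuple[int, bytes]:
    return 401, UNAUTHORIZED_BODY  # every lookup fails after key rotation


def valid_key_fetch(path: str) -> Tuple[int, bytes]:
    return (200, b"{}") if path.endswith("/domains/y.io") else (404, b'{"cause": "Not Found"}')
```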