Reproducible steps
Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
Go on the Gandi.net platform, regenerate/rotate the Gandi API Key;
Do not update the configuration on the server that uses certbot;
Attempt to renew the certificate(s) with: certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
The following error message shows up (possibly per email too if you have it configured accordingly): Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io";
Inspection of the logs under /var/log/letsencrypt/letsencrypt.log shows that it is really about authentication, see HTTP Status Code 401:
2022-01-03 20:59:39,583:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:39,820:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/x.y.io HTTP/1.1" 401 264
2022-01-03 20:59:39,847:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,085:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.io HTTP/1.1" 401 264
2022-01-03 20:59:40,111:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,361:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,377:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "x.y.io"
2022-01-03 20:59:40,392:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,630:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.z HTTP/1.1" 401 264
2022-01-03 20:59:40,655:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,896:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,911:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "y.io"
2022-01-03 20:59:40,915:ERROR:certbot._internal.renewal:Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io"
SHOULD Behaviour
Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
Go on the Gandi.net platform, regenerate/rotate the Gandi API Key;
Do not update the configuration on the server that uses certbot;
Attempt to renew the certificate(s) with: certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
The following error message shows up (possibly per email too if you have it configured accordingly): Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: 401 Unauthorized (bad api key?);
Further inspection of the logs shows the error message from the Gandi.net API (the format can be modified, not necessarily in JSON format):
{"object": "HTTPUnauthorized", "cause": "Unauthorized", "code": 401, "message": "The server could not verify that you authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad api key), or your access token has expired"}
Furthermore, the Wiki page of the plugin may also document common errors and remediations in a Troubleshooting page.
The Wiki page may be replaced by a TROUBLESHOOTING.md or COMMON_ERRORS.md file committed with the code.
Summary
Error messages could be more detailed in order to help system administrators quickly resolve issues.
See also this short documentation I wrote about this subject: https://github.com/Leading-Works-SaRL/certbot-plugin-gandi/wiki/Troubleshooting
Thank you for the plugin and your time.
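One way to surface the real cause from letsencrypt.log as it is written today, added here as an example that is not part of the issue or of the plugin's code: it collects the Gandi API responses logged before each failed renewal and reports when every one of them was a 401. The function name `diagnose` and the result fields are assumptions of this example; the sample lines are a shortened copy of the log excerpt above.

```python
import re

# Shortened copy of the log excerpt quoted in the issue above.
SAMPLE_LOG = '''\
2022-01-03 20:59:39,583:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:39,820:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/x.y.io HTTP/1.1" 401 264
2022-01-03 20:59:40,085:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.io HTTP/1.1" 401 264
2022-01-03 20:59:40,361:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,915:ERROR:certbot._internal.renewal:Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io"
'''

# urllib3 debug line: https://host:port "METHOD path HTTP/x.y" status length
RESPONSE = re.compile(
    r'urllib3\.connectionpool:https://(?P<host>[^:/\s]+):\d+ '
    r'"[A-Z]+ \S+ HTTP/[\d.]+" (?P<status>\d{3}) ')
FAILURE = re.compile(
    r':ERROR:certbot\._internal\.renewal:'
    r'Failed to renew certificate (?P<cert>\S+) with error')


def diagnose(log_text, api_host="dns.api.gandi.net"):
    """Return one finding per failed renewal in log_text.

    Each finding lists the HTTP statuses the DNS API returned since the
    previous failure, so a masked 401 is visible next to the certificate.
    """
    statuses, findings = [], []
    for line in log_text.splitlines():
        resp = RESPONSE.search(line)
        if resp and resp["host"] == api_host:
            statuses.append(int(resp["status"]))
            continue
        fail = FAILURE.search(line)
        if not fail:
            continue
        if not statuses:
            cause = "no API response logged before the failure"
        elif all(s == 401 for s in statuses):
            cause = "401 Unauthorized on every API call (bad or rotated API key?)"
        else:
            cause = "not purely an authentication failure; statuses: %s" % statuses
        findings.append({"cert": fail["cert"], "statuses": statuses, "cause": cause})
        statuses = []  # start a fresh window for the next certificate
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding["cert"], "->", finding["cause"])
```

Run against the real file with `diagnose(open("/var/log/letsencrypt/letsencrypt.log").read())` after a failed renewal; the request lines only appear when the log captures DEBUG output, as it does in the excerpt above.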