Closed vquie closed 5 years ago
@vquiering I have tested issuing certificates for `test.randomname.something.example.com` where only `something.example.com` existed as zone. So I don't think there is a limitation. Could you please double-check and/or send more detailed info (like certbot logs with `--debug`)?
@splashx I just tried to issue `test.vq.example.com`, the zone is `vq.example.com`.
```text
2019-10-17 10:31:40,837:INFO:certbot.auth_handler:Performing the following challenges:
2019-10-17 10:31:40,837:INFO:certbot.auth_handler:dns-01 challenge for test.vq.example.com
2019-10-17 10:31:40,841:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): pdns01.local
2019-10-17 10:31:40,848:DEBUG:requests.packages.urllib3.connectionpool:http://pdns01.local:8081 "GET /api/v1/servers/localhost/zones/test.vq.example.com. HTTP/1.1" 404 9
2019-10-17 10:31:40,849:DEBUG:lexicon.providers.powerdns:response: Not Found
2019-10-17 10:31:40,850:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/certbot/auth_handler.py", line 69, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "build/bdist.linux-x86_64/egg/certbot/plugins/dns_common.py", line 58, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python2.7/dist-packages/certbot_dns_powerdns/dns_powerdns.py", line 55, in _perform
    domain, validation_name, validation)
  File "build/bdist.linux-x86_64/egg/certbot/plugins/dns_common_lexicon.py", line 40, in add_txt_record
    self._find_domain_id(domain)
  File "build/bdist.linux-x86_64/egg/certbot/plugins/dns_common_lexicon.py", line 95, in _find_domain_id
    raise result
PluginError: Error determining zone identifier for test.vq.example.com: 404 Client Error: Not Found for url: http://pdns01.local:8081/api/v1/servers/localhost/zones/test.vq.example.com..
```
It only works if I issue wildcard plus domain of the existing zone.
I've noticed this `http://pdns01.local:8081/api/v1/servers/localhost/zones/test.vq.example.com..` has two dots at the end. Is it really so?
Also, can you do a `pip freeze` - I suspect this relates to the version of Lexicon being used.
I've noticed the two dots in the exception too.
```shell
# pip freeze | grep dns-lexicon
dns-lexicon==3.3.3
```
I just updated to 3.3.4. Still the same issue.
```shell
# pip freeze | grep dns-lexicon
dns-lexicon==3.3.4
```
@vquiering could you please try this and report back? I'm also using `dns-lexicon==3.3.4` but I'm unable to replicate:
```shell
certbot --debug \
  --authenticator certbot-dns-powerdns:dns-powerdns \
  --certbot-dns-powerdns:dns-powerdns-credentials ~/pdns-credentials.ini \
  --certbot-dns-powerdns:dns-powerdns-propagation-seconds 60 \
  --non-interactive \
  --agree-tos \
  --email "something@example.org" \
  --domains test.vq.example.com \
  certonly
```
also the output of:
```shell
curl -s -H "X-API-Key: $API_KEY" \
  http://pdns01.local:8081/api/v1/servers/localhost/zones/vq.example.com. | jq '.soa_edit'
curl -s -H "X-API-Key: $API_KEY" \
  http://pdns01.local:8081/api/v1/servers/localhost/zones/vq.example.com. | jq '.soa_edit_api'
```
```text
"DEFAULT"
```
Here is my test env if you wish to replicate:
```shell
$ pip freeze
acme==0.39.0
asn1crypto==1.2.0
certbot==0.39.0
certbot-dns-powerdns==0.1.1
certifi==2019.9.11
cffi==1.13.0
chardet==3.0.4
ConfigArgParse==0.15.1
configobj==5.0.6
cryptography==2.7
distro==1.4.0
dns-lexicon==3.3.4
dnspython==1.16.0
future==0.18.0
idna==2.8
josepy==1.2.0
mock==3.0.5
parsedatetime==2.4
pycparser==2.19
pyOpenSSL==19.0.0
pyRFC3339==1.1
pytz==2019.3
PyYAML==5.1.2
requests==2.22.0
requests-file==1.4.3
requests-toolbelt==0.9.1
six==1.12.0
tldextract==2.2.2
urllib3==1.25.6
zope.component==4.5
zope.deferredimport==4.3.1
zope.deprecation==4.4.0
zope.event==4.4
zope.hookable==4.2.0
zope.interface==4.6.0
zope.proxy==4.3.2
```
@splashx There you go.
```shell
$ certbot --debug --authenticator certbot-dns-powerdns:dns-powerdns --certbot-dns-powerdns:dns-powerdns-credentials /etc/letsencrypt/pdns.config --certbot-dns-powerdns:dns-powerdns-propagation-seconds 60 --domains test.vq.example.com certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator certbot-dns-powerdns:dns-powerdns, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for test.vq.example.com
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 405, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 384, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 69, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/dns_common.py", line 58, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python2.7/dist-packages/certbot_dns_powerdns/dns_powerdns.py", line 55, in _perform
    domain, validation_name, validation)
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/dns_common_lexicon.py", line 40, in add_txt_record
    self._find_domain_id(domain)
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/dns_common_lexicon.py", line 95, in _find_domain_id
    raise result
PluginError: Error determining zone identifier for test.vq.example.com: 404 Client Error: Not Found for url: http://pdns01.local:8081/api/v1/servers/localhost/zones/test.vq.example.com..
Please see the logfiles in /var/log/letsencrypt for more details.
```
```shell
$ curl -s -H "X-API-Key: super-secret-key" http://pdns01.local:8081/api/v1/servers/localhost/zones/vq.example.com. | jq '.soa_edit'
""
$ curl -s -H "X-API-Key: super-secret-key" http://pdns01.local:8081/api/v1/servers/localhost/zones/vq.example.com. | jq '.soa_edit_api'
"DEFAULT"
```
my env
```shell
$ pip freeze
acme==0.39.0
asn1crypto==1.2.0
backports-abc==0.5
blinker==1.3
bzr-etckeeper==0.0.0
certbot==0.39.0
certbot-dns-powerdns==0.1.1
certbot-dns-rfc2136==0.39.0
certifi==2019.9.11
cffi==1.13.0
chardet==3.0.4
CherryPy==3.5.0
ConfigArgParse==0.15.1
configobj==5.0.6
croniter==0.3.12
crypto==1.4.1
cryptography==2.8
distro==1.4.0
dns-lexicon==3.3.4
dnspython==1.16.0
duplicity==0.7.11
enum34==1.1.6
funcsigs==1.0.2
future==0.18.1
futures==3.0.5
gitdb2==2.0.0
GitPython==2.1.1
httplib2==0.9.2
hvac==0.7.0
idna==2.8
ipaddress==1.0.22
Jinja2==2.9.4
josepy==1.2.0
keyring==10.1
keyrings.alt==1.3
lockfile==0.12.2
logstash-formatter==0.5.16
logstash-handler==0.1.0
M2Crypto==0.24.0
Mako==1.0.6
MarkupSafe==0.23
mock==3.0.5
msgpack-python==0.4.8
mysqlclient==1.3.7
Naked==0.1.31
netaddr==0.7.19
oauthlib==2.0.1
paramiko==2.0.0
parsedatetime==2.4
progressbar==2.3
psutil==5.0.1
pyasn1==0.1.9
pycparser==2.19
pycrypto==2.6.1
pycurl==7.43.0
pygobject==3.22.0
PyJWT==1.4.2
pyOpenSSL==19.0.0
pyRFC3339==1.1
python-apt==1.4.0b3
python-dateutil==2.5.3
python-debian==0.1.30
python-debianbts==2.6.1
python-logstash==0.4.6
pytz==2019.3
pyxdg==0.25
PyYAML==5.1.2
pyzmq==16.0.2
reportbug==6.6.3
repoze.lru==0.6
requests==2.22.0
requests-file==1.4.3
requests-toolbelt==0.9.1
Routes==2.3.1
salt==2018.3.4
SecretStorage==2.3.1
shellescape==3.4.1
singledispatch==3.4.0.3
six==1.12.0
smmap2==2.0.1
systemd-python==233
tldextract==2.2.2
tornado==4.4.3
urllib3==1.25.6
virtualenv==15.1.0
WebOb==1.6.2
zope.component==4.5
zope.deferredimport==4.3.1
zope.deprecation==4.4.0
zope.event==4.4
zope.hookable==4.2.0
zope.interface==4.6.0
zope.proxy==4.3.2
```
OK, I see why this is failing now.
PowerDNS changed the API from 4.1 to 4.2 when a GET is done in a zone which doesn't exist.
- 4.1: this was `422 Client Error: Unprocessable Entity for url:`
- 4.2: this is `404 Client Error: Not Found for url:`
I'll take a look on how to keep this compatible to both versions - and if not, what to do from there.
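As an added illustration of the version-compatible lookup discussed above (example code written for this thread, not the plugin's or Lexicon's own implementation): walk up the labels of the requested name, query each candidate zone, and treat both the 4.1-style 422 and the 4.2-style 404 as "no such zone". The PowerDNS API is replaced by a constructed stub (`fake_powerdns`) so the block runs offline; `find_zone_id`, `candidate_zones` and `canonical` are hypothetical names.

```python
# Zone lookup tolerant of PowerDNS 4.1 (422) and 4.2 (404) "zone does not exist" replies.
# The API stub below is constructed for this example; a real client would issue
# GET /api/v1/servers/localhost/zones/<zone-id> with an X-API-Key header.

NOT_FOUND_STATUSES = {404, 422}  # 4.2 answers 404, 4.1 answered 422


def canonical(name):
    """Return the name with exactly one trailing dot (the form PowerDNS uses as zone id)."""
    return name.rstrip(".") + "."


def candidate_zones(domain):
    """Yield zone ids from most to least specific, stopping before the bare TLD:
    test.vq.example.com -> test.vq.example.com., vq.example.com., example.com."""
    labels = canonical(domain).rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:]) + "."


def find_zone_id(domain, get_zone):
    """Return the id of the closest enclosing zone, using get_zone(zone_id) -> (status, body).

    Any status in NOT_FOUND_STATUSES means "try the parent"; other non-200 codes are
    real errors (bad API key, server down) and must not be silently walked past."""
    for zone in candidate_zones(domain):
        status, body = get_zone(zone)
        if status == 200:
            return body["id"]
        if status in NOT_FOUND_STATUSES:
            continue
        raise RuntimeError("unexpected HTTP %d for zone %s" % (status, zone))
    raise LookupError("no zone found for %s" % domain)


def fake_powerdns(version):
    """Constructed API stub: only vq.example.com. exists; missing zones answer per version."""
    zones = {"vq.example.com.": {"id": "vq.example.com.", "soa_edit_api": "DEFAULT"}}
    missing = 422 if version == "4.1" else 404

    def get_zone(zone_id):
        if zone_id in zones:
            return 200, zones[zone_id]
        return missing, {"error": "Not Found"}

    return get_zone


if __name__ == "__main__":
    for v in ("4.1", "4.2"):
        print(v, find_zone_id("test.vq.example.com", fake_powerdns(v)))
```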
Works like a charm, thank you very much.
@vquiering live now on 0.2.0
Hello,
is it possible to get a single certificate for a subdomain only, e.g. `mx.sub.example.com`? It looks like I would need to setup a powerdns zone for `sub.example.com`. At least the error says that the plugin couldn't find the zone.
Regards, Vitali