Closed nullromo closed 1 year ago
What's the contents of the azure ini file? The fixes in 2.2.0b0 should fix this as there were issues where the first domain was selected for subdomains as it was a suffix, the changes in 2.2.0b0 should make it so that it picks the most specific domain. Certbot itself should really be >= 2.0.0 now, as there was a major release a few months ago.
The file `.certbot_credentials.ini` contains

```
dns_azure_sp_client_id = xxx
dns_azure_sp_client_secret = xxx
dns_azure_tenant_id = xxx
dns_azure_zone1 = mywebsite.com:/subscriptions/xxx/resourceGroups/myResourceGroup
```
Both the DNS zones are in the same resource group. Do I need to add some kind of configuration for the second DNS zone? I didn't have to do that before, so I'm wondering if maybe there was a recent API change on the Azure side.
Yeah you need an entry for each domain.
E.g.

```
dns_azure_zone1 = example.com:/subscriptions/aaa/resourceGroups/dns1
dns_azure_zone2 = subdomain.example.com:/subscriptions/aaa/resourceGroups/dns1
```
I'd suggest using 2.2.0b0 (else you'll then get the domain ordering bug)
To add to this, I've released 2.2.0 formally now.
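The zone-selection behaviour described in the maintainer's comments above, as an added Python example that is not the plugin's own code: `parse_zones` reads the `dns_azure_zoneN` entries from a constructed credentials file, `select_zone_first_match` reproduces the pre-2.2.0 suffix-ordering problem, and `select_zone_most_specific` the longest-match rule 2.2.0 adopts (all function names are hypothetical). With both zones configured, the old rule files the `pages.mywebsite.com` challenge under `mywebsite.com` as `_acme-challenge.pages`, which is exactly the stray record the reporter saw in the portal.

```python
from typing import Dict, List, Optional

# Constructed credentials file in the layout shown in the thread; values are placeholders.
SAMPLE_INI = """\
dns_azure_sp_client_id = xxx
dns_azure_sp_client_secret = xxx
dns_azure_tenant_id = xxx
dns_azure_zone1 = mywebsite.com:/subscriptions/xxx/resourceGroups/myResourceGroup
dns_azure_zone2 = pages.mywebsite.com:/subscriptions/xxx/resourceGroups/myResourceGroup
"""


def parse_zones(ini_text: str) -> Dict[str, str]:
    """Map each dns_azure_zoneN entry to {zone name: resource group path}, in file order."""
    zones: Dict[str, str] = {}
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not key.strip().startswith("dns_azure_zone"):
            continue
        zone, _, rg_path = value.strip().partition(":")
        zones[zone.strip().lower().rstrip(".")] = rg_path.strip()
    return zones


def _matching_zones(record: str, zones: Dict[str, str]) -> List[str]:
    # A zone matches when the record is the zone apex itself or ends in ".<zone>".
    return [z for z in zones if record == z or record.endswith("." + z)]


def select_zone_first_match(record: str, zones: Dict[str, str]) -> Optional[str]:
    """Pre-2.2.0 behaviour as described in the thread: the first configured suffix
    match wins, so mywebsite.com swallows records that belong to pages.mywebsite.com."""
    matches = _matching_zones(record, zones)
    return matches[0] if matches else None


def select_zone_most_specific(record: str, zones: Dict[str, str]) -> Optional[str]:
    """2.2.0 behaviour: prefer the longest (most specific) matching zone."""
    matches = _matching_zones(record, zones)
    return max(matches, key=len) if matches else None


def relative_record_name(record: str, zone: str) -> str:
    """Name the TXT record gets inside its zone ('@' at the apex)."""
    return "@" if record == zone else record[: -(len(zone) + 1)]


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_INI)
    record = "_acme-challenge.pages.mywebsite.com"
    for chooser in (select_zone_first_match, select_zone_most_specific):
        zone = chooser(record, zones)
        print(f"{chooser.__name__}: zone={zone} record={relative_record_name(record, zone)}")
```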
Adding another line in the `.ini` file did the trick, thanks. Not sure why it worked before with only one zone listed, but I got it set up correctly now on version 2.2.0 installed via pip.
Nice :tada:
I am trying to renew a certificate, and the DNS TXT record is not getting set for one of my two DNS zones. There have been some other similar resolved issues (#9, #35) but I'm still having a problem.
n.b. some information is redacted below and I changed the domain name to `mywebsite`.

I have 2 Azure DNS Zones, `mywebsite.com` and `pages.mywebsite.com`. When I look on the Azure dashboard, I can see two DNS TXT records getting added to the `mywebsite.com` zone, but I don't see any records for `pages.mywebsite.com`. See screenshots below.

(screenshot: `mywebsite.com` DNS Zone)

(screenshot: `pages.mywebsite.com` DNS Zone)

`sudo /usr/local/bin/certbot certificates` output:

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mywebsite.com
    Serial Number: xxx
    Key Type: RSA
    Domains: *.mywebsite.com *.pages.mywebsite.com
    Expiry Date: 2023-06-13 23:02:30+00:00 (VALID: 1 day)
    Certificate Path: /etc/letsencrypt/live/mywebsite.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mywebsite.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

`sudo /usr/local/bin/certbot renew --dry-run` output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mywebsite.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for *.mywebsite.com and *.pages.mywebsite.com
Waiting 10 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-azure). The Certificate Authority reported these problems:
  Domain: pages.mywebsite.com
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.pages.mywebsite.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-azure. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-azure-propagation-seconds (currently 10 seconds).

Failed to renew certificate mywebsite.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mywebsite.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

As you can see, the `mywebsite.com` zone has 2 entries, one called `_acme-challenge` and one called `_acme-challenge.pages`. I'm pretty sure the `_acme-challenge.pages` one is supposed to be in the other DNS zone.

I'm not sure how to set up the configuration to fix this. I have had these certificates auto-renewing via a cron job for over a year, so I'm not sure why it failed now.
I have been changing around my certbot and certbot-dns-azure versions to try to fix this. I started today on certbot version 1.14.0 and certbot-dns-azure version 1.0.1, but I tried updating to the latest (certbot 2.6.0 and certbot-dns-azure 2.1.0). I also tried updating to certbot-dns-azure 2.2.0b0, which reverted my certbot to 2.6.0... Not sure what version to use now.