terricain / certbot-dns-azure

AzureDNS Certbot plugin

Both DNS TXT Records Added to the Same DNS Zone #36

Closed nullromo closed 1 year ago

nullromo commented 1 year ago

I am trying to renew a certificate, and the DNS TXT record is not getting set for one of my two DNS zones. There have been some other similar resolved issues (#9, #35) but I'm still having a problem.

n.b. some information is redacted below and I changed the domain name to mywebsite.

I have 2 Azure DNS Zones, mywebsite.com and pages.mywebsite.com. When I look on the Azure dashboard, I can see two DNS TXT records getting added to the mywebsite.com zone, but I don't see any records for pages.mywebsite.com. See screenshots below.

[Screenshot 1: mywebsite.com DNS Zone]

[Screenshot 2: pages.mywebsite.com DNS Zone]

`sudo /usr/local/bin/certbot certificates` output:

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mywebsite.com
    Serial Number: xxx
    Key Type: RSA
    Domains: *.mywebsite.com *.pages.mywebsite.com
    Expiry Date: 2023-06-13 23:02:30+00:00 (VALID: 1 day)
    Certificate Path: /etc/letsencrypt/live/mywebsite.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mywebsite.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

`sudo /usr/local/bin/certbot renew --dry-run` output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mywebsite.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for *.mywebsite.com and *.pages.mywebsite.com
Waiting 10 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-azure). The Certificate Authority reported these problems:
  Domain: pages.mywebsite.com
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.pages.mywebsite.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-azure. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-azure-propagation-seconds (currently 10 seconds).

Failed to renew certificate mywebsite.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mywebsite.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

As you can see, the mywebsite.com zone has 2 entries, one called _acme-challenge and one called _acme-challenge.pages. I'm pretty sure the _acme-challenge.pages one is supposed to be in the other DNS zone.

I'm not sure how to set up the configuration to fix this. I have had these certificates auto-renewing via a cron job for over a year, so I'm not sure why it failed now.

I have been changing around my certbot and certbot-dns-azure versions to try to fix this. I started today on certbot version 1.14.0 and certbot-dns-azure version 1.0.1, but I tried updating to the latest (certbot 2.6.0 and certbot-dns-azure 2.1.0). I also tried updating to certbot-dns-azure 2.2.0b0, which reverted my certbot to 2.6.0... Not sure what version to use now.

terricain commented 1 year ago

What's the contents of the azure ini file? The fixes in 2.2.0b0 should fix this. There were issues where the first domain was selected for subdomains because it was a suffix; the changes in 2.2.0b0 should make it so that it picks the most specific domain. Certbot itself should really be >= 2.0.0 now, as there was a major release a few months ago.

nullromo commented 1 year ago

The file `.certbot_credentials.ini` contains:

```ini
dns_azure_sp_client_id = xxx
dns_azure_sp_client_secret = xxx
dns_azure_tenant_id = xxx
dns_azure_zone1 = mywebsite.com:/subscriptions/xxx/resourceGroups/myResourceGroup
```

Both the DNS zones are in the same resource group. Do I need to add some kind of configuration for the second DNS zone? I didn't have to do that before, so I'm wondering if maybe there was a recent API change on the Azure side.

terricain commented 1 year ago

Yeah you need an entry for each domain.

E.g.

```ini
dns_azure_zone1 = example.com:/subscriptions/aaa/resourceGroups/dns1
dns_azure_zone2 = subdomain.example.com:/subscriptions/aaa/resourceGroups/dns1
```

I'd suggest using 2.2.0b0 (else you'll then get the domain ordering bug)
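
The two behaviours discussed in this thread (the pre-2.2.0 "first configured zone that is a suffix wins" selection, and the 2.2.0 "most specific zone wins" selection, both applied to the `dns_azure_zoneN` entries of the credentials file) are modelled below as an added example. It is editor-written illustration code, not certbot-dns-azure's own implementation; the function names, the constructed sample ini text and the placeholder values are assumptions. It shows why, with only `mywebsite.com` configured (or with first-match selection), the `_acme-challenge.pages` record lands in the `mywebsite.com` zone, where the CA cannot see it, and how a second zone entry plus most-specific matching moves it into the `pages.mywebsite.com` zone as `_acme-challenge`.

```python
"""Zone selection for an ACME dns-01 TXT record across several Azure DNS zones.

Added illustration, not certbot-dns-azure's own code. It models the two
behaviours described in the issue thread: the old "first configured zone
whose name is a suffix" choice and the 2.2.0 "most specific zone" choice.
Function names, the sample ini text and placeholder values are assumptions.
"""

ZONE_KEY_PREFIX = "dns_azure_zone"

# Constructed sample credentials file with both zones in the same resource
# group, i.e. the layout the maintainer recommended (placeholder values).
SAMPLE_INI = """\
dns_azure_sp_client_id = xxx
dns_azure_sp_client_secret = xxx
dns_azure_tenant_id = xxx
dns_azure_zone1 = mywebsite.com:/subscriptions/xxx/resourceGroups/myResourceGroup
dns_azure_zone2 = pages.mywebsite.com:/subscriptions/xxx/resourceGroups/myResourceGroup
"""


def parse_zones(ini_text: str) -> dict:
    """Return {zone_name: resource_group_id} from dns_azure_zoneN lines, in file order."""
    zones = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith(ZONE_KEY_PREFIX):
            continue  # credentials and other keys are not zone mappings
        zone, sep, resource_group = value.partition(":")
        if not sep:
            raise ValueError(f"{key}: expected 'zone:resource-group-id', got {value!r}")
        zones[zone.lower().rstrip(".")] = resource_group
    return zones


def _in_zone(fqdn: str, zone: str) -> bool:
    """Label-aware suffix test: 'a.example.com' is in 'example.com', 'notexample.com' is not."""
    fqdn = fqdn.lower().rstrip(".")
    return fqdn == zone or fqdn.endswith("." + zone)


def pick_zone_first_match(zones: dict, fqdn: str):
    """Old behaviour: the first configured zone that is a suffix of the name wins."""
    for zone in zones:
        if _in_zone(fqdn, zone):
            return zone
    return None


def pick_zone_most_specific(zones: dict, fqdn: str):
    """2.2.0 behaviour: among matching zones, the one with the most labels wins."""
    matches = [zone for zone in zones if _in_zone(fqdn, zone)]
    if not matches:
        return None
    return max(matches, key=lambda z: z.count("."))


def relative_record_name(zone: str, fqdn: str) -> str:
    """Record name relative to the zone apex, as the Azure portal lists it."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn == zone:
        return "@"
    if not _in_zone(fqdn, zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -(len(zone) + 1)]  # strip '.' + zone from the right


def plan_txt_record(ini_text: str, validation_domain: str, most_specific: bool = True) -> dict:
    """Decide in which zone, and under which name, the _acme-challenge TXT record would be created."""
    zones = parse_zones(ini_text)
    fqdn = "_acme-challenge." + validation_domain
    chooser = pick_zone_most_specific if most_specific else pick_zone_first_match
    zone = chooser(zones, fqdn)
    if zone is None:
        raise LookupError(f"no configured zone contains {fqdn}")
    return {"zone": zone, "resource_group": zones[zone], "name": relative_record_name(zone, fqdn)}


if __name__ == "__main__":
    for strict in (False, True):
        label = "most_specific" if strict else "first_match"
        print(label, plan_txt_record(SAMPLE_INI, "pages.mywebsite.com", strict))
```

With only the `dns_azure_zone1` line present, both selection strategies can do nothing but put `_acme-challenge.pages` into the `mywebsite.com` zone, which is exactly what the screenshots in the report show; the `pages.mywebsite.com` zone is a separate delegated zone, so the CA's resolver never sees that record. Adding the second zone entry is what makes the most-specific choice possible.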

terricain commented 1 year ago

To add to this, I've released 2.2.0 formally now.

nullromo commented 1 year ago

Adding another line in the .ini file did the trick, thanks. Not sure why it worked before with only one zone listed, but I got it set up correctly now on version 2.2.0 installed via pip.

terricain commented 1 year ago

Nice :tada: