troykelly / hassio-addons-letsencrypt-lexicon

Home Assistant Addon that provides Let's Encrypt with Lexicon
Apache License 2.0

Error message "deploy_challenge hook returned with non-zero exit code" #30

Closed jb773 closed 1 year ago

jb773 commented 1 year ago

Problem/Motivation

I am trying to set up Let's Encrypt via DNS-01 authentication method on Cloudflare. When I try to set up my config with Cloudflare as DNS provider (not proxied) I get the error as below.

Expected behavior

I expect it to authenticate with Cloudflare.

Actual behavior

I get the error message: "deploy_challenge hook returned with non-zero exit code"

Steps to reproduce

Use the below configuration in the HASS add-on:

Certificate File: fullchain.pem

DNS Configuration:

email: me@gmail.com
domains:
  - mydomain.com
dns:
  provider: dns-cloudflare
  cloudflare_auth_username: me@gmail.com
  cloudflare_auth_token: [Cloudflare API token]

Domains: mydomain.com
Email Address: me@gmail.com
Key File: privkey.pem
Update Delay: 30

Full Error Message

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/00-banner.sh
-----------------------------------------------------------
 Add-on: Let's Encrypt with Lexicon
 Manage certificate from Let's Encrypt using Lexicon DNS
-----------------------------------------------------------
 Add-on version: 3.0.2
 You are running the latest version of this add-on.
 System: Home Assistant OS 9.0  (amd64 / qemux86-64)
 Home Assistant Core: 2022.9.7
 Home Assistant Supervisor: 2023.03.1
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
cont-init: info: /etc/cont-init.d/00-banner.sh exited 0
cont-init: info: running /etc/cont-init.d/01-log-level.sh
cont-init: info: /etc/cont-init.d/01-log-level.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun certificates (no readiness notification)
s6-rc: info: service legacy-services successfully started
[21:14:23] INFO: Starting Certificate Refresh...
[21:14:23] INFO: Seconds between each refresh is set to: 86400
[21:14:39] INFO: [mydomain_com]:    mydomain.com
[21:14:39] INFO: Requesting domains from LetsEncrypt
# Home Assistant Domains
# Provider: null
mydomain.com > mydomain_com
# END Home Assistant Domains
# INFO: Using main config file /etc/dehydrated/config
Processing mydomain.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for mydomain.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge called: mydomain.com, [redacted]
usage: lexicon [-h] [--version] [--delegated DELEGATED]
               [--config-dir CONFIG_DIR]
               {aliyun,aurora,auto,azure,cloudflare,cloudns,cloudxns,conoha,constellix,ddns,digitalocean,dinahosting,directadmin,dnsimple,dnsmadeeasy,dnspark,dnspod,dreamhost,dynu,easydns,easyname,euserv,exoscale,gandi,gehirn,glesys,godaddy,googleclouddns,gransy,gratisdns,henet,hetzner,hostingde,hover,infoblox,infomaniak,internetbs,inwx,joker,linode,linode4,localzone,luadns,memset,misaka,mythicbeasts,namecheap,namecom,namesilo,netcup,nfsn,njalla,nsone,oci,onapp,online,ovh,plesk,pointhq,porkbun,powerdns,rackspace,rage4,rcodezero,route53,safedns,sakuracloud,softlayer,transip,ultradns,valuedomain,vercel,vultr,webgo,yandex,yandexcloud,zeit,zilore,zonomi}
               ...
lexicon: error: argument provider_name: invalid choice: 'null' (choose from 'aliyun', 'aurora', 'auto', 'azure', 'cloudflare', 'cloudns', 'cloudxns', 'conoha', 'constellix', 'ddns', 'digitalocean', 'dinahosting', 'directadmin', 'dnsimple', 'dnsmadeeasy', 'dnspark', 'dnspod', 'dreamhost', 'dynu', 'easydns', 'easyname', 'euserv', 'exoscale', 'gandi', 'gehirn', 'glesys', 'godaddy', 'googleclouddns', 'gransy', 'gratisdns', 'henet', 'hetzner', 'hostingde', 'hover', 'infoblox', 'infomaniak', 'internetbs', 'inwx', 'joker', 'linode', 'linode4', 'localzone', 'luadns', 'memset', 'misaka', 'mythicbeasts', 'namecheap', 'namecom', 'namesilo', 'netcup', 'nfsn', 'njalla', 'nsone', 'oci', 'onapp', 'online', 'ovh', 'plesk', 'pointhq', 'porkbun', 'powerdns', 'rackspace', 'rage4', 'rcodezero', 'route53', 'safedns', 'sakuracloud', 'softlayer', 'transip', 'ultradns', 'valuedomain', 'vercel', 'vultr', 'webgo', 'yandex', 'yandexcloud', 'zeit', 'zilore', 'zonomi')
ERROR: deploy_challenge hook returned with non-zero exit code
[21:14:51] WARNING: certificate refresh crashed, halting add-on
s6-rc: info: service legacy-services: stopping
[21:14:51] INFO: certificate refresh stoped, restarting...
[21:14:51] INFO: certificate refresh stoped, restarting...
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
troykelly commented 1 year ago

I'm not able to reproduce it.

@jb773 can you confirm whether this is occurring every time, or whether it is transient?

Using configuration:

certfile: test-fullchain.pem
keyfile: test-privkey.pem
dns:
  provider: cloudflare
  cloudflare_auth_username: cloudflare.com@s.example.com
  cloudflare_auth_token: 44bfa8f4257b116a774424de18c08179
domains:
  - test001.example.com *.test001.example.com
  - test002.example.com
email: user@example.com
updatedelay: 30

I get

 Manage certificate from Let's Encrypt using Lexicon DNS
-----------------------------------------------------------
 Add-on version: 3.0.2
 You are running the latest version of this add-on.
 System: Home Assistant OS 9.5  (amd64 / qemux86-64)
 Home Assistant Core: 2023.3.4
 Home Assistant Supervisor: 2023.03.1
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
cont-init: info: /etc/cont-init.d/00-banner.sh exited 0
cont-init: info: running /etc/cont-init.d/01-log-level.sh
cont-init: info: /etc/cont-init.d/01-log-level.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun certificates (no readiness notification)
s6-rc: info: service legacy-services successfully started
[13:05:07] INFO: Starting Certificate Refresh...
[13:05:07] INFO: Seconds between each refresh is set to: 86400
[13:05:07] INFO: Set cloudflare_auth_token
[13:05:07] INFO: Set cloudflare_auth_username
[13:05:14] INFO: [test001_example_au]:  test001.example.com *.test001.example.com
[13:05:14] INFO: [test002_example_au]:  test002.example.com
[13:05:14] INFO: Requesting domains from LetsEncrypt
# Home Assistant Domains
# Provider: cloudflare
test001.example.com *.test001.example.com > test001_example_au
test002.example.com > test002_example_au
# END Home Assistant Domains
# INFO: Using main config file /etc/dehydrated/config
Processing test001.example.com with alternative names: *.test001.example.com 
 + Creating new directory /ssl/test001_example_au ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for test001.example.com
 + Handling authorization for test001.example.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge called: test001.example.com, VGqVmAeebGR2OokBk0QCVPsoD2Hx41-YbIGQem5KyAs, CD8_YCNm9S-5EMvFf4pwhEqwUX3W6_huEGAxj9JbgGw
RESULT
------
True
30
29
28
27
26
25
24
23
22
21
20
19
18
17
16
15
14
13
12
11
10
9
8
7
6
5
4
3
2
1
deploy_challenge called: test001.example.com, kS2quHMX2A4yXTDi0mbSDkSGKu15WZJ7dysIsv4rv9k, lb8fAYfF6N_tH6usb0vTvWLExWCwSOH5tq5F_du7teo
RESULT
------
True
30
29
28
27
26
25
24
23
22
21
20
19
18
17
16
15
14
13
12
11
10
9
8
7
6
5
4
3
2
1
 + Responding to challenge for test001.example.com authorization...
 + Challenge is valid!
 + Responding to challenge for test001.example.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
clean_challenge called: test001.example.com, VGqVmAeebGR2OokBk0QCVPsoD2Hx41-YbIGQem5KyAs, CD8_YCNm9S-5EMvFf4pwhEqwUX3W6_huEGAxj9JbgGw
RESULT
------
True
clean_challenge called: test001.example.com, kS2quHMX2A4yXTDi0mbSDkSGKu15WZJ7dysIsv4rv9k, lb8fAYfF6N_tH6usb0vTvWLExWCwSOH5tq5F_du7teo
RESULT
------
True
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
deploy_cert called: test001.example.com, /ssl/test001_example_au/privkey.pem, /ssl/test001_example_au/cert.pem, /ssl/test001_example_au/fullchain.pem, /ssl/test001_example_au/chain.pem
 + Done!
Processing test002.example.com
 + Creating new directory /ssl/test002_example_au ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for test002.example.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge called: test002.example.com, Qc2TNuFTYmPaNtw8RL3PYAhh1p6d3INJyFFpZv_qtMc, VeVOS4yMIjwv_DHSJdjENtMHCTiWIDvjyn2uLFeoRV8
RESULT
------
True
30
29
28
27
26
25
24
23
22
21
20
19
18
17
16
15
14
13
12
11
10
9
8
7
6
5
4
3
2
1
 + Responding to challenge for test002.example.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
clean_challenge called: test002.example.com, Qc2TNuFTYmPaNtw8RL3PYAhh1p6d3INJyFFpZv_qtMc, VeVOS4yMIjwv_DHSJdjENtMHCTiWIDvjyn2uLFeoRV8
RESULT
------
True
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
deploy_cert called: test002.example.com, /ssl/test002_example_au/privkey.pem, /ssl/test002_example_au/cert.pem, /ssl/test002_example_au/fullchain.pem, /ssl/test002_example_au/chain.pem
 + Done!
[13:07:43] INFO: Copying domains and keys
[13:07:43] INFO: Cleaning Up
# INFO: Using main config file /etc/dehydrated/config
[13:07:43] INFO: Certificates refreshed at @ 13:07:43
jb773 commented 1 year ago

OK, so good news is that I fixed my configuration. I did not realize that in Home Assistant you have to go to "Edit in YAML" to access the full configuration file. I had the DNS section nested underneath an existing DNS section since I was editing it in the default view. I also had the provider as "dns-cloudflare" instead of "cloudflare". So now I went to Edit in YAML and my configuration looks like yours. That part works fine.

The issue now is that I am getting a new error. Please see my configuration and the error:

Configuration in YAML:

certfile: fullchain.pem
dns:
  provider: cloudflare
  cloudflare_auth_username: me@gmail.com
  cloudflare_auth_token: [redacted]
domains:
  - mydomain.com
email: me@gmail.com
keyfile: privkey.pem
updatedelay: 30

Error Message

deploy_challenge called: mydomain.com, [redacted], [redacted]
Traceback (most recent call last):
  File "/usr/local/bin/lexicon", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.10/site-packages/lexicon/cli.py", line 131, in main
    results = client.execute()
  File "/usr/local/lib/python3.10/site-packages/lexicon/client.py", line 81, in execute
    self.provider.authenticate()
  File "/usr/local/lib/python3.10/site-packages/lexicon/providers/base.py", line 73, in authenticate
    self._authenticate()
  File "/usr/local/lib/python3.10/site-packages/lexicon/providers/cloudflare.py", line 48, in _authenticate
    payload = self._get("/zones", {"name": self.domain, "status": "active"})
  File "/usr/local/lib/python3.10/site-packages/lexicon/providers/base.py", line 173, in _get
    return self._request("GET", url, query_params=query_params)
  File "/usr/local/lib/python3.10/site-packages/lexicon/providers/cloudflare.py", line 204, in _request
    response.raise_for_status()
  File "/usr/local/lib/python3.10/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api.cloudflare.com/client/v4/zones?name=mydomain.com&status=active
ERROR: deploy_challenge hook returned with non-zero exit code
[09:19:12] WARNING: certificate refresh crashed, halting add-on
s6-rc: info: service legacy-services: stopping
[09:19:12] INFO: certificate refresh stoped, restarting...
[09:19:12] INFO: certificate refresh stoped, restarting...
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
jb773 commented 1 year ago

Fixed it. This ultimately was a configuration issue. My Cloudflare token was a scoped API token and apparently Lexicon requires the zone ID and the Auth token. My issue was that I was using the username and the Auth token. Once I got rid of the username and added the zone ID, it started working!

Thanks again for this beautiful add-on, such a great way to get Let's Encrypt working without opening ports for it!
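As an added example, not code from the add-on, from Lexicon or from anyone in this thread: a small Python validator for the add-on's dns: block that models the two misconfigurations reported above (a dns: block nested inside dns: with a certbot-style provider name, and a username paired with a scoped API token) and reports which Cloudflare auth scheme Lexicon's cloudflare provider will select. Assumptions: KNOWN_PROVIDERS is a constructed subset of the provider list in the usage message above, the `cloudflare_zone_id` key name is assumed, and the header selection (X-Auth-Email/X-Auth-Key when a username is set, a Bearer token otherwise, and no /zones lookup when a zone id is given) is Lexicon's provider behaviour, not something the thread states.

```python
from dataclasses import dataclass

# Constructed subset of the Lexicon provider names quoted in the usage message above.
KNOWN_PROVIDERS = {"cloudflare", "route53", "digitalocean", "gandi", "ovh", "powerdns",
                   "godaddy", "namecheap", "linode", "hetzner"}

@dataclass
class Finding:
    code: str      # stable identifier, usable in tests and log searches
    level: str     # "error" | "warning" | "info"
    message: str

def check_cloudflare(dns: dict) -> list:
    """Report which Cloudflare auth scheme Lexicon will use and what that scheme needs."""
    out = []
    if not dns.get("cloudflare_auth_token"):
        return [Finding("missing_token", "error", "cloudflare_auth_token is required")]
    if dns.get("cloudflare_auth_username"):
        # Username present: Lexicon sends X-Auth-Email/X-Auth-Key, so the token must be the
        # account's Global API Key. A scoped API token here is rejected (HTTP 400 on /zones).
        out.append(Finding("global_key_mode", "warning",
                           "username set: token must be the Global API Key, not a scoped token"))
    else:
        out.append(Finding("scoped_token_mode", "info",
                           "no username: token is sent as a Bearer token (scoped API token)"))
        if not dns.get("cloudflare_zone_id"):  # assumed key name for Lexicon's --zone-id
            out.append(Finding("zone_lookup", "warning",
                               "no zone id: token needs Zone:Read for the /zones lookup"))
    return out

def validate_dns_section(cfg: dict) -> list:
    """Validate the add-on's dns: block, modelling the failures seen in this thread."""
    dns = cfg.get("dns")
    if not isinstance(dns, dict):
        return [Finding("no_dns", "error", "dns: section missing; provider resolves to null")]
    out = []
    if isinstance(dns.get("dns"), dict):  # UI form editor nested a second dns: block
        out.append(Finding("nested_dns", "error",
                           "dns: nested inside dns: (use 'Edit in YAML'); outer provider is null"))
        dns = dns["dns"]                  # keep validating the inner block as well
    provider = dns.get("provider")
    if provider is None:
        out.append(Finding("no_provider", "error", "provider missing: lexicon is given 'null'"))
    elif provider.startswith("dns-"):     # certbot plugin style name, not a Lexicon provider
        out.append(Finding("certbot_style_provider", "error",
                           f"'{provider}' is not a Lexicon provider; use '{provider[4:]}'"))
    elif provider not in KNOWN_PROVIDERS:
        out.append(Finding("unknown_provider", "error", f"unknown provider '{provider}'"))
    if provider in ("cloudflare", "dns-cloudflare"):
        out.extend(check_cloudflare(dns))
    return out

def codes(cfg: dict) -> list:
    """Finding codes only, in order, for quick comparison of a config against expectations."""
    return [f.code for f in validate_dns_section(cfg)]
```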