Certbot with certbot-dns-ovh fails to identify subdomain zone

[miccgn]

Hi,

I first posted this at LE, but it looks like this more an issue for this issue tracker.

I chose OVH to provide the DNS zone for home.mkrebs.de, while mkrebs.de is hosted at a different DNS provider which does not offer API access.

Now when trying to register a certificate for server.home.mkrebs.de, certbot fails, as it tries to find the zone "mkrebs.de" at OVH, while the zone is named "home.mkrebs.de".

The version of my client is 2.7.0, installed via snapd on Debian Bookworm.

On a SSH shell, I run: sudo certbot certonly --dry-run --dns-ovh -d "server.home.mkrebs.de" --dns-ovh-credentials /etc/letsencrypt/ovh-api.ini

This produces the following output:
Unexpected error determining zone identifier for server.home.mkrebs.de: Domain mkrebs.de not found

From the source code of certbot-dns-ovh, I would assume that the plugin tries server.home.mkrebs.de, home.mkrebs.de, mkrebs.de, but I can't tell for sure. I already can rule out an authorization problem, as the API user has been provided with GET /domain/zone/* privileges (plus PUT/POST/DELETE).

With the ACME plugin, this works fine - but I would love to stick with Certbot.

[djcoster]

We have also encountered this same issue with the certbot-dns-nsone plugin.

We can see in older log files that this did in fact previously query the NS1 API to see if the domain existed and work its way up the sub-domains until it found one. It now only tries the second level domain. For example, if the -d is my.lab.house.example.com and the "zone" is house.example.com, this used to try lab.house.example.com, then house.example.com and find this is a zone and use it. Now the software ONLY tries example.com and none of the sub-domains. This has broken all of our certbot installs as they all use something like the example above.

[adferrand]

I look at it. Which version of certbot and plugin are you using ?

[adferrand]

Could you provide also the log you are mentionning ?

[djcoster]

This is the OS.

ubuntu@tester:~$ grep VER /etc/os-release
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy

Here are the commands used to install the software and the versions.

ubuntu@tester:~$ sudo snap install certbot --classic
certbot 2.7.1 from Certbot Project (certbot-eff✓) installed
ubuntu@tester:~$ sudo snap set certbot trust-plugin-with-root=ok
ubuntu@tester:~$ sudo snap install certbot-dns-nsone
certbot-dns-nsone 2.7.1 from Certbot Project (certbot-eff✓) installed
ubuntu@tester:~$ snap list certbot certbot-dns-nsone
Name               Version  Rev   Tracking       Publisher     Notes
certbot            2.7.1    3391  latest/stable  certbot-eff✓  classic
certbot-dns-nsone  2.7.1    2979  latest/stable  certbot-eff✓  -

The redacted log file is below.
Note that NS1 has the zones example.con AND sdom1.example.com (these are not the real zone names and have been modified in the log file below to be these) and the records must be added to the sdom1.example.com domain and this worked properly in certbot version 2.6.0. In older log files, the GET entries used to get called for each sub-domain as it walked up the names. For example, it would attempt sdom2.sdom1.example.com and find it doesn't exist, then attempt sdom1.example.com and find it does, and then use that domain. It now just tries example.com and none of the sub-domains.

2023-10-18 07:39:27,895:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 1485
2023-10-18 07:39:28,129:DEBUG:certbot._internal.main:certbot version: 2.7.1
2023-10-18 07:39:28,129:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3391/bin/certbot
2023-10-18 07:39:28,129:DEBUG:certbot._internal.main:Arguments: ['-n', '--agree-tos', '--dns-nsone', '--dns-nsone-credentials', '/home/ubuntu/cm/.secrets/nsone.ini', '--config-dir', '/home/ubuntu/cm/letsencrypt/config', '--email', 'admin@example.com', '--logs-dir', '/home/ubuntu/cm/letsencrypt/logs', '--work-dir', '/home/ubuntu/cm/letsencrypt/work', '--test-cert', '-d', '*.sdom2.sdom1.example.com', '--preconfigured-renewal']
2023-10-18 07:39:28,129:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#dns-nsone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-10-18 07:39:28,134:DEBUG:certbot._internal.log:Root logging level set at 30
2023-10-18 07:39:28,135:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-nsone and installer None
2023-10-18 07:39:28,135:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-nsone
Description: Obtain certificates using a DNS TXT record (if you are using NS1 for DNS).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='dns-nsone', value='certbot_dns_nsone._internal.dns_nsone:Authenticator', group='certbot.plugins')
Initialized: <certbot_dns_nsone._internal.dns_nsone.Authenticator object at 0xffff7e1a4670>
Prep: True
2023-10-18 07:39:28,135:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_nsone._internal.dns_nsone.Authenticator object at 0xffff7e1a4670> and installer None
2023-10-18 07:39:28,135:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-nsone, Installer None
2023-10-18 07:39:28,218:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2023-10-18 07:39:28,219:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2023-10-18 07:39:28,326:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 826
2023-10-18 07:39:28,326:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 18 Oct 2023 13:39:28 GMT
Content-Type: application/json
Content-Length: 826
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert",
  "xTalhvPZV5k": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2023-10-18 07:39:28,326:DEBUG:acme.client:Requesting fresh nonce
2023-10-18 07:39:28,326:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2023-10-18 07:39:28,343:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-10-18 07:39:28,343:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 18 Oct 2023 13:39:28 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: HzmSNKzxFkgCOuap268i2MbIB8ugJMM6tKBQAj0ikJ-tknlcujU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-10-18 07:39:28,344:DEBUG:acme.client:Storing nonce: HzmSNKzxFkgCOuap268i2MbIB8ugJMM6tKBQAj0ikJ-tknlcujU
2023-10-18 07:39:28,344:DEBUG:acme.client:JWS payload:
b'{\n  "contact": [\n    "mailto:admin@example.com"\n  ],\n  "termsOfServiceAgreed": true\n}'
2023-10-18 07:39:28,346:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-acct:
{
  "protected": "**REDACTED**",
  "signature": "**REDACTED**",
  "payload": "**REDACTED**"
}
2023-10-18 07:39:28,391:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-acct HTTP/1.1" 201 569
2023-10-18 07:39:28,391:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 18 Oct 2023 13:39:28 GMT
Content-Type: application/json
Content-Length: 569
Connection: keep-alive
Boulder-Requester: 122290654
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf>;rel="terms-of-service"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/122290654
Replay-Nonce: Oaj3whhZYvawuuU2yNNGS1jqRKS3ouKXLno3y8SWJ5SQIzKlrw4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "key": {
    "kty": "RSA",
    "n": "**REDACTED**",
    "e": "AQAB"
  },
  "contact": [
    "mailto:admin@example.com"
  ],
  "initialIp": "68.69.167.246",
  "createdAt": "2023-10-18T13:39:28.364685823Z",
  "status": "valid"
}
2023-10-18 07:39:28,391:DEBUG:acme.client:Storing nonce: Oaj3whhZYvawuuU2yNNGS1jqRKS3ouKXLno3y8SWJ5SQIzKlrw4
2023-10-18 07:39:28,393:DEBUG:certbot._internal.display.obj:Notifying user: Account registered.
2023-10-18 07:39:28,393:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0xffff7b748e80>)>), contact=('mailto:admin@example.com',), agreement=None, status='valid', terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/122290654', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'), dd35c46b0f63c6fd378b121d3559253a, Meta(creation_dt=datetime.datetime(2023, 10, 18, 13, 39, 28, tzinfo=<UTC>), creation_host='tester', register_to_eff=None))>
2023-10-18 07:39:28,394:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for *.sdom2.sdom1.example.com
2023-10-18 07:39:28,404:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "*.sdom2.sdom1.example.com"\n    }\n  ]\n}'
2023-10-18 07:39:28,405:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "**REDACTED**",
  "signature": "**REDACTED**",
  "payload": "**REDACTED**"
}
2023-10-18 07:39:28,463:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 368
2023-10-18 07:39:28,464:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 18 Oct 2023 13:39:28 GMT
Content-Type: application/json
Content-Length: 368
Connection: keep-alive
Boulder-Requester: 122290654
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/122290654/11660702514
Replay-Nonce: Oaj3whhZzPiKimrYvDRpj66CTK850kbd5CIGkdEVKzmL5BapcdU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-10-25T13:39:28Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.sdom2.sdom1.example.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8932347964"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/122290654/11660702514"
}
2023-10-18 07:39:28,464:DEBUG:acme.client:Storing nonce: Oaj3whhZzPiKimrYvDRpj66CTK850kbd5CIGkdEVKzmL5BapcdU
2023-10-18 07:39:28,464:DEBUG:acme.client:JWS payload:
b''
2023-10-18 07:39:28,466:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8932347964:
{
  "protected": "**REDACTED**",
  "signature": "**REDACTED**",
  "payload": ""
}
2023-10-18 07:39:28,488:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/8932347964 HTTP/1.1" 200 408
2023-10-18 07:39:28,488:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 18 Oct 2023 13:39:28 GMT
Content-Type: application/json
Content-Length: 408
Connection: keep-alive
Boulder-Requester: 122290654
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: HzmSNKzxV0UGUJH8-7VPibG5UkUlRmn1_tV1PtXxgvdP0VquoNo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "sdom2.sdom1.example.com"
  },
  "status": "pending",
  "expires": "2023-10-25T13:39:28Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8932347964/dGWRGA",
      "token": "**REDACTED**"
    }
  ],
  "wildcard": true
}
2023-10-18 07:39:28,489:DEBUG:acme.client:Storing nonce: HzmSNKzxV0UGUJH8-7VPibG5UkUlRmn1_tV1PtXxgvdP0VquoNo
2023-10-18 07:39:28,489:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-10-18 07:39:28,489:INFO:certbot._internal.auth_handler:dns-01 challenge for sdom2.sdom1.example.com
2023-10-18 07:39:28,519:DEBUG:filelock:Attempting to acquire lock 281472752585936 on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:39:28,519:DEBUG:filelock:Lock 281472752585936 acquired on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:39:28,519:DEBUG:filelock:Attempting to acquire lock 281472752744096 on /home/ubuntu/.lexicon_tld_set/urls/62bf135d1c2f3d4db4228b9ecaf507a2.tldextract.json.lock
2023-10-18 07:39:28,519:DEBUG:filelock:Lock 281472752744096 acquired on /home/ubuntu/.lexicon_tld_set/urls/62bf135d1c2f3d4db4228b9ecaf507a2.tldextract.json.lock
2023-10-18 07:39:28,520:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): publicsuffix.org:443
2023-10-18 07:39:28,597:DEBUG:urllib3.connectionpool:https://publicsuffix.org:443 "GET /list/public_suffix_list.dat HTTP/1.1" 200 81815
2023-10-18 07:39:28,605:DEBUG:filelock:Attempting to release lock 281472752744096 on /home/ubuntu/.lexicon_tld_set/urls/62bf135d1c2f3d4db4228b9ecaf507a2.tldextract.json.lock
2023-10-18 07:39:28,606:DEBUG:filelock:Lock 281472752744096 released on /home/ubuntu/.lexicon_tld_set/urls/62bf135d1c2f3d4db4228b9ecaf507a2.tldextract.json.lock
2023-10-18 07:39:28,617:DEBUG:filelock:Attempting to release lock 281472752585936 on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:39:28,617:DEBUG:filelock:Lock 281472752585936 released on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:39:28,645:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-10-18 07:39:28,884:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "GET /v1/zones/example.com HTTP/1.1" 200 None
2023-10-18 07:39:28,929:DEBUG:filelock:Attempting to acquire lock 281472754417232 on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:39:28,930:DEBUG:filelock:Lock 281472754417232 acquired on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:39:28,931:DEBUG:filelock:Attempting to release lock 281472754417232 on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:39:28,931:DEBUG:filelock:Lock 281472754417232 released on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:39:28,963:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-10-18 07:39:29,158:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "GET /v1/zones/example.com HTTP/1.1" 200 None
2023-10-18 07:39:29,167:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-10-18 07:39:29,489:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "GET /v1/zones/example.com/_acme-challenge.sdom2.sdom1.example.com/TXT HTTP/1.1" 404 None
2023-10-18 07:39:29,494:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-10-18 07:39:30,927:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "PUT /v1/zones/example.com/_acme-challenge.sdom2.sdom1.example.com/TXT HTTP/1.1" 200 None
2023-10-18 07:39:30,935:DEBUG:lexicon._private.providers.nsone:create_record: True
2023-10-18 07:39:30,937:DEBUG:certbot._internal.display.obj:Notifying user: Waiting 30 seconds for DNS changes to propagate
2023-10-18 07:40:01,043:DEBUG:acme.client:JWS payload:
b'{}'
2023-10-18 07:40:01,053:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8932347964/dGWRGA:
{
  "protected": "**REDACTED**",
  "signature": "**REDACTED**",
  "payload": "**REDACTED**"
}
2023-10-18 07:40:01,087:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/8932347964/dGWRGA HTTP/1.1" 200 192
2023-10-18 07:40:01,088:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 18 Oct 2023 13:40:01 GMT
Content-Type: application/json
Content-Length: 192
Connection: keep-alive
Boulder-Requester: 122290654
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8932347964>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8932347964/dGWRGA
Replay-Nonce: Oaj3whhZ8Ssq_2-RPR5zlRtVlvWYbk9ZHnTZpMpDhQdTwR2xseU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8932347964/dGWRGA",
  "token": "**REDACTED**"
}
2023-10-18 07:40:01,088:DEBUG:acme.client:Storing nonce: Oaj3whhZ8Ssq_2-RPR5zlRtVlvWYbk9ZHnTZpMpDhQdTwR2xseU
2023-10-18 07:40:01,089:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-10-18 07:40:02,164:DEBUG:acme.client:JWS payload:
b''
2023-10-18 07:40:02,170:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8932347964:
{
  "protected": "**REDACTED**",
  "signature": "**REDACTED**",
  "payload": ""
}
2023-10-18 07:40:02,198:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/8932347964 HTTP/1.1" 200 702
2023-10-18 07:40:02,199:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 18 Oct 2023 13:40:02 GMT
Content-Type: application/json
Content-Length: 702
Connection: keep-alive
Boulder-Requester: 122290654
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: HzmSNKzxYtXgw5apkSdOVG-4hMCwNTmpdUJWKnLN0oAmO0f7GtI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "sdom2.sdom1.example.com"
  },
  "status": "invalid",
  "expires": "2023-10-25T13:39:28Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"kXxnND0BtsCyCYvmwutceeaMhh5EP4L1KqUrf0d4lM0\" found at _acme-challenge.sdom2.sdom1.example.com",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8932347964/dGWRGA",
      "token": "0tDWOAcULwgKl6q1O-C_bK5lz5z6CdlTjNal14ZJHTA",
      "validated": "2023-10-18T13:40:01Z"
    }
  ],
  "wildcard": true
}
2023-10-18 07:40:02,199:DEBUG:acme.client:Storing nonce: HzmSNKzxYtXgw5apkSdOVG-4hMCwNTmpdUJWKnLN0oAmO0f7GtI
2023-10-18 07:40:02,200:INFO:certbot._internal.auth_handler:Challenge failed for domain sdom2.sdom1.example.com
2023-10-18 07:40:02,200:INFO:certbot._internal.auth_handler:dns-01 challenge for sdom2.sdom1.example.com
2023-10-18 07:40:02,200:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: dns-nsone). The Certificate Authority reported these problems:
  Domain: sdom2.sdom1.example.com
  Type:   unauthorized
  Detail: Incorrect TXT record "kXxnND0BtsCyCYvmwutceeaMhh5EP4L1KqUrf0d4lM0" found at _acme-challenge.sdom2.sdom1.example.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-nsone. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-nsone-propagation-seconds (currently 30 seconds).

2023-10-18 07:40:02,206:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-10-18 07:40:02,206:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-10-18 07:40:02,206:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-10-18 07:40:02,243:DEBUG:filelock:Attempting to acquire lock 281472746382720 on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:40:02,243:DEBUG:filelock:Lock 281472746382720 acquired on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:40:02,244:DEBUG:filelock:Attempting to release lock 281472746382720 on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:40:02,245:DEBUG:filelock:Lock 281472746382720 released on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:40:02,268:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-10-18 07:40:02,509:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "GET /v1/zones/example.com HTTP/1.1" 200 None
2023-10-18 07:40:02,543:DEBUG:filelock:Attempting to acquire lock 281472747028144 on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:40:02,543:DEBUG:filelock:Lock 281472747028144 acquired on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:40:02,543:DEBUG:filelock:Attempting to release lock 281472747028144 on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:40:02,543:DEBUG:filelock:Lock 281472747028144 released on /home/ubuntu/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-10-18 07:40:02,568:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-10-18 07:40:02,737:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "GET /v1/zones/example.com HTTP/1.1" 200 None
2023-10-18 07:40:02,743:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-10-18 07:40:02,923:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "GET /v1/zones/example.com/_acme-challenge.sdom2.sdom1.example.com/TXT HTTP/1.1" 200 None
2023-10-18 07:40:02,929:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-10-18 07:40:03,129:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "DELETE /v1/zones/example.com/_acme-challenge.sdom2.sdom1.example.com/TXT HTTP/1.1" 200 3
2023-10-18 07:40:03,133:DEBUG:lexicon._private.providers.nsone:delete_record: True
2023-10-18 07:40:03,134:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/3391/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/_internal/main.py", line 1873, in main
    return config.func(config, plugins)
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/_internal/main.py", line 1600, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/3391/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-10-18 07:40:03,142:ERROR:certbot._internal.log:Some challenges have failed.

[djcoster]

I have tied to look into where this got changed in the hope of providing some help to fix it, but could not figure out what changed exactly. It appears to be the change in install_requires from 'dns-lexicon>=3.2.1', to 'dns-lexicon>=3.14.1',. I just can't tell. Even though there is version newer dns_lexicon-3.16.0 version, the install appears to only have and use 3.14.1 and I could not find a way to force a newer version in order to see if that would fix the issue.

From this page user guide, I attempted setting export LEXICON_DELEGATED=**my_sub_domain** and then ran the certbot command and this makes it work. Telling me that this must be inside that package and not directly in the DNS plugins.

[djcoster]

Here is a snippet from an old log file where you can see what it did when it used to work.

2023-08-30 04:08:03,192:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-08-30 04:08:03,340:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "GET /v1/zone/sdom2.sdom1.example.com HTTP/1.1" 404 None
2023-08-30 04:08:03,343:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-08-30 04:08:09,565:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "GET /v1/zones/sdom1.example.com HTTP/1.1" 200 None
2023-08-30 04:08:09,569:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-08-30 04:08:09,718:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "GET /v1/zones/sdom1.example.com/_acme-challenge.sdom2.sdom1.example.com/TXT HTTP/1.1" 404 None
2023-08-30 04:08:09,721:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.nsone.net:443
2023-08-30 04:08:11,148:DEBUG:urllib3.connectionpool:https://api.nsone.net:443 "PUT /v1/zones/sdom1.example.com/_acme-challenge.sdom2.sdom1.example.com/TXT HTTP/1.1" 200 None
2023-08-30 04:08:11,150:DEBUG:lexicon.providers.nsone:create_record: True

[npodbielski]

I had similar problem today "Unexpected error determining zone identifier for xxx.com"
Which is kinda strange because it was working for few months previously without issues.
I did upgrade Docker image I was using but still an issue.

I checked OVH panel and I had some errors there: 'Failed to adopt zone: xxx.com/IN: xxx.con/MX invalid CNAME' or something.

I corrected those and now I have following problem:

swag  | Requesting a certificate for xxx.com and *.xxx.com
swag  | Error adding TXT record: Expecting value: line 1 column 1 (char 0)
swag  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
swag  | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/ovh.ini file.

I was unable to figure out what is wrong but it seems either OVH changed something or there is a bug in plugin.
Right now i moved to http validation (only one subdomain) but it would be nice to have DNS which is much more flexible.

[ppascher]

Not sure if this is the right issue but I get the same error as @npodbielski trying to renew a domain plus one subdomain. This is with certbot version 2.6.0 from EPEL. Log shows the following:

2023-10-25 07:18:12,864:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-10-25 07:18:12,864:INFO:certbot._internal.auth_handler:dns-01 challenge for mydomain.com
2023-10-25 07:18:12,868:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): eu.api.ovh.com:443
2023-10-25 07:18:12,972:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/auth/time HTTP/1.1" 200 10
2023-10-25 07:18:13,015:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/domain/zone/ HTTP/1.1" 200 None
2023-10-25 07:18:13,083:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/domain/zone/mydomain.com/status HTTP/1.1" 200 None
2023-10-25 07:18:13,153:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/domain/zone/mydomain.com/record?fieldType=TXT&subDomain=_acme-challenge HTTP/1.1" 200 2
2023-10-25 07:18:13,154:DEBUG:lexicon.providers.ovh:list_records: []            
2023-10-25 07:18:13,299:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "POST /1.0/domain/zone/mydomain.com/record HTTP/1.1" 200 None
2023-10-25 07:18:13,435:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "POST /1.0/domain/zone/mydomain.com/refresh HTTP/1.1" 204 0
2023-10-25 07:18:13,438:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):                                              
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)                                          
  File "/usr/lib/python3.9/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)                   
  File "/usr/lib/python3.9/site-packages/certbot_dns_ovh/_internal/dns_ovh.py", line 60, in _perform
    self._get_ovh_client().add_txt_record(domain, validation_name, validation)  
  File "/usr/lib/python3.9/site-packages/certbot/plugins/dns_common_lexicon.py", line 50, in add_txt_record
    self.provider.create_record(rtype='TXT', name=record_name, content=record_content)
  File "/usr/lib/python3.9/site-packages/lexicon/providers/base.py", line 79, in create_record
    return self._create_record(rtype, name, content)                            
  File "/usr/lib/python3.9/site-packages/lexicon/providers/ovh.py", line 121, in _create_record
    self._post(f"/domain/zone/{domain}/refresh")                                
  File "/usr/lib/python3.9/site-packages/lexicon/providers/base.py", line 181, in _post
    return self._request("POST", url, data=data, query_params=query_params)     
  File "/usr/lib/python3.9/site-packages/lexicon/providers/ovh.py", line 252, in _request
    return result.json()                                                        
  File "/usr/lib/python3.9/site-packages/requests/models.py", line 900, in json 
    return complexjson.loads(self.text, **kwargs)                               
  File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads              
    return _default_decoder.decode(s)                                           
  File "/usr/lib64/python3.9/json/decoder.py", line 337, in decode              
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())                           
  File "/usr/lib64/python3.9/json/decoder.py", line 355, in raw_decode          
    raise JSONDecodeError("Expecting value", s, err.value) from None            
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)         
                                                                                
2023-10-25 07:18:13,438:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-10-25 07:18:13,438:INFO:certbot._internal.auth_handler:Cleaning up challenges

[bmw]

More and more reports of this have continued to come in with the most recent one being about DNSMadeEasy at #9818. We also have reports about this for NS1 above in this issue despite it initially being filed for OVH.

I personally found the cleaned up logs from #9818 to be particularly helpful. Why did the requested URLs change?

@adferrand, what's your schedule for doing free work on open source projects looking like for the next week or so? You're certainly more familiar with this stuff than me, but I can use some of my EFF time to start digging into this more deeply if that's at all desired.

[adferrand]

Hello @bmw, I have actually started to look at this issue last week, and I have some hypothesis. I will have some time this week to start fixing it, and the next week if needed.