[BUG] directadmin plugin: ValueError: too many values to unpack

[golles]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Since the 1st of April auto-renewal is failing for me (I just noticed today as I got an email from letsencrypt about my cert expiring within a week.

log/letsencrypt/letsencrypt.log.4.gz

<------------------------------------------------->
cronjob running on Sat Mar 30 02:08:00 CET 2024
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/redacted.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/redacted/fullchain.pem expires on 2024-04-30 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

log/letsencrypt/letsencrypt.log.3.gz

<------------------------------------------------->
cronjob running on Mon Apr  1 02:08:00 CEST 2024
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/redacted.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for redacted and *.redacted
Unsafe permissions on credentials configuration file: /config/dns-conf/directadmin.ini
Encountered exception during recovery: ValueError: too many values to unpack (expected 2)
Failed to renew certificate redacted with error: too many values to unpack (expected 2)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/redacted/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
<------------------------------------------------->

Manually attempt when attached to the container

root@fea77993fd66:/# certbot -v certonly --authenticator dns-directadmin --dns-directadmin-credentials /config/dns-conf/directadmin.ini --dns-directadmin-propagation-seconds 600 -d "redacted" -d "*.redacted"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-directadmin, Installer None
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for redacted and *.redacted
Performing the following challenges:
dns-01 challenge for redacted
dns-01 challenge for redacted
Unsafe permissions on credentials configuration file: /config/dns-conf/directadmin.ini
Cleaning up challenges
Encountered exception during recovery: ValueError: too many values to unpack (expected 2)
An unexpected error occurred:
ValueError: too many values to unpack (expected 2)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

• I've double checked my directadmin.ini is like https://github.com/linuxserver/docker-swag/blob/master/root/defaults/dns-conf/directadmin.ini
• I've double checked that my account has the mentioned permissions
• I've reverted to a swag 2.9.0-ls292 before 1st of April

Expected Behavior

No response

Steps To Reproduce

I'm not sure, it started to happen from the 1st of April, see letsencrypt logs

Environment

- OS: Ubuntu 22.04.4 LTS
- How docker service was installed:
https://docs.docker.com/engine/install/ubuntu/
sudo apt install docker-compose

CPU architecture

x86-64

Docker creation

swag:
    container_name: swag
    restart: unless-stopped
    image: linuxserver/swag:latest
    cap_add:
      - NET_ADMIN
    volumes:
      - ${DATA_DIR:?error}/swag:/config
    ports:
      - 80:80
      - 443:443
    environment:
      - EMAIL=redacted
      - URL=redacted
      - SUBDOMAINS=wildcard
      - ONLY_SUBDOMAINS=false
      - VALIDATION=dns
      - DNSPLUGIN=directadmin
      - PROPAGATION=600
      - STAGING=false
      - DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind
      - MAXMINDDB_LICENSE_KEY=redacted
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Amsterdam

Container logs

Attaching to swag
�[36mswag                  |�[0m [mod-init] Running Docker Modification Logic
�[36mswag                  |�[0m [mod-init] Adding linuxserver/mods:swag-dashboard to container
�[36mswag                  |�[0m [mod-init] Downloading linuxserver/mods:swag-dashboard from lscr.io
�[36mswag                  |�[0m [mod-init] Installing linuxserver/mods:swag-dashboard
�[36mswag                  |�[0m [mod-init] linuxserver/mods:swag-dashboard applied to container
�[36mswag                  |�[0m [mod-init] Adding linuxserver/mods:swag-maxmind to container
�[36mswag                  |�[0m [mod-init] Downloading linuxserver/mods:swag-maxmind from lscr.io
�[36mswag                  |�[0m [mod-init] Installing linuxserver/mods:swag-maxmind
�[36mswag                  |�[0m [mod-init] linuxserver/mods:swag-maxmind applied to container
�[36mswag                  |�[0m [migrations] started
�[36mswag                  |�[0m [migrations] 01-nginx-site-confs-default: skipped
�[36mswag                  |�[0m [migrations] done
�[36mswag                  |�[0m ───────────────────────────────────────
�[36mswag                  |�[0m
�[36mswag                  |�[0m       ██╗     ███████╗██╗ ██████╗
�[36mswag                  |�[0m       ██║     ██╔════╝██║██╔═══██╗
�[36mswag                  |�[0m       ██║     ███████╗██║██║   ██║
�[36mswag                  |�[0m       ██║     ╚════██║██║██║   ██║
�[36mswag                  |�[0m       ███████╗███████║██║╚██████╔╝
�[36mswag                  |�[0m       ╚══════╝╚══════╝╚═╝ ╚═════╝
�[36mswag                  |�[0m
�[36mswag                  |�[0m    Brought to you by linuxserver.io
�[36mswag                  |�[0m ───────────────────────────────────────
�[36mswag                  |�[0m
�[36mswag                  |�[0m To support the app dev(s) visit:
�[36mswag                  |�[0m Certbot: https://supporters.eff.org/donate/support-work-on-certbot
�[36mswag                  |�[0m
�[36mswag                  |�[0m To support LSIO projects visit:
�[36mswag                  |�[0m https://www.linuxserver.io/donate/
�[36mswag                  |�[0m
�[36mswag                  |�[0m ───────────────────────────────────────
�[36mswag                  |�[0m GID/UID
�[36mswag                  |�[0m ───────────────────────────────────────
�[36mswag                  |�[0m
�[36mswag                  |�[0m User UID:    1000
�[36mswag                  |�[0m User GID:    1000
�[36mswag                  |�[0m ───────────────────────────────────────
�[36mswag                  |�[0m
�[36mswag                  |�[0m using keys found in /config/keys
�[36mswag                  |�[0m Variables set:
�[36mswag                  |�[0m PUID=1000
�[36mswag                  |�[0m PGID=1000
�[36mswag                  |�[0m TZ=Europe/Amsterdam
�[36mswag                  |�[0m URL=redacted
�[36mswag                  |�[0m SUBDOMAINS=wildcard
�[36mswag                  |�[0m EXTRA_DOMAINS=
�[36mswag                  |�[0m ONLY_SUBDOMAINS=false
�[36mswag                  |�[0m VALIDATION=dns
�[36mswag                  |�[0m CERTPROVIDER=
�[36mswag                  |�[0m DNSPLUGIN=directadmin
�[36mswag                  |�[0m EMAIL=redacted
�[36mswag                  |�[0m STAGING=false
�[36mswag                  |�[0m
�[36mswag                  |�[0m Using Let's Encrypt as the cert provider
�[36mswag                  |�[0m SUBDOMAINS entered, processing
�[36mswag                  |�[0m Wildcard cert for redacted will be requested
�[36mswag                  |�[0m E-mail address entered: redacted
�[36mswag                  |�[0m dns validation via directadmin plugin is selected
�[36mswag                  |�[0m Certificate exists; parameters unchanged; starting nginx
�[36mswag                  |�[0m The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
�[36mswag                  |�[0m **** Applying the SWAG dashboard mod... ****
�[36mswag                  |�[0m **** Adding goaccess to package install list ****
�[36mswag                  |�[0m **** adding libmaxminddb to package install list ****
�[36mswag                  |�[0m **** libmaxminddb already installed, skipping ****
�[36mswag                  |�[0m **** Applied the SWAG dashboard mod ****
�[36mswag                  |�[0m [pkg-install-init] **** Installing all mod packages ****
�[36mswag                  |�[0m fetch http://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
�[36mswag                  |�[0m fetch http://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
�[36mswag                  |�[0m (1/2) Installing goaccess (1.8.1-r0)
�[36mswag                  |�[0m (2/2) Installing libmaxminddb (1.7.1-r2)
�[36mswag                  |�[0m Executing busybox-1.36.1-r15.trigger
�[36mswag                  |�[0m OK: 202 MiB in 218 packages
�[36mswag                  |�[0m Applying the maxmind mod...
�[36mswag                  |�[0m Applied the maxmind mod
�[36mswag                  |�[0m [custom-init] No custom files found, skipping...
�[36mswag                  |�[0m [ls.io-init] done.
�[36mswag                  |�[0m Server ready

[golles]

certbot-dns-directadmin version 1.0.4 causes this issue and might even be troublesome...
That version is defined here: https://github.com/linuxserver/docker-swag/blob/master/package_versions.txt#L46

The release isn't listed (or has been removed) on the Github repo: https://github.com/cybercinch/certbot-dns-directadmin/releases
1.0.5 and 1.0.6 are released on the same day (see also: https://pypi.org/project/certbot-dns-directadmin/#history)

When attached to the container, I rolled back to version 1.0.3 with pip install -Iv certbot-dns-directadmin==1.0.3 (verified with pip list)

root@68b824a22913:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/redacted.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for redacted and *.redacted
Waiting 600 seconds for DNS changes to propagate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/redacted/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

🎉🎉🎉

[golles]

Version 1.0.6 I can't install like this, it causes version conflicts

[aptalca]

Either the maintainer messed up the requirements or pip is having another issue:
https://ci.linuxserver.io/blue/organizations/jenkins/Docker-Pipeline-Builders%2Fdocker-swag/detail/master/720/pipeline/140#step-151-log-411

#10 41.16 INFO: pip is looking at multiple versions of certbot-dns-directadmin to determine which version is compatible with other requirements. This could take a while.
#10 41.16 Collecting certbot-dns-directadmin
#10 41.19   Downloading certbot_dns_directadmin-1.0.5-py3-none-any.whl.metadata (1.7 kB)
#10 41.21   Downloading certbot_dns_directadmin-1.0.4-py2.py3-none-any.whl.metadata (2.1 kB)

[thespad]

So, 1.0.4 doesn't exist... https://github.com/cybercinch/certbot-dns-directadmin/releases
1.0.9 is the latest release...
But 1.0.6 is the latest on pypi https://pypi.org/project/certbot-dns-directadmin/

[thespad]

Oh, he's using that stupid semantic-release bot that generates a new release for literally everything cybercinch/certbot-dns-directadmin@v1.0.8...v1.0.9

[aptalca]

1.0.6 requires an old version of acme and therefore certbot

Collecting certbot-dns-directadmin==1.0.6
  Using cached certbot_dns_directadmin-1.0.6-py3-none-any.whl.metadata (1.7 kB)
Collecting acme<2.0.0,>=1.32.0 (from certbot-dns-directadmin==1.0.6)
  Using cached acme-1.32.0-py3-none-any.whl.metadata (1.4 kB)
Collecting certbot<2.0.0,>=1.8.0 (from certbot-dns-directadmin==1.0.6)
  Using cached certbot-1.32.0-py3-none-any.whl.metadata (9.7 kB)

Current acme and certbot versions are 2.10.0

[golles]

Yes indeed

ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
certbot-dns-rfc2136 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-rfc2136 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-dnsimple 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-dnsimple 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-aliyun 2.0.0 requires acme>=2.0.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-aliyun 2.0.0 requires certbot>=2.0.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-google 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-google 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-cloudflare 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-cloudflare 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-godaddy 2.8.0 requires certbot>=2.8.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-gehirn 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-gehirn 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-dnsmadeeasy 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-dnsmadeeasy 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-luadns 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-luadns 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-ovh 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-ovh 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-linode 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-linode 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-nsone 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-nsone 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-sakuracloud 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-sakuracloud 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-hetzner 2.0.0 requires certbot>=2.0.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-ionos 2024.1.8 requires certbot>=2.0.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-standalone 1.1 requires certbot>=2.1.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-digitalocean 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-digitalocean 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-dynudns 0.0.6 requires acme>=2.0.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-dynudns 0.0.6 requires certbot>=2.0.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-route53 2.10.0 requires acme>=2.10.0, but you have acme 1.32.0 which is incompatible.
certbot-dns-route53 2.10.0 requires certbot>=2.10.0, but you have certbot 1.32.0 which is incompatible.
certbot-dns-azure 2.5.0 requires certbot<3.0,>=2.0, but you have certbot 1.32.0 which is incompatible.

[aptalca]

After seeing all that, I'm tempted to remove the plugin altogether. Don't want to risk it breaking other stuff.

[thespad]

Even in the latest release the requirement is still 1.8.0-2.0 https://github.com/cybercinch/certbot-dns-directadmin/blob/v1.0.9/pyproject.toml#L10C1-L10C19

[golles]

Would a downgrade to 1.0.3 be a temporary option? This seems to work fine.

What would be required to get that plugin in a better state? When I check it out in a codespace and change the versions to:

certbot = "^2.10.0"
acme = "^2.10.0"

The tests pass (haven't checked anything else)

[thespad]

1.0.3 seems to be from before they switched to Poetry, where the requirement was just >=1.8.0 https://github.com/cybercinch/certbot-dns-directadmin/blob/1.0.3/setup.py#L35-L37

[golles]

I've migrated my DNS settings to Cloudflare, so I no longer rely on the DirectAdmin plugin

[LinuxServer-CI]

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.