Fix issue caused by certbot-dns-godaddy version #3165

Open: chenxingyu-cs wants to merge 1 commit into base: develop

@chenxingyu-cs chenxingyu-cs commented Aug 29, 2023

Updated the version for certbot-dns-godaddy to 2.6.0

Fix #3159 and #3103

Got the idea from #3147 but that put the file in a wrong place

@nginxproxymanagerci

Docker Image for build 1 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-3165

Note: ensure you backup your NPM instance before testing this PR image! Especially if this PR contains database changes.

@stefanwerner87

@chenxingyu-cs I tested your image, but somehow it is still not working for me with GoDaddy. I receive the following error (I removed my email and domain from the error message):

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-2" --agree-tos --email "..." --domains "..." --authenticator dns-godaddy --dns-godaddy-credentials "/etc/letsencrypt/credentials/credentials-2"
Traceback (most recent call last):
File "/usr/bin/certbot", line 5, in
from certbot.main import main
File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 6, in
from certbot._internal import main as internal_main
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 21, in
import josepy as jose
File "/opt/certbot/lib/python3.7/site-packages/josepy/init.py", line 40, in
from josepy.json_util import (
File "/opt/certbot/lib/python3.7/site-packages/josepy/json_util.py", line 14, in
from OpenSSL import crypto
File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/init.py", line 8, in
from OpenSSL import crypto, SSL
File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1517, in
class X509StoreFlags(object):
File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1537, in X509StoreFlags
CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

@wolviex
Contributor

wolviex commented Aug 30, 2023

pyOpenSSL < 22.0.0 seems to be incompatible since they hadn't pinned the cryptography package. Since the latest cryptography package was installed in versions prior to 22.0.0, they simply break. (josepy only requires ">=0.13")
Corresponding GitHub issue: pyca/pyopenssl#1143

Unfortunately these are stacked dependencies and beyond the scope of an NPM issue.

Workarounds include the following:

  1. from npm main branch, downgrade acme:
    /opt/certbot/bin/pip install acme==1.32.0
  2. from this PR, upgrade pyopenssl:
    /opt/certbot/bin/pip install --upgrade pyopenssl

Since the issue doesn't appear to be NPM specific, and has more to do with the dependency chain from certbot-dns-godaddy -> certbot -> josepy -> pyopenssl -> cryptography, I'm not sure if it makes sense to merge this PR without further research.
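
The failure mode described in the comment above, a lower-bound-only requirement letting a newer transitive package in, can be checked mechanically. This is an added example, not code from this PR or the project; the function names are hypothetical and the requirement strings are constructed samples, except josepy's `pyopenssl>=0.13`, which is quoted from the comment.

```python
import re

# Constructed sample of per-package requirement lists for the chain named in
# the thread. Only josepy's "pyopenssl>=0.13" is quoted from the comment; every
# other specifier is made up for illustration, not the packages' real metadata.
SAMPLE_REQUIRES = {
    "certbot-dns-godaddy": ["certbot>=1.0"],
    "certbot": ["josepy>=1.0,<2"],
    "josepy": ["pyopenssl>=0.13"],
    "pyopenssl": ["cryptography (>=3.0) ; python_version >= '3.6'"],
    "cryptography": [],
}

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")

def parse_requirement(req):
    """Split 'Name[extra] (>=1,<2) ; marker' into (normalized name, specifier)."""
    match = _REQ.match(req.split(";", 1)[0])
    if not match:
        raise ValueError(f"unparseable requirement: {req!r}")
    name = re.sub(r"[-_.]+", "-", match.group(1)).lower()
    return name, match.group(3).strip().strip("()").strip()

def has_upper_bound(spec):
    """True if any clause caps the version: <, <=, ==, === or ~=."""
    clauses = (c.strip() for c in spec.split(","))
    return any(c.startswith(("<", "==", "~=")) for c in clauses)

def unbounded_edges(root, requires):
    """Walk the dependency chain from root and return every
    (parent, child, specifier) edge whose specifier has no upper bound."""
    findings, seen, stack = [], set(), [root]
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        for req in requires.get(pkg, []):
            child, spec = parse_requirement(req)
            if not has_upper_bound(spec):
                findings.append((pkg, child, spec or "(any version)"))
            stack.append(child)
    return findings

if __name__ == "__main__":
    for parent, child, spec in unbounded_edges("certbot-dns-godaddy", SAMPLE_REQUIRES):
        print(f"{parent} -> {child} {spec}: a new {child} release is picked up unreviewed")
```

To run it against a real environment, build the mapping from `importlib.metadata.requires(name)` (Python 3.8+) using that environment's interpreter.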

@GentleHoneyLover

I can confirm that the workaround by @wolviex with upgrading pyopenssl package works on the jc21/nginx-proxy-manager:github-pr-3165 image.

Thanks!

@jc21
Member

jc21 commented Aug 31, 2023

I'm not a Python guy; in fact, this dependency hell is one of the reasons it leaves a bad taste in my mouth.

That said, in your opinions, would it be worth adding those pip install/upgrade steps into the entire build? Will that have adverse effects on other certbot plugins?

@wolviex
Contributor

wolviex commented Sep 1, 2023

Dependency Hell indeed. Though TBF that's not unique to python ;)

There's a couple plugin conflicts in certbot-dns-plugins.js preventing from moving forward to 2.6.0, so I don't think you can push the certbot-dns-godaddy, regardless of the pyopenssl.

One where the version requirement is tied to the certbot version, but there is no v 2.6.0 for the plugin:
No matching distribution found for certbot-dns-cloudxns==2.6.0

One where it needs the older version of certbot:
certbot-dns-oci 0.3.6 depends on certbot<=1.15.0

And one that doesn't exist on pypi anymore ;)
No matching distribution found for certbot-dns-online~=0.0.8

When I get some time I'll do a dependency check with the acme downgrade, and see how that goes.

@AlmightyJojo

GoDaddy DNS. No issue on 2.10.3. Issue on 2.10.4.
Can also confirm the fix for the GoDaddy DNS challenge:

jc21/nginx-proxy-manager:github-pr-3165
/opt/certbot/bin/pip install --upgrade pyopenssl


Unrelated observation of 2.10.4:
Previous versions had ssl-ciphers.conf residing in /etc/nginx/conf.d/include
In 2.10.3 (forget if it changed after 2.9.x) it moved up a directory to /etc/nginx/conf.d/
In 2.10.4 it is back to /etc/nginx/conf.d/include

@belmont

belmont commented Dec 3, 2023

No fix for GoDaddy, please make it work. I tested latest and also image 'jc21/nginx-proxy-manager:github-pr-3165';
none are working, but once I applied the following inside the container to pr-3165 it worked for GoDaddy:

Here is the fix:

cd /opt/certbot
/opt/certbot/bin/pip install certbot==2.6.0
/opt/certbot/bin/pip install -U certbot-dns-godaddy
. /opt/certbot/bin/activate && pip install --upgrade pyopenssl

and here is the error before the fix on jc21/nginx-proxy-manager:github-pr-3165

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-5" --agree-tos --email "XXXXXXXXXXXX" --domains "YYYYYYYY" --authenticator dns-godaddy --dns-godaddy-credentials "/etc/letsencrypt/credentials/credentials-5"
Traceback (most recent call last):
File "/usr/bin/certbot", line 5, in
from certbot.main import main
File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 6, in
from certbot._internal import main as internal_main
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 21, in
import josepy as jose
File "/opt/certbot/lib/python3.7/site-packages/josepy/init.py", line 40, in
from josepy.json_util import (
File "/opt/certbot/lib/python3.7/site-packages/josepy/json_util.py", line 14, in
from OpenSSL import crypto
File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/init.py", line 8, in
from OpenSSL import crypto, SSL
File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1517, in
class X509StoreFlags(object):
File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1537, in X509StoreFlags
CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

@mawarnes

SSL cert renewal for GoDaddy DNS is broken in c21/nginx-proxy-manager:2.10.4.
I pulled down the docker image jc21/nginx-proxy-manager:github-pr-3165,
connected to the container, and ran /opt/certbot/bin/pip install --upgrade pyopenssl
I can confirm that SSL cert renewal works for GoDaddy DNS.

Many thanks

@jc21
Member

jc21 commented Jan 18, 2024

I've made significant changes to the project's dependencies. Of note:

  • using latest debian distro
  • python v3.11
  • certbot v2.8.0

I've also changed the godaddy plugin version to be the same as certbot version, 2.8.0. Everything installs fine, so it's up to you guys to let me know if it's working as expected.

Try the github-develop docker tag, make sure you back up your data folders first.

@chenxingyu-cs, should you need additional python packages installed at the same time as the godaddy plugin, add to the dependencies value in global/certbot-dns-plugins.json:182. As an example:

//...
"dependencies": "pyopenssl~=23.3.0",
//...

Successfully merging this pull request may close these issues.

FIX: Operating system switch resolves DNS challenge errors