You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
Go on the Gandi.net platform, regenerate/rotate the Gandi API Key;
Do not update the configuration on the server that uses certbot;
Attempt to renew the certificate(s) with: certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
Following error message shows up (possibly per email too if you have it configured accordingly): Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io";
Inspection of logs under /var/log/letsencrypt/letsencrypt.log shows that really it is about authentification, see HTTP Status Code 401:
2022-01-03 20:59:39,583:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:39,820:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/x.y.io HTTP/1.1" 401 264
2022-01-03 20:59:39,847:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,085:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.io HTTP/1.1" 401 264
2022-01-03 20:59:40,111:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,361:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,377:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for"x.y.io"
2022-01-03 20:59:40,392:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,630:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.z HTTP/1.1" 401 264
2022-01-03 20:59:40,655:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,896:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,911:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for"y.io"
2022-01-03 20:59:40,915:ERROR:certbot._internal.renewal:Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for"x.y.io"
SHOULD Behaviour
Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
Go on the Gandi.net platform, regenerate/rotate the Gandi API Key;
Do not update the configuration on the server that uses certbot;
Attempt to renew the certificate(s) with: certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
Following error message shows up (possibly per email too if you have it configured accordingly): Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: 401 Unauthorized (bad api key?);
Further inspection of the logs shows the error message from the Gandi.net API (format can be modfied, not necessary in JSON format):
{"object": "HTTPUnauthorized", "cause": "Unauthorized", "code": 401, "message": "The server could not verify that you authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad api key), or your access token has expired"}
Furthermore, the Wiki page of the plugin may also document common errors and remediations in a Troubleshooting page.
The Wiki page may be replaced by a TROUBLESHOOTING.md or COMMON_ERRORS.md file committed with the code.
Thank you for the plugin and your time.
The text was updated successfully, but these errors were encountered:
Summary
Error messages could be more detailed in order to help system administrators quickly resolve issues.
See also this short documentation I wrote about this subject: https://github.com/Leading-Works-SaRL/certbot-plugin-gandi/wiki/Troubleshooting
Reproducible steps
Gandi.net,certbot, andcertbot-plugin-gandiso that the generation of a letsencrypt certificate works;Gandi.netplatform, regenerate/rotate the Gandi API Key;certbot;certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io";/var/log/letsencrypt/letsencrypt.logshows that really it is about authentification, see HTTP Status Code 401:SHOULD Behaviour
Gandi.net,certbot, andcertbot-plugin-gandiso that the generation of a letsencrypt certificate works;Gandi.netplatform, regenerate/rotate the Gandi API Key;certbot;certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: 401 Unauthorized (bad api key?);{"object": "HTTPUnauthorized", "cause": "Unauthorized", "code": 401, "message": "The server could not verify that you authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad api key), or your access token has expired"}Furthermore, the Wiki page of the plugin may also document common errors and remediations in a Troubleshooting page.
The Wiki page may be replaced by a TROUBLESHOOTING.md or COMMON_ERRORS.md file committed with the code.
Thank you for the plugin and your time.
The text was updated successfully, but these errors were encountered: