Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Internal Error with netcup and DNS Challenge #1706

Open
TWART016 opened this issue Dec 30, 2021 · 14 comments
Open

Internal Error with netcup and DNS Challenge #1706

TWART016 opened this issue Dec 30, 2021 · 14 comments
Labels
bug

Comments

@TWART016
Copy link

TWART016 commented Dec 30, 2021
edited
Loading

Describe the bug
I want to access my internal password management (vaultwarden) with NPM. Therefore I created in Netcup an A-Record with Destination my internal IP 192.168.178.15. Also I added a TXT entry with Destination: pw-local.MYDOMAIN.

In NPM I created a proxy host and Forward to my password management. In SSL I want to create a certificate with Use a DNS Challenge. I selected netcup as the provider and set dns_netcup_customer_id , dns_netcup_api_key and dns_netcup_api_password. After save I get a Internal Error Message.

In Docker Logs I see

[12/30/2021] [4:20:50 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-47" --agree-tos --email "MY-EMAIL" --domains "pw-local.MYDOMAIN" --authenticator dns-netcup --dns-netcup-credentials "/etc/letsencrypt/credentials/credentials-47"

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Inside letsencrypt.log:
"Incorrect TXT record \"pw-local.mydomain.de\" found at _acme-challenge.pw-local.mydomain.de",

Nginx Proxy Manager Version
2.9.13

Operating System
Ubuntu 18.04.4 LTS (Bionic Beaver) with Docker

Edit: If I add the domain to an other proxy host in NGINX the website can be opend but of couse with an certificate error.
Without a certificate it is not possible to access the website.
@TWART016 TWART016 added the bug label Dec 30, 2021
@chaptergy
Copy link
Collaborator

What do the certbot logs say? (see #1271 (comment))

@TWART016
Copy link
Author

Do you mean the log from /var/log/letsencrypt/letsencrypt.log ?

@chaptergy
Copy link
Collaborator

Yes.

@TWART016
Copy link
Author

Here is the log

2021-12-30 19:11:59,904:DEBUG:certbot._internal.main:certbot version: 1.22.0
2021-12-30 19:11:59,905:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2021-12-30 19:11:59,905:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-54', '--agree-tos', '--email', 'MY-EMAIL', '--domains', 'pw-local.MYDOMAIN', '--authenticator', 'dns-netcup', '--dns-netcup-credentials', '/etc/letsencrypt/credentials/credentials-54']
2021-12-30 19:11:59,907:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-dns-netcup:dns-netcup,PluginEntryPoint#dns-netcup,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-30 19:11:59,944:DEBUG:certbot._internal.log:Root logging level set at 30
2021-12-30 19:11:59,946:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-netcup and installer None
2021-12-30 19:11:59,953:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-netcup
Description: Obtain certificates using a DNS TXT record (if you are using netcup for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-netcup = certbot_dns_netcup:Authenticator
Initialized: <certbot_dns_netcup.Authenticator object at 0x7faa6b035048>
Prep: True
2021-12-30 19:11:59,954:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_netcup.Authenticator object at 0x7faa6b035048> and installer None
2021-12-30 19:11:59,954:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-netcup, Installer None
2021-12-30 19:11:59,974:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/123184766', new_authzr_uri=None, terms_of_service=None), 76b38ddd92b11008964617588dcc1dde, Meta(creation_dt=datetime.datetime(2021, 5, 11, 23, 40, 9, tzinfo=<UTC>), creation_host='eb50e0a13986', register_to_eff=None))>
2021-12-30 19:11:59,975:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-12-30 19:11:59,979:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-12-30 19:12:00,480:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-12-30 19:12:00,481:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 30 Dec 2021 18:12:00 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "g3sn83eQ5X0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-12-30 19:12:00,482:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for pw-local.MYDOMAIN
2021-12-30 19:12:00,543:DEBUG:certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/1984_key-certbot.pem
2021-12-30 19:12:00,602:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/1984_csr-certbot.pem
2021-12-30 19:12:00,604:DEBUG:acme.client:Requesting fresh nonce
2021-12-30 19:12:00,604:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-12-30 19:12:00,754:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-12-30 19:12:00,755:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 30 Dec 2021 18:12:00 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001Ht8h3JrE16E4RqdHfYvZyyUrZRa9A1j0p6JfDPqi464
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-12-30 19:12:00,755:DEBUG:acme.client:Storing nonce: 0001Ht8h3JrE16E4RqdHfYvZyyUrZRa9A1j0p6JfDPqi464
2021-12-30 19:12:00,755:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "pw-local.MYDOMAIN"\n    }\n  ]\n}'
2021-12-30 19:12:00,758:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzMTg0NzY2IiwgIm5vbmNlIjogIjAwMDFIdDhoM0pyRTE2RTRScWRIZll2Wnl5VXJaUmE5QTFqMHA2SmZEUHFpNDY0IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "K2gfmAqUuq25cIMqmmUs15HiuuViJDt8zZ3079hSfDRFpPKTWQ-AKoRbCD8qOsJeA6VARfW4pH1YCaqUMBuiYY6AEWuCdVRUUL7gqxLQPS339kv_-DdTWGfoB_W6NM5evdusInT9kOSdYxN6j2xDMybCyrT1xvX-LIxZHGXSp93i_rIoCXNuZWrHe5n_N9ByFa47L-K-GgdVENtc9yaKis7m7YhGLMoTQqOVQnICD_r2bLh_ScCk6-h0gvZO3XALvyU8uT-MgazLBLHW3Ufea6LHfl1PLZzrOLcGckHKy7NxVg0uwWaExv-o46URjYmWtOQRAoSmzhNoprkx3N2EFw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInB3LWxvY2FsLnR3aG9tZS5kZSIKICAgIH0KICBdCn0"
}
2021-12-30 19:12:00,937:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 341
2021-12-30 19:12:00,938:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 30 Dec 2021 18:12:00 GMT
Content-Type: application/json
Content-Length: 341
Connection: keep-alive
Boulder-Requester: 123184766
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/123184766/51365826560
Replay-Nonce: 0001kC4klKwPnSpGxE5ADgF0mwX88ezFoYSifxnK18xckyA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-01-06T18:12:00Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "pw-local.MYDOMAIN"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/63454505270"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/123184766/51365826560"
}
2021-12-30 19:12:00,938:DEBUG:acme.client:Storing nonce: 0001kC4klKwPnSpGxE5ADgF0mwX88ezFoYSifxnK18xckyA
2021-12-30 19:12:00,939:DEBUG:acme.client:JWS payload:
b''
2021-12-30 19:12:00,941:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/63454505270:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzMTg0NzY2IiwgIm5vbmNlIjogIjAwMDFrQzRrbEt3UG5TcEd4RTVBRGdGMG13WDg4ZXpGb1lTaWZ4bksxOHhja3lBIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MzQ1NDUwNTI3MCJ9",
  "signature": "IG52_OrewDE_vgi5V36TqttJz55NJIjfeTfINNM00iYQGGWnIklhiIp29rPjUGGbau2a3Orcq9-0SlsyTFXkTa7VXdlxBsRflLXgcUS0ot9RKg3xPoINm4uZzVsV1Egl2RWORYHZIIx_5Ho-9P1kuveoJXt5CgEaT_tNlYcmHYHSiyL91njiwCGpjGeGKGvbZXU09rfpDIDVYtrZFYKLjvbjovAdvuQR2CE72qRPJk6suK4PLMxKZVfubon-XNYSGjY1aP9bsJb1cLTgWpVW8h4tF1dexF8mGRe1E4UDhQKECP-vga63ZOc5GFGijdkqRQi8ss9useCVEGWaUbxEkw",
  "payload": ""
}
2021-12-30 19:12:01,095:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/63454505270 HTTP/1.1" 200 799
2021-12-30 19:12:01,096:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 30 Dec 2021 18:12:01 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 123184766
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001dlK6kFYCSIfS-CZSp6k-JeqmzF7LXQouCrBwSD27SuM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "pw-local.MYDOMAIN"
  },
  "status": "pending",
  "expires": "2022-01-06T18:12:00Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/IJpq3A",
      "token": "PnQ-9yfbSFqqlB7l554FX6c42_Gp6-kwVZRakCgd8gs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/OVgjzg",
      "token": "PnQ-9yfbSFqqlB7l554FX6c42_Gp6-kwVZRakCgd8gs"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/TeXa2Q",
      "token": "PnQ-9yfbSFqqlB7l554FX6c42_Gp6-kwVZRakCgd8gs"
    }
  ]
}
2021-12-30 19:12:01,096:DEBUG:acme.client:Storing nonce: 0001dlK6kFYCSIfS-CZSp6k-JeqmzF7LXQouCrBwSD27SuM
2021-12-30 19:12:01,097:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-12-30 19:12:01,098:INFO:certbot._internal.auth_handler:dns-01 challenge for pw-local.MYDOMAIN
2021-12-30 19:12:01,100:DEBUG:lexicon.providers.netcup:login({})
2021-12-30 19:12:01,103:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,215:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 228
2021-12-30 19:12:01,219:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'pw-local.MYDOMAIN'})
2021-12-30 19:12:01,222:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,328:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 188
2021-12-30 19:12:01,331:DEBUG:lexicon.providers.netcup:login({})
2021-12-30 19:12:01,333:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,455:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 228
2021-12-30 19:12:01,458:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'MYDOMAIN'})
2021-12-30 19:12:01,462:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,619:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 231
2021-12-30 19:12:01,621:DEBUG:lexicon.providers.netcup:infoDnsRecords({'domainname': 'MYDOMAIN'})
2021-12-30 19:12:01,626:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,775:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 556
2021-12-30 19:12:01,778:DEBUG:lexicon.providers.netcup:list_records: []
2021-12-30 19:12:01,778:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'MYDOMAIN', 'dnsrecordset': {'dnsrecords': [{'type': 'TXT', 'hostname': '_acme-challenge.pw-local', 'destination': '2NBiB4cFU1DhLuTbcruAEusKe0rQiUxSHbrA5FmA2no'}]}})
2021-12-30 19:12:01,781:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:01,963:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 630
2021-12-30 19:12:01,967:DEBUG:lexicon.providers.netcup:create_record: True
2021-12-30 19:12:01,968:DEBUG:certbot._internal.display.obj:Notifying user: Waiting 10 seconds for DNS changes to propagate
2021-12-30 19:12:11,975:DEBUG:acme.client:JWS payload:
b'{}'
2021-12-30 19:12:11,978:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/OVgjzg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzMTg0NzY2IiwgIm5vbmNlIjogIjAwMDFkbEs2a0ZZQ1NJZlMtQ1pTcDZrLUplcW16RjdMWFFvdUNyQndTRDI3U3VNIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My82MzQ1NDUwNTI3MC9PVmdqemcifQ",
  "signature": "SKOK8Q9OVA5QFJvF7MUcwLRQ2W8ROqvO4TNDj-dmMVMmTUQR9eVIyIbfsTnv0JnPkKYifxKoq0Uhj2zR1oyzzX9W1SJamZKm42JL-PzbIl74XZuuIh6lUr2Kfp59u0AlCG7SmzOgjfaX_v8JiTzo2JO3WAQds95VK6ubRB04Qc0NLFRazAqmZ8VZ0Rszb1-fnCMPjWeh75FdVlB4J94zltGBHy2AyJeNr9ejNRJ7iSQu-7ezpq3ksZH2SyDLtxr-pgK-jIg-058PsEVY_rAPb2FXcfPS7jIB83OV3nKjHc8J69Y1IacTprFjZ05JoKEPGEUyQ46YSC5oflGIqu_6eg",
  "payload": "e30"
}
2021-12-30 19:12:12,140:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/63454505270/OVgjzg HTTP/1.1" 200 185
2021-12-30 19:12:12,141:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 30 Dec 2021 18:12:12 GMT
Content-Type: application/json
Content-Length: 185
Connection: keep-alive
Boulder-Requester: 123184766
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/63454505270>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/OVgjzg
Replay-Nonce: 00015aiLQ3YBDwgPmuKYvwxLBcvPd7RMVOcfvxzbZZZELd0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/OVgjzg",
  "token": "PnQ-9yfbSFqqlB7l554FX6c42_Gp6-kwVZRakCgd8gs"
}
2021-12-30 19:12:12,141:DEBUG:acme.client:Storing nonce: 00015aiLQ3YBDwgPmuKYvwxLBcvPd7RMVOcfvxzbZZZELd0
2021-12-30 19:12:12,142:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-12-30 19:12:13,143:DEBUG:acme.client:JWS payload:
b''
2021-12-30 19:12:13,145:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/63454505270:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzMTg0NzY2IiwgIm5vbmNlIjogIjAwMDE1YWlMUTNZQkR3Z1BtdUtZdnd4TEJjdlBkN1JNVk9jZnZ4emJaWlpFTGQwIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MzQ1NDUwNTI3MCJ9",
  "signature": "Vzw4RH_ozwN-mYCh30yD41Gi2DlevWIrPUw6hSFMaJ10wtJkcapJSwiESV6llZx7BSXi-OEEjEcEB9p1jI3Xq2IqauL73fQd-ikFb_zmjVlivB1ctXWYLhDG3uqRQFRY9uah59WbGCvqmKkye_BbVx0MSYq6byulPearhtQqfv4bliw22MCYsckCGY2XOq0erOMmDIviFGCm7-uZml58Av2AmvFKwyZAlzMUx1rUfAQZ_A87VhpCllD5MpAooJ32Rz5CCYwYEEcPu4D_-LFemtZsTrnadNAP85U5WMnHuEVctCE69cKMwXE9UB8bTTdwv05HDFzFfnY_Tp7Vyk-aoQ",
  "payload": ""
}
2021-12-30 19:12:13,299:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/63454505270 HTTP/1.1" 200 630
2021-12-30 19:12:13,300:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 30 Dec 2021 18:12:13 GMT
Content-Type: application/json
Content-Length: 630
Connection: keep-alive
Boulder-Requester: 123184766
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002mzyGvUaEzF2zq8T9kNtnXjSAg5p7N5kKhweHg-WKETI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "pw-local.MYDOMAIN"
  },
  "status": "invalid",
  "expires": "2022-01-06T18:12:00Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"pw-local.MYDOMAIN\" found at _acme-challenge.pw-local.MYDOMAIN",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/63454505270/OVgjzg",
      "token": "PnQ-9yfbSFqqlB7l554FX6c42_Gp6-kwVZRakCgd8gs",
      "validated": "2021-12-30T18:12:12Z"
    }
  ]
}
2021-12-30 19:12:13,300:DEBUG:acme.client:Storing nonce: 0002mzyGvUaEzF2zq8T9kNtnXjSAg5p7N5kKhweHg-WKETI
2021-12-30 19:12:13,300:INFO:certbot._internal.auth_handler:Challenge failed for domain pw-local.MYDOMAIN
2021-12-30 19:12:13,301:INFO:certbot._internal.auth_handler:dns-01 challenge for pw-local.MYDOMAIN
2021-12-30 19:12:13,301:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: dns-netcup). The Certificate Authority reported these problems:
  Domain: pw-local.MYDOMAIN
  Type:   unauthorized
  Detail: Incorrect TXT record "pw-local.MYDOMAIN" found at _acme-challenge.pw-local.MYDOMAIN

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-netcup. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-netcup-propagation-seconds (currently 10 seconds).

2021-12-30 19:12:13,303:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-12-30 19:12:13,303:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-12-30 19:12:13,303:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-12-30 19:12:13,304:DEBUG:lexicon.providers.netcup:login({})
2021-12-30 19:12:13,307:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:13,431:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 228
2021-12-30 19:12:13,434:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'pw-local.MYDOMAIN'})
2021-12-30 19:12:13,437:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:13,563:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 188
2021-12-30 19:12:13,565:DEBUG:lexicon.providers.netcup:login({})
2021-12-30 19:12:13,568:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:13,687:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 228
2021-12-30 19:12:13,690:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'MYDOMAIN'})
2021-12-30 19:12:13,693:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:13,855:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 231
2021-12-30 19:12:13,858:DEBUG:lexicon.providers.netcup:infoDnsRecords({'domainname': 'MYDOMAIN'})
2021-12-30 19:12:13,861:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:14,018:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 609
2021-12-30 19:12:14,021:DEBUG:lexicon.providers.netcup:delete_records: ['46085145']
2021-12-30 19:12:14,022:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': 'MYDOMAIN', 'dnsrecordset': {'dnsrecords': [{'id': '46085145', 'hostname': '_acme-challenge.pw-local.MYDOMAIN', 'type': 'TXT', 'priority': '0', 'destination': '2NBiB4cFU1DhLuTbcruAEusKe0rQiUxSHbrA5FmA2no', 'deleterecord': True, 'state': 'unknown'}]}})
2021-12-30 19:12:14,025:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2021-12-30 19:12:14,201:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 574
2021-12-30 19:12:14,204:DEBUG:lexicon.providers.netcup:delete_record: True
2021-12-30 19:12:14,204:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1632, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1491, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 139, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 424, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 476, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-12-30 19:12:14,206:ERROR:certbot._internal.log:Some challenges have failed.

Is the destination in Netcup correct pw-local.MYDOMAIN? Do I need a token there?

@chaptergy
Copy link
Collaborator

Hm, it's weird that it is an incorrect TXT record and not just no record at all. Have you tried increasing the propagation seconds? By default they seem to be just 10 seconds which might not be enough.

@TWART016
Copy link
Author

TWART016 commented Jan 1, 2022

I set propagation to 300 seconds but it runs into a timeout.

What should be the TXT record look like?

@sumadark
Copy link

sumadark commented Jan 13, 2022
edited by chaptergy
Loading

Hi everybody,

I have a similar issue, trying to get a new certificate for a subdomainn here is the content of letsencrypt.log :

2022-01-13 09:57:12,250:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1632, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1472, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/plugins/selection.py", line 210, in choose_configurator_plugins
    req_auth, req_inst = cli_plugin_requests(config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/plugins/selection.py", line 305, in cli_plugin_requests
    req_auth = set_configurator(req_auth, "dns-cloudflare")
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/plugins/selection.py", line 276, in set_configurator
    raise errors.PluginSelectionError(msg.format(repr(previously), repr(now)))
certbot.errors.PluginSelectionError: Too many flags setting configurators/installers/authenticators 'webroot' -> 'dns-cloudflare'
2022-01-13 09:57:12,251:ERROR:certbot._internal.log:Too many flags setting configurators/installers/authenticators 'webroot' -> 'dns-cloudflare'

Here is my docker compose :

version: '2'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    environment:
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      DB_MYSQL_PASSWORD: "npm"
      DB_MYSQL_NAME: "npm"
      DNS_CLOUDFLARE_CREDENTIALS: "/cloudflare.ini"

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      - ./log:/var/log/letsencrypt
      - ./letsencrypt.ini:/etc/letsencrypt.ini:rw
      - ./cloudflare.ini:/cloudflare.ini:ro
  db:
    ports:
      - '3307:3306'
    image: 'mariadb'
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: 'npm'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: 'npm'
    volumes:
      - ./data/mysql:/var/lib/mysql

If someone has an idea about this issue, I would be very glad to read it. Thanks !

@chaptergy
Copy link
Collaborator

@sumadark Your problem has nothing to do with the problem discussed in this issue, you are not even using netcup as the domain provider. And I'm pretty sure your issue is due to your own custom letsencrypt.ini and maybe in conjunction with the cloudflare.ini, not sure what that is for. Though we cannot provide support for that.

@sumadark
Copy link

@sumadark Your problem has nothing to do with the problem discussed in this issue, you are not even using netcup as the domain provider. And I'm pretty sure your issue is due to your own custom letsencrypt.ini and maybe in conjunction with the cloudflare.ini, not sure what that is for. Though we cannot provide support for that.

Thanks for your reply...

@nickibyte
Copy link

This might be a bit late, but for the sake of maybe closing the issue here is what I found when fixing a similar problem with the DNS challenge for the provider netcup:

Also I added a TXT entry with Destination: pw-local.MYDOMAIN.

I believe the reason the DNS challenge failed with the "Incorrect TXT record" error is that @TWART016 manually created the _acme-challenge.pw-local.mydomain.de TXT record with the destination pw-local.MYDOMAIN. This record will be automatically created by certbot with a string it gets from Let's Encrypt as the destination and will be deleted after the DNS challenge has been completed. That is why the API key and password are needed, to create/delete this TXT record.

So to fix the issue with the DNS challenge:

  1. Delete the manually created _acme-challenge.pw-local.mydomain.de TXT record
  2. Redo the DNS challenge with the Propagation Seconds set to 480 (this number worked for me, the default was way to short and I got a "No TXT record" error)

After 8-10 minutes you should have your certificate.

@LukasOchmann
Copy link

I have an simular issue, and i tried to set the propagation 480 but that runs in a timeout then ... Is there a way to increase the timeout?
I can see that certbot is createing the __acme-challenge.<subdomain> as a TXT record in netcup.

@LukasOchmann
Copy link

The Content of the log-file /var/log/letsencrypt/letsencrypt.log:

Certbot failed to authenticate some domains (authenticator: dns-netcup). The Certificate Authority reported these problems:
  Domain: home.<domain>.de
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.home.<domain>.de - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-netcup. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-netcup-propagation-seconds (currently 480 seconds).

2023-03-26 15:06:27,010:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-03-26 15:06:27,010:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-03-26 15:06:27,010:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-03-26 15:06:27,014:DEBUG:lexicon.providers.netcup:login({})
2023-03-26 15:06:27,017:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,145:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 229
2023-03-26 15:06:27,149:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': 'home.<domain>.de'})
2023-03-26 15:06:27,153:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,277:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 187
2023-03-26 15:06:27,281:DEBUG:lexicon.providers.netcup:login({})
2023-03-26 15:06:27,285:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,413:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 229
2023-03-26 15:06:27,417:DEBUG:lexicon.providers.netcup:infoDnsZone({'domainname': '<domain>.de'})
2023-03-26 15:06:27,421:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,562:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 241
2023-03-26 15:06:27,566:DEBUG:lexicon.providers.netcup:infoDnsRecords({'domainname': '<domain>.de'})
2023-03-26 15:06:27,570:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,700:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 458
2023-03-26 15:06:27,704:DEBUG:lexicon.providers.netcup:delete_records: ['69102461']
2023-03-26 15:06:27,704:DEBUG:lexicon.providers.netcup:updateDnsRecords({'domainname': '<domain>.de', 'dnsrecordset': {'dnsrecords': [{'id': '69102461', 'hostname': '_acme-challenge.home.<domain>.de', 'type': 'TXT', 'priority': '0', 'destination': '<TXT_RECORD-entry', 'deleterecord': True, 'state': 'yes'}]}})
2023-03-26 15:06:27,708:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): ccp.netcup.net:443
2023-03-26 15:06:27,872:DEBUG:urllib3.connectionpool:https://ccp.netcup.net:443 "POST /run/webservice/servers/endpoint.php?JSON HTTP/1.1" 200 411
2023-03-26 15:06:27,876:DEBUG:lexicon.providers.netcup:delete_record: True
2023-03-26 15:06:27,877:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-03-26 15:06:27,880:ERROR:certbot._internal.log:Some challenges have failed.

@bernhardkaindl bernhardkaindl mentioned this issue Nov 15, 2023
Closed
@bernhardkaindl
Copy link

bernhardkaindl commented Nov 15, 2023
edited
Loading

Same here. I opened coldfix/certbot-dns-netcup#28 to let https://github.com/coldfix/certbot-dns-netcup pick a default time which should work. I needs to be above 600 as the zone reload time of Netcup is 10 Minutes, confirmed by many in Netcup's customer forum.

@LukasOchmann https://pypi.org/project/certbot-dns-netcup/ says at least 600 seconds is needed for Netcup (and likely even then may need some tries), and 900 seconds should really work.

On the Nginx-proxy-manager side, the Nginx-proxy-manager Web UI should be fixed to not time out after just a minute to allow for longer DNS Challenge propagation times:

Currently, it shows a red error bar long before that, but certbot thankfully continue to wait for 900 seconds and finishes its work.

While waiting, to check the status, you can open a shell in the container and run tail -f /tmp/letsencrypt-log/letsencrypt.log

After you see the successfully certbot completion in the log, just reload the Nginx Proxy Manager web UI and you should see your proxy as Online.

https://github.com/coldfix/certbot-dns-netcup

See coldfix/certbot-dns-netcup#28

Update: As confirmed in German forum discussions in forum.netcup.de, the observation of customers is that Netcup runs the actual DNS zone updates every 15 minutes, apparently on a cron-like schedule each hour, seemingly like starting at minute 00, 15, 30 and 45.

@github-actions GitHub Actions
Copy link

Issue is now considered stale. If you want to keep it open, please comment 👍

@github-actions github-actions bot added the stale label Jun 26, 2024
@github-actions github-actions bot removed the stale label Oct 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@LukasOchmann @nickibyte @chaptergy @TWART016 @bernhardkaindl @sumadark