
dnsrobocert's People

Contributors

a16bitsysop, adferrand, artiomn, centja1, charleszlu, ctepeo, davidyuk, dennis14e, dependabot-preview[bot], dependabot[bot], letompouce, mgh87, mika56, mjclemente, muhlemmer, ronaldtveen, skoobasteeve, thatrevguy, unixorn, volatilezero, zaregata

dnsrobocert's Issues

Seems with Transip TTL doesn't work

When using the following options:

docker run \
    --name letsencrypt-dns \
    --volume /etc/letsencrypt/domains.conf:/etc/letsencrypt/domains.conf \
    --volume /etc/letsencrypt/api.key:/etc/letsencrypt/api.key \
    --env 'LETSENCRYPT_USER_MAIL=xxxxxxx' \
    --env 'LEXICON_PROVIDER=transip' \
    --env 'LEXICON_TRANSIP_USERNAME=xxxxxx' \
    --env 'LEXICON_TRANSIP_AUTH_API_KEY=/etc/letsencrypt/api.key' \
    --env 'LEXICON_TRANSIP_TTL=1' \
    --env 'LEXICON_SLEEP_TIME=120' \
    --env 'LETSENCRYPT_STAGING=true' \
    adferrand/letsencrypt-dns

The TTL option is not set. It will create a TXT record with a TTL of 1 hour instead of 1 minute.
I've set the sleep time to 2 minutes, so it should pick up the TXT record. But for some reason the TTL isn't set correctly.

Supporting adding a new subdomain

In domains.conf, if a subdomain is added to the file later, the container doesn't handle that properly.

Is there a way we can handle that?

Authentication step hangs

I set up a letsencrypt-dns docker container on a server a few months ago, using the hetzner provider, and it is working fine.

Now I'm trying to set up another server (both Ubuntu bionic) similarly, and can't get it to work. It gets as far as "Running manual-auth-hook command: /var/lib/letsencrypt/hooks/authenticator.sh" and then just hangs.

If I open a shell in the container and try running lexicon from the cli, it similarly hangs. Whereas on the original server with the same command it happily retrieves domain info from hetzner.

Could it be that a later version of letsencrypt-dns or lexicon is not working with hetzner? Or is there something that needs to be set on the host computer to allow this to work? I believe I have configured the /etc/letsencrypt file permissions correctly on both, and have a valid domains.conf on both. In any case, what could be causing Lexicon to hang on one server but not the other?

Letsencrypt verification fails for wildcard certificates using namecheap provider

I'm trying to get a wildcard certificate for my domain.
I've replaced sensitive data below (like domain, api-key and api-username).
When my domain.conf looks like this:

*.example.com example.com

I get the following output:

#### Registering Let's Encrypt account if needed ####
Saving debug log to /var/log/letsencrypt/letsencrypt.log
IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
#### Creating missing certificates if needed (~1min for each) ####
>>> Creating a certificate for domain(s): -d *.example.com -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
Output from authenticator.sh:
Arguments: Namespace(action='create', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-01', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 650
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 440
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 642
Remote: 3
To set: 4
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 432

Output from authenticator.sh:
Arguments: Namespace(action='create', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-02', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 649
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 440
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 732
Remote: 4
To set: 5
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 433

Waiting for verification...
Cleaning up challenges
Output from cleanup.sh:
Arguments: Namespace(action='delete', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-01', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 649
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 440
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 794
list_records: [{'type': 'TXT', 'name': '_acme-challenge.example.com', 'ttl': '1800', 'content': 'CHALLENGE-01', 'id': '136346101'}]
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 794
Remote: 5
To set: 4
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 431

Output from cleanup.sh:
Arguments: Namespace(action='delete', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-02', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 649
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 440
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 732
list_records: [{'type': 'TXT', 'name': '_acme-challenge.example.com', 'ttl': '1800', 'content': 'CHALLENGE-02', 'id': '136346792'}]
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 732
Remote: 4
To set: 3
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 432

Failed authorization procedure. example.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "CHALLENGE-01" found at _acme-challenge.example.com
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   unauthorized
   Detail: Incorrect TXT record
   "CHALLENGE-01" found at
   _acme-challenge.example.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
### Revoke and delete certificates if needed ####
### Reloading supervisord configuration ###

After changing the domain.conf to

*.example.com

everything works out fine:

#### Registering Let's Encrypt account if needed ####
Saving debug log to /var/log/letsencrypt/letsencrypt.log
There is an existing account; registration of a duplicate account with this command is currently unsupported.
#### Creating missing certificates if needed (~1min for each) ####
>>> Creating a certificate for domain(s): -d *.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
Output from authenticator.sh:
Arguments: Namespace(action='create', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-01', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 648
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 441
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 641
Remote: 3
To set: 4
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 432

Waiting for verification...
Cleaning up challenges
Output from cleanup.sh:
Arguments: Namespace(action='delete', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-01', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 650
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 440
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 732
list_records: [{'type': 'TXT', 'name': '_acme-challenge.example.com', 'ttl': '1800', 'content': 'CHALLENGE-01', 'id': '136348636'}]
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 732
Remote: 4
To set: 3
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 431

Running deploy-hook command: deploy-hook.sh
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

### Revoke and delete certificates if needed ####
### Reloading supervisord configuration ###

I'm not sure why this happens but it looks like the requests sent to letsencrypt and the verification arguments are overwriting each other before the verification of the first request finished.

One more thing, I started the container like this:

sudo docker run \
    -dit \
    --restart=always \
    --name letsencrypt-dnsbot \
    --volume /..blabla../domains.conf:/etc/letsencrypt/domains.conf \
    --volume /..blabla../data:/etc/letsencrypt \
    --env '[email protected]' \
    --env 'LEXICON_PROVIDER=namecheap' \
    --env 'LEXICON_NAMECHEAP_USERNAME=MY_USERNAME' \
    --env 'LEXICON_NAMECHEAP_TOKEN=MY_API_KEY' \
    --env 'LEXICON_NAMECHEAP_CLIENT_IP=MY_IP' \
    adferrand/letsencrypt-dns

but still the ClientIP sent to namecheap is 127.0.0.1 in the logs.

I am not sure if I'm doing something wrong, could you help me out here?

Best regards & thank you in advance!

DNS provider per domain

All domains you may want to manage with this letsencrypt container might not use the same DNS provider... this doesn't seem to be managed by this image. Even if it doesn't seem very far from being possible.

The general idea would be to be able to provide a few configuration values for lexicon (let's say GANDI and OVH, and this is already possible thanks to your namespaced naming scheme for the environment variables), and thanks to a whois query on the domain, select the right provider for the domain.

How does that sound?

Changes to domains.conf are not propagating into container

Changes to domains.conf are not propagating into container after start.

So when I edited domains.conf, a new cert wasn't created, so I went and checked what's in the container, and domains.conf didn't have the new domain listed.

This is how I launch the container:

docker run -d \
    --name letsencrypt-dns \
    --restart=always \
    --volume /mnt/dockers/domains/domains.conf:/etc/letsencrypt/domains.conf \
    --volume /mnt/dockers/certs:/etc/letsencrypt \
    --env 'LETSENCRYPT_USER_MAIL=MY_EMAIL' \
    --env 'LEXICON_PROVIDER=MY_PROVIDER' \
    --env 'LEXICON_NAMESILO_USERNAME=MY_USERNAME' \
    --env 'LEXICON_NAMESILO_TOKEN=MY_TOKEN' \
    --env 'LEXICON_SLEEP_TIME=960' \
    adferrand/letsencrypt-dns

Is it possible to configure /etc/letsencrypt/domains.conf to use some subdirectory like /etc/letsencrypt/domains/domains.conf?

REQ: Per-key directories

Would it be possible to store keys in per-domain (+SANs) directories named with the primary domain? That way containers would only have access to the keys in that specific directory.

(I've only just read the README, so maybe this is already least necessary privilege?)

babel not found

While testing, letsencrypt suddenly stopped working. I think something changed while I was testing on some lower layer though since I am getting the following error:

letsencrypt-dns_1  | Hook command "/var/lib/letsencrypt/hooks/authenticator.sh" returned error code 1
letsencrypt-dns_1  | Error output from authenticator.sh:
letsencrypt-dns_1  | Traceback (most recent call last):
letsencrypt-dns_1  |   File "/usr/local/bin/lexicon", line 11, in <module>
letsencrypt-dns_1  |     sys.exit(main())
letsencrypt-dns_1  |   File "/usr/local/lib/python3.6/site-packages/lexicon/__main__.py", line 66, in main
letsencrypt-dns_1  |     parsed_args = MainParser().parse_args()
letsencrypt-dns_1  |   File "/usr/local/lib/python3.6/site-packages/lexicon/__main__.py", line 54, in MainParser
letsencrypt-dns_1  |     provider_module = importlib.import_module('lexicon.providers.' + provider)
letsencrypt-dns_1  |   File "/usr/local/lib/python3.6/importlib/__init__.py", line 126, in import_module
letsencrypt-dns_1  |     return _bootstrap._gcd_import(name[level:], package, level)
letsencrypt-dns_1  |   File "<frozen importlib._bootstrap>", line 994, in _gcd_import
letsencrypt-dns_1  |   File "<frozen importlib._bootstrap>", line 971, in _find_and_load
letsencrypt-dns_1  |   File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
letsencrypt-dns_1  |   File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
letsencrypt-dns_1  |   File "<frozen importlib._bootstrap_external>", line 678, in exec_module
letsencrypt-dns_1  |   File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
letsencrypt-dns_1  |   File "/usr/local/lib/python3.6/site-packages/lexicon/providers/dnsmadeeasy.py", line 10, in <module>
letsencrypt-dns_1  |     from babel.dates import format_date, format_datetime, format_time
letsencrypt-dns_1  | ModuleNotFoundError: No module named 'babel'

Unless I messed up somewhere, I think this is something that you can hopefully fix, please?

Live certificates symlinked into archive

I was trying to set up a named volume for the certificates, shared to another container, via certificates:/etc/letsencrypt/live, but it looks like the certificates in the live directory are just symlinks into the archive.

I can of course make the whole /etc/letsencrypt directory a named volume, but I was hoping to limit the part shared to the other container to just the live certificates, not the account info and all the other runtime details of docker-letsencrypt-dns. Could hard-links work here instead?

--force-renewal?

Hi, amazing project!
One question, did not find any info about how to force cert renewal (the --force-renewal param of certbot). Could be handy in staging mode for testing. Can this be done?

User and group owner variables are being ignored?

I've tried to set both the environment variable CERTS_USER_OWNER and CERTS_GROUP_OWNER to docker:users but it didn't do anything, the archive and live folders, along with the cert files inside them were still created with root:root.

I've also tried the corresponding docker and users IDs instead of the strings but it also didn't work...

drwxrwxrwx+ 1 root  root  72 Jan 19 23:20 accounts/
drwxr-x---  1 root  root  28 Jan 19 23:22 archive/
drwxrwxrwx+ 1 root  root  40 Jan 19 23:20 csr/
drwxrwxrwx+ 1 root  root  40 Jan 19 23:20 keys/
drwxr-x---  1 root  root  40 Jan 19 23:22 live/
drwxrwxrwx+ 1 root  root  38 Jan 19 23:22 renewal/
drwxrwxrwx+ 1 root  root  26 Jan 19 23:20 renewal-hooks/
-rwxrwxrwx+ 1 admin users 32 Jan 19 12:54 domains.conf*
-rwxrwxrwx+ 1 admin users 90 Jan 19 13:01 lexicon_cloudflare.yml*

Am I doing something wrong?

Discussion: docker-letsencrypt-dns V3

This project has been here for quite a while now. It was designed with a very narrow scope at the beginning, but more and more of you are using it, with more and more use cases that are really interesting to handle.

I can see that the initial design has become a limitation for the container's development. If I do not rethink things now, this design will be the main cause of complexity in the future.

Furthermore, since wildcard certificates are available with LetsEncrypt, managing these certificates has become critical. While I think my container helped a little on that matter, it is clearly not sufficient in terms of interoperability with other services. An API is needed.

So I wrote a specification for a new version, with a heavy refactoring and a lot of new features. It is available here: Project V3 specifications.

Before starting to code, I would like your opinion about this specification, if you think it is a good design, what is missing and so on. Do not hesitate to post your comments on this issue !

Simultaneous waiting for several dns-challenges

I'm using a DNS provider located far away from Let's Encrypt servers (Yandex). So I have to use a long waiting time, like 12 hours (LEXICON_SLEEP_TIME=43200), to update DNS records. And I need several wildcard domain names. So now it takes 12 hours for each. Could the logic be refactored to start all challenges simultaneously and then wait LEXICON_SLEEP_TIME?

Merge private key and cert to PFX file after renewal

Your container is working perfectly fine with services that use separate private key and cert files. Unfortunately I also have a service that requires a PFX file. How would you approach this problem and automate the merge process after each renewal?
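One way to answer this question, as an added example that is not part of the original issue or of the project's own hooks: a certbot deploy hook that bundles the renewed private key, leaf certificate and chain into a PKCS#12 (.pfx) file. It assumes certbot's RENEWED_LINEAGE variable (certbot exports it to deploy hooks) and takes the PFX password from the PFX_PASSWORD environment variable rather than the command line, where it would be visible in `ps` output and shell history. PFX_DIR is a name chosen for this example. The output is written to a temporary name and renamed into place, so a service reading the file never sees a half-written bundle.

```shell
#!/bin/sh
# Added example, not code from the project: a certbot deploy hook that
# merges privkey.pem, cert.pem and chain.pem of the renewed lineage into
# one PKCS#12 (.pfx) file. Assumes RENEWED_LINEAGE (set by certbot for
# deploy hooks) and PFX_PASSWORD in the environment. PFX_DIR is a name
# chosen for this example.
set -eu
umask 077                       # a PFX contains the private key: owner-only

# make_pfx LINEAGE_DIR OUT_FILE -- build OUT_FILE from LINEAGE_DIR/{privkey,cert,chain}.pem
make_pfx() {
    lineage=$1
    out=$2
    : "${PFX_PASSWORD:?PFX_PASSWORD must be set in the environment}"
    tmp="$out.tmp.$$"
    openssl pkcs12 -export \
        -inkey "$lineage/privkey.pem" \
        -in "$lineage/cert.pem" \
        -certfile "$lineage/chain.pem" \
        -name "$(basename "$lineage")" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout env:PFX_PASSWORD \
        -out "$tmp"
    mv -f "$tmp" "$out"         # rename is atomic: consumers never see a partial file
}

# verify_pfx FILE -- 0 if FILE parses and its MAC checks out with PFX_PASSWORD
verify_pfx() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -noout
}

# Entry point when certbot runs this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    dir=${PFX_DIR:-/etc/letsencrypt/pfx}
    mkdir -p "$dir"
    pfx="$dir/$(basename "$RENEWED_LINEAGE").pfx"
    make_pfx "$RENEWED_LINEAGE" "$pfx"
    verify_pfx "$pfx"
fi
```

The explicit `-keypbe`/`-certpbe`/`-macalg` options force AES-256 and SHA-256 for the bundle, so the result does not depend on the OpenSSL version's legacy defaults (older releases default to RC2 and 3DES).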

Support Cert Fileout names to be configurable.

Hi there, I'd like to be able to customize the naming convention your certs are deployed. Currently the format seems to be:

/etc/letsencrypt/live/$domain/cert.pem 

In my setup, (I'm using https://github.com/jwilder/nginx-proxy), it expects a mounted volume using the format

/etc/nginx/certs/$domain.pem

If this was configurable, these two images would be compatible and I can build out something akin to https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion.

If not, my goal would be to fork this repo and modify these places. Would that be sufficient or are there other gotchas I need to be aware of?
https://github.com/adferrand/docker-letsencrypt-dns/search?q=.pem&unscoped_q=.pem
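The three requests above (per-domain directories so another container only sees its own key, real files instead of the live/ symlinks into archive/, and flat `$domain`-style file names for nginx-proxy) can all be served by a deploy hook. The following is an added example, not the project's code and not a feature it advertises: it assumes certbot's RENEWED_LINEAGE variable, and EXPORT_ROOT and CERT_OWNER are names chosen here. Each lineage is copied with `cp -L` (dereferencing the symlinks) into its own directory under the export root, with the key kept at mode 0600, so that directory alone can be mounted into the consuming container while accounts, renewal config and other lineages stay private.

```shell
#!/bin/sh
# Added example, not the project's own code: a certbot deploy hook that
# exports each renewed lineage into EXPORT_ROOT/<domain>/<domain>.{crt,key}
# as regular files (the live/ symlinks are dereferenced) with restrictive
# permissions. Assumes RENEWED_LINEAGE (set by certbot for deploy hooks);
# EXPORT_ROOT and CERT_OWNER are names chosen for this example.
set -eu

# export_lineage LINEAGE_DIR EXPORT_ROOT
export_lineage() {
    lineage=$1
    root=$2
    domain=$(basename "$lineage")
    # The lineage name becomes a path component: accept hostname characters only.
    case $domain in
        ""|.*|*[!A-Za-z0-9.-]*) echo "refusing lineage name '$domain'" >&2; return 1 ;;
    esac
    dest="$root/$domain"
    (umask 027; mkdir -p "$dest")           # dir: owner rwx, group rx, others nothing
    # cp -L follows the symlinks in live/, so the export holds real files.
    # Copy under temporary names, fix modes, then rename: each mv is atomic,
    # so a consumer never reads a truncated certificate or key.
    (
        umask 077
        cp -L "$lineage/fullchain.pem" "$dest/.$domain.crt.tmp"
        cp -L "$lineage/privkey.pem"   "$dest/.$domain.key.tmp"
    )
    chmod 0644 "$dest/.$domain.crt.tmp"     # the chain is public
    chmod 0600 "$dest/.$domain.key.tmp"     # the key is not
    if [ -n "${CERT_OWNER:-}" ]; then       # e.g. "1000:1000" for the consuming container
        chown "$CERT_OWNER" "$dest" "$dest/.$domain.crt.tmp" "$dest/.$domain.key.tmp"
    fi
    mv -f "$dest/.$domain.crt.tmp" "$dest/$domain.crt"
    mv -f "$dest/.$domain.key.tmp" "$dest/$domain.key"
}

# is_regular_copy FILE -> 0 if FILE exists and is not a symlink
is_regular_copy() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Entry point when certbot invokes this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    export_lineage "$RENEWED_LINEAGE" "${EXPORT_ROOT:-/etc/letsencrypt/export}"
fi
```

With this layout, a proxy container mounts only `EXPORT_ROOT/example.com` (read-only), and a hard-link scheme is unnecessary: hard links cannot cross volumes anyway, and a copy that is replaced atomically gives the same stable view.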

Restart Apache Outside a Container?

Thank you for this little gem. Works like a charm!
How would I best go about reloading Apache outside a container (on the bare-bones host machine)...

Basically I'd need the Docker container to run "systemctl apache2 reload" on the host after a certificate has been renewed or created.

Any help is appreciated.

Thank you.
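One least-privilege way to do what the question asks, as an added example that is not part of the original issue or of the project's code: the container is given no Docker socket, no systemd access and no SSH key to the host. Its deploy hook only creates a flag file in a directory bind-mounted from the host. On the host, a small consumer (run from a systemd .path unit with `PathExistsGlob=<dir>/*.reload`, or from cron) deletes the flags and reloads the service. The host never executes anything the container wrote: only the flag's existence matters, and its name is validated before use. Directory and file names below are chosen for this example.

```shell
#!/bin/sh
# Added example, not the project's own code. Two halves of one mechanism:
#   container side: request_reload writes a flag into a bind-mounted dir;
#   host side:      consume_reload_flags removes flags and reloads once.
# Names and paths are chosen for this example.
set -eu

# Container side (deploy hook): request_reload FLAG_DIR LINEAGE_DIR
request_reload() {
    : > "$1/$(basename "$2").reload"
}

# Host side: consume_reload_flags FLAG_DIR RELOAD_CMD [ARGS...]
# Removes every *.reload flag in FLAG_DIR, then runs RELOAD_CMD once if at
# least one flag had a sane name. Flags are removed *before* reloading so a
# systemd .path unit watching the directory does not fire again in a loop.
consume_reload_flags() {
    dir=$1
    shift
    pending=0
    for flag in "$dir"/*.reload; do
        [ -e "$flag" ] || continue            # the pattern matched nothing
        name=$(basename "$flag" .reload)
        rm -f -- "$flag"                      # consume first
        case $name in
            ""|*[!A-Za-z0-9.-]*)              # not a hostname: drop it, do not act on it
                echo "ignoring unexpected flag '$flag'" >&2
                continue ;;
        esac
        pending=1
    done
    if [ "$pending" -eq 1 ]; then
        "$@"                                  # e.g. systemctl reload apache2
    fi
}
```

Host-side usage would be `consume_reload_flags /srv/letsencrypt-flags systemctl reload apache2`, with `/srv/letsencrypt-flags` mounted into the container as the flag directory; several renewals in one run collapse into a single reload.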

Can't get ENV to pass through for PDNS

Hi,

I am having issues with environmental variables being passed through. If I connect to the container, I can echo my variables, and some are working, but not others:

I am presented with the following error from authentication.sh
Arguments: Namespace(action='create', auth_token=None, content='randomstringfromletsencrypt', delegated=None, domain='site.net', identifier=None, log_level='DEBUG', name='_acme-challenge.site.net.', pdns_server=None, pdns_server_id=None, priority=None, provider_name='powerdns', ttl=None, type='TXT')

As an example, I have tried to utilise the following for "auth_token":
LEXICON_POWERDNS_TOKEN
LEXICON_TOKEN
LEXICON_AUTH_TOKEN
LEXICON_POWERDNS_AUTH_TOKEN

And numerous other combinations, but it seems that nothing is picked up by the lexicon script(s). I can 'echo $LEXICON_TOKEN' etc, whilst in the docker, and it'll give the expected result.

The variables LEXICON_PROVIDER and LETSENCRYPT_USER_MAIL are both being accepted by their respective clients. Although probably user error, I see no area for community help, so I'm putting it to you here :)

Regards.

Mat

Wildcard certificates

As Let's Encrypt now supports wildcard certificates, adding this feature to docker-letsencrypt-dns might be a good idea. In order to request wildcard certificates, ACME v2 must be used. The minimum required version of certbot, that can use the new endpoint, is 0.22.0.

Example command: ./certbot-auto certonly --manual -d *.example.com -d example.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Source: https://community.letsencrypt.org/t/getting-wildcard-certificates-with-certbot/56285

README: ENV delta in the examples. Which one is the right one?

It's confusing to follow the cloudflare example. In this section:

https://github.com/adferrand/docker-letsencrypt-dns#configuring-dns-provider-and-authentication-to-dns-api

LEXICON_CLOUDFLARE_AUTH_USERNAME=my_cloudflare_email
LEXICON_CLOUDFLARE_AUTH_TOKEN=my_cloudflare_global_api_key

But then we can see:

https://github.com/adferrand/docker-letsencrypt-dns#run-the-container

LEXICON_CLOUDFLARE_USERNAME=my_cloudflare_email
LEXICON_CLOUDFLARE_TOKEN=my_cloudflare_global_api_key 

My guess is that I should use this:

docker run \
  --name letsencrypt-dns \
  --volume /etc/letsencrypt/domains.conf:/etc/letsencrypt/domains.conf \
  --volume /etc/letsencrypt:/etc/letsencrypt \
  --env '[email protected]' \
  --env '[email protected]' \
  --env 'LEXICON_CLOUDFLARE_AUTH_TOKEN=101010101010101010101010101010' \
  adferrand/letsencrypt-dns

Either way, my guess is that there is confusion in the README.
Thanks!

autocmd-containers doesn't work

I got the following error messages when I have autocmd-containers setting in my domains.conf

ERROR: /var/run/docker.sock socket is missing.
2018-07-18 06:32:01,287 INFO exited: mydomain.com_autocmd-containers (exit status 1; not expected)
2018-07-18 06:32:01,288 INFO gave up: mydomain.com_autocmd-containers entered FATAL state, too many start retries too quickly

Cannot use *.example.com example.com in a single line

When trying to use *.example.com example.com on a single line in domains.conf, the letsencrypt-dns docker container complains of "sh unknown operand" in the logs and doesn't create any certificates. Should be easy to reproduce, but if you need any more details let me know. I'm just using a workaround in the meantime.
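The page does not show which line of the container's scripts produced the "unknown operand", so the actual cause is not confirmed here. As an added illustration (not the project's code), the snippet below shows one way a domains.conf line such as `*.example.com example.com` trips `[` in POSIX sh: a wildcard name is also a glob pattern, so an unquoted `$domain` is subject to pathname expansion, and in a directory holding files that match it the test receives several operands (BusyBox ash reports "unknown operand", bash "too many arguments"; both exit 2). Quoting the variable fixes the comparison, and `set -f` around the word split keeps the `*` literal when a whole line must be split. The directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the project's own code): why an unquoted wildcard name
# breaks `[` in sh, and how to split a domains.conf line without globbing.

# Buggy: $domain is expanded unquoted, so "*.example.com" is globbed against
# the current directory before `[` runs. With matching files present, `[`
# gets extra operands and exits 2 ("unknown operand" / "too many arguments").
is_wildcard_unquoted() {
    domain=$1
    [ $domain = "*.example.com" ]
}

# Fixed: double quotes suppress both word-splitting and pathname expansion.
is_wildcard_quoted() {
    domain=$1
    [ "$domain" = "*.example.com" ]
}

# Splitting a whole line ("*.example.com example.com") into its names:
# word-splitting is wanted, globbing is not, so disable globbing around it.
split_domains() {
    set -f                    # no pathname expansion
    set -- $1                 # split on $IFS only; '*' stays literal
    set +f
    printf '%s\n' "$@"
}

# Helper: run "$1 $2" inside a constructed directory that contains files
# matching *.example.com, so the glob has something to expand to.
in_glob_dir() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/a.example.com"
    : > "$tmp/b.example.com"
    ( cd "$tmp" && "$1" "$2" )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Number of names split_domains yields for a line, evaluated in that directory.
count_domains() {
    in_glob_dir split_domains "$1" | wc -l | tr -d ' '
}
```

Running `in_glob_dir is_wildcard_unquoted '*.example.com'` prints the shell's operand error and fails, while the quoted form succeeds and `count_domains '*.example.com example.com'` returns 2, not the number of matching files plus one.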

docker-compose.yml

How about expanding the support to http-01?

Although this repo is called docker-letsencrypt-dns, I am wondering if you can expand the support to include http challenge (or even tls).

It is because I couldn't find a repo or docker image that supports so many customization points and is under active development like this one.

After looking into the code, it seems what is needed is to modify the line certbot certonly ... --preferred-challenges=dns ... to support http as well, e.g. --preferred-challenges=http --standalone

Cert automatically deleted

Hello,

After the cert has been successfully generated, it's directly deleted from what I see on the log.
The cert is not in the live dir when using a wildcard domain on ovh while a sub-domain work perfectly.

TXT record not set

I would like to setup signing with transip as DNS Provider. Unfortunately I get the following error:

2018-12-18 21:10:49,127:ERROR:certbot.hooks:Error output from cleanup.sh:
Traceback (most recent call last):
  File "/usr/local/bin/lexicon", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/lexicon/cli.py", line 98, in main
    results = client.execute()
  File "/usr/local/lib/python3.7/site-packages/lexicon/client.py", line 56, in execute
    self.provider.authenticate()
  File "/usr/local/lib/python3.7/site-packages/lexicon/providers/transip.py", line 64, in authenticate
    self.client.get_info(domain)
  File "/usr/local/lib/python3.7/site-packages/transip/service/domain.py", line 56, in get_info
    cookie = self.build_cookie(mode=MODE_RO, method='getInfo', parameters=[domain_name])
  File "/usr/local/lib/python3.7/site-packages/transip/client.py", line 155, in build_cookie
    signature = self._sign(message_to_sign)
  File "/usr/local/lib/python3.7/site-packages/transip/client.py", line 89, in _sign
    raise RuntimeError('The private key does not exist.')
RuntimeError: The private key does not exist.

Merging the cluster_config branch

Is the cluster_config branch containing PR #15 able to be merged into the master branch? Autorestarting of docker swarm services would be very useful.

Custom hook confusion

Hello... thanks for this project, it's been working great for me across many domains. :)

I'm just a little confused about the custom hook capabilities as described here.

It details creating an executable file named deploy-hook.sh, but doesn't mention where this file should be located?

Also the example shows setting the DEPLOY_HOOK env var to create-nginx-certs which doesn't seem to be a reference to the script name or anything in particular ?

And I guess finally, I see a directory named renewal-hooks with subdirectories of deploy, post, and pre, which I couldn't find documentation on. Are those used or involved in any way?

Any insight would be appreciated, and sorry if I've overlooked something. Thanks!

certbot: error: argument --cert-path: Not a directory

After successfully issuing certs, I see this being logged:

letsencrypt    | 2019-01-17 00:12:59 [21] | ### Revoke and delete certificates if needed ####
letsencrypt    | 2019-01-17 00:12:59 [21] | >>> Removing the certificate README
letsencrypt    | 2019-01-17 00:13:03 [21] | usage:
letsencrypt    | 2019-01-17 00:13:03 [21] |   certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
letsencrypt    | 2019-01-17 00:13:03 [21] | Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
letsencrypt    | 2019-01-17 00:13:03 [21] | it will attempt to use a webserver both for obtaining and installing the
letsencrypt    | 2019-01-17 00:13:03 [21] | certificate.
letsencrypt    | 2019-01-17 00:13:03 [21] | certbot: error: argument --cert-path: Not a directory
letsencrypt    | 2019-01-17 00:13:03 [21] | ### Reloading circusd configuration ###
letsencrypt    | 2019-01-17 00:13:04 [21] | ok

Documentation

Since I really appreciate the effort, I just wanted to let you know that there might be a mistake in your documentation. It always says "LEXICON_CLOUDFLARE_USER", yet it wants "LEXICON_CLOUDFLARE_USERNAME" configured. At least that was the case for me.

Hosteurope

If I'm using the hosteurope DNS provider, how can I understand the value of the linode token:
- LEXICON_PROVIDER=hosteurope
- LEXICON_LINODE_TOKEN= (what should be the value here - the value of the TXT DNS record of my wildcard domain, or what exactly?)
What if I want to have multiple different wildcard domains, for example *.example1.org, *.example2.org etc.? Is this possible?

After that how to connect dockerized nginx-proxy to those ssl certs?

Different Domains

If I specify different domains in domains.conf, all certificates are created, but the TXT entries in the respective domains are missing.

# domains.conf example:
*.domain1.com domain1.com
*.domain2.com domain2.com
*.domain3.com domain3.com
...

If I enter only a single domain like one of the above, everything works great. I could observe that TXT entries appear during the process. When the process is over, they disappear again.

Any idea what I could have done wrong?

DNS TXT-record cleanup stage fails

DNS-01 challenge, Yandex DNS provider. TXT-record created, but not deleted.

For the failure at certificate creation I blame slow DNS replication (it looks like 70 seconds is not enough).

I ran the command:

sudo docker run \
    --name letsencrypt-dns \
    --volume /srv/letsencrypt-dns:/etc/letsencrypt \
    --env 'LETSENCRYPT_USER_MAIL=*******' \
    --env 'LEXICON_PROVIDER=yandex' \
    --env 'LEXICON_SLEEP_TIME=70' \
    --env 'LEXICON_PROVIDER_OPTIONS=--auth-token=********************' \
    --env 'LETSENCRYPT_STAGING=true' \
    adferrand/letsencrypt-dns:latest

Output:

2019-08-17 16:51:42 circus[1] [INFO] Starting master on pid 1
2019-08-17 16:51:42 circus[1] [INFO] Arbiter now waiting for commands
2019-08-17 16:51:42 circus[1] [INFO] crond started
2019-08-17 16:51:42 circus[1] [INFO] watch-domains started
2019-08-17 16:51:42 [18] | #### Registering Let's Encrypt account if needed ####
2019-08-17 16:51:43 [18] | Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
2019-08-17 16:51:44 [18] | IMPORTANT NOTES:
2019-08-17 16:51:44 [18] |  - Your account credentials have been saved in your Certbot
2019-08-17 16:51:44 [18] |    configuration directory at /etc/letsencrypt. You should make a
2019-08-17 16:51:44 [18] |    secure backup of this folder now. This configuration directory will
2019-08-17 16:51:44 [18] |    also contain certificates and private keys obtained by Certbot so
2019-08-17 16:51:44 [18] |    making regular backups of this folder is ideal.
2019-08-17 16:51:44 [18] | #### Clean autorestart/autocmd jobs
2019-08-17 16:51:44 [18] | #### Creating missing certificates if needed (~1min for each) ####
2019-08-17 16:51:44 [18] | >>> Creating a certificate for domain(s): -d *****************
2019-08-17 16:51:45 [18] | Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
2019-08-17 16:51:45 [18] | Plugins selected: Authenticator manual, Installer None
2019-08-17 16:51:45 [18] | Obtaining a new certificate
2019-08-17 16:51:47 [18] | Performing the following challenges:
2019-08-17 16:51:47 [18] | dns-01 challenge for ***********
2019-08-17 16:51:47 [18] | Running manual-auth-hook command: /var/lib/letsencrypt/hooks/authenticator.sh
2019-08-17 16:53:00 [18] | Output from manual-auth-hook command authenticator.sh:
2019-08-17 16:53:00 [18] | RESULT
2019-08-17 16:53:00 [18] | ------
2019-08-17 16:53:00 [18] | True
2019-08-17 16:55:24 [18] | Waiting for verification...
2019-08-17 16:55:27 [18] | Challenge failed for domain ************
2019-08-17 16:55:30 [18] | dns-01 challenge for **********
2019-08-17 16:55:30 [18] | Cleaning up challenges
2019-08-17 16:55:30 [18] | Running manual-cleanup-hook command: /var/lib/letsencrypt/hooks/cleanup.sh
2019-08-17 16:55:31 [18] | manual-cleanup-hook command "/var/lib/letsencrypt/hooks/cleanup.sh" returned error code 1
2019-08-17 16:55:31 [18] | Error output from manual-cleanup-hook command cleanup.sh:
2019-08-17 16:55:31 [18] | Traceback (most recent call last):
2019-08-17 16:55:31 [18] |   File "/usr/local/bin/lexicon", line 10, in <module>
2019-08-17 16:55:31 [18] |     sys.exit(main())
2019-08-17 16:55:31 [18] |   File "/usr/local/lib/python3.7/site-packages/lexicon/cli.py", line 117, in main
2019-08-17 16:55:31 [18] |     results = client.execute()
2019-08-17 16:55:31 [18] |   File "/usr/local/lib/python3.7/site-packages/lexicon/client.py", line 87, in execute
2019-08-17 16:55:31 [18] |     return self.provider.delete_record(identifier, record_type, name, content)
2019-08-17 16:55:31 [18] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/base.py", line 118, in delete_record
2019-08-17 16:55:31 [18] |     return self._delete_record(identifier=identifier, rtype=rtype, name=name, content=content)
2019-08-17 16:55:31 [18] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/yandex.py", line 120, in _delete_record
2019-08-17 16:55:31 [18] |     records = self._list_records(rtype, name, content)
2019-08-17 16:55:31 [18] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/yandex.py", line 76, in _list_records
2019-08-17 16:55:32 [18] |     'content': record['content'],
2019-08-17 16:55:32 [18] | KeyError: 'content'
2019-08-17 16:55:35 [18] | Some challenges have failed.
2019-08-17 16:55:35 [18] | IMPORTANT NOTES:
2019-08-17 16:55:35 [18] |  - The following errors were reported by the server:
2019-08-17 16:55:35 [18] |    Domain: **********
2019-08-17 16:55:35 [18] |    Type:   unauthorized
2019-08-17 16:55:35 [18] |    Detail: No TXT record found at _acme-challenge.**********
2019-08-17 16:55:35 [18] | md5sum: can't open '/etc/letsencrypt/live/*****/cert.pem': No such file or directory
2019-08-17 16:55:35 [18] | ### Revoke and delete certificates if needed ####
2019-08-17 16:55:35 [18] | ### Reloading circusd configuration ###
2019-08-17 16:55:35 [18] | ok
2019-08-17 17:00:30 circus[1] [INFO] Got signal SIG_WINCH
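The failure above ("No TXT record found at _acme-challenge...") is what a fixed LEXICON_SLEEP_TIME produces when a provider's secondary nameservers lag behind the sleep. The following is an added example, not code from dnsrobocert or lexicon: it replaces the fixed sleep with a poll of every authoritative nameserver until all of them answer with the expected challenge value, and gives up at a deadline. The nameserver names, the token value and the `SimulatedZone` class are constructed stand-ins; the `lookup` callback is injected so the logic runs offline, and in a real deployment it would wrap an actual resolver pinned to each authoritative server.

```python
"""Wait for an _acme-challenge TXT record to be visible on every authoritative
nameserver, instead of sleeping a fixed number of seconds (added example)."""
import time
from typing import Callable, Dict, Iterable, List, Set

# lookup(nameserver, fqdn) -> set of TXT strings that server answers with.
# Injected so the example runs offline; in production wrap a real resolver.
TxtLookup = Callable[[str, str], Set[str]]


def wait_for_txt_propagation(
    fqdn: str,
    expected: str,
    nameservers: Iterable[str],
    lookup: TxtLookup,
    timeout: float = 300.0,
    interval: float = 5.0,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> Dict[str, object]:
    """Poll until *every* listed nameserver returns `expected` for `fqdn`.

    The ACME server may query any authoritative server, so a single positive
    answer is not sufficient. Returns a small report so callers can log why
    validation was (or was not) allowed to proceed.
    """
    servers: List[str] = list(nameservers)
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        missing: List[str] = []
        for ns in servers:
            try:
                answers = lookup(ns, fqdn)
            except Exception:  # an unreachable server counts as "not yet propagated"
                answers = set()
            if expected not in answers:
                missing.append(ns)
        if not missing:
            return {"propagated": True, "polls": polls, "missing": []}
        if clock() >= deadline:
            return {"propagated": False, "polls": polls, "missing": missing}
        sleep(interval)


class SimulatedZone:
    """Constructed stand-in for a provider whose secondary lags behind the primary.

    `arrival` maps a nameserver to the simulated time at which the record
    becomes visible there. A fake clock avoids real sleeping.
    """

    FQDN = "_acme-challenge.example.org."      # constructed name
    TOKEN = "constructed-challenge-token"       # constructed value

    def __init__(self, arrival: Dict[str, float]):
        self.arrival = arrival
        self.now = 0.0

    def clock(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds

    def lookup(self, ns: str, fqdn: str) -> Set[str]:
        if fqdn != self.FQDN or self.now < self.arrival[ns]:
            return set()
        return {self.TOKEN}


def demo_polling() -> Dict[str, object]:
    """Primary is immediate, secondary lags 95 s: polling every 5 s succeeds."""
    zone = SimulatedZone({"ns1.example.net.": 0.0, "ns2.example.net.": 95.0})
    return wait_for_txt_propagation(
        zone.FQDN, zone.TOKEN, zone.arrival, zone.lookup,
        timeout=300.0, interval=5.0, clock=zone.clock, sleep=zone.sleep,
    )


def demo_fixed_70s_sleep() -> Dict[str, object]:
    """Same zone, but a single 70 s wait (as in the report above) is too short."""
    zone = SimulatedZone({"ns1.example.net.": 0.0, "ns2.example.net.": 95.0})
    return wait_for_txt_propagation(
        zone.FQDN, zone.TOKEN, zone.arrival, zone.lookup,
        timeout=70.0, interval=70.0, clock=zone.clock, sleep=zone.sleep,
    )


if __name__ == "__main__":
    print("poll every 5 s:", demo_polling())
    print("fixed 70 s sleep:", demo_fixed_70s_sleep())
```

With a lagging secondary the polling variant proceeds only once both servers agree (the twentieth poll, at the simulated 95-second mark), while the fixed 70-second wait reports ns2 as still missing, which is exactly the state in which the ACME server answers "No TXT record found".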

namecheap.ApiError: 2050900 - Please enter a fully qualified domain name.

I've got a problem with my namecheap domain. Tried downgrading to an older version but that didn't work. Maybe there were some recent changes to the namecheap api that didn't make it into lexicon yet? Anyhow, any help is much appreciated!

2019-12-03 15:10:58 [17] | >>> Creating a certificate for domain(s): -d *.example.org -d example.org
2019-12-03 15:10:59 [17] | Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
2019-12-03 15:10:59 [17] | Plugins selected: Authenticator manual, Installer None
2019-12-03 15:10:59 [17] | Cert is due for renewal, auto-renewing...
2019-12-03 15:10:59 [17] | Renewing an existing certificate
2019-12-03 15:11:00 [17] | Performing the following challenges:
2019-12-03 15:11:00 [17] | dns-01 challenge for example.org
2019-12-03 15:11:00 [17] | dns-01 challenge for example.org
2019-12-03 15:11:00 [17] | Running manual-auth-hook command: /var/lib/letsencrypt/hooks/authenticator.sh
2019-12-03 15:11:04 [17] | Output from manual-auth-hook command authenticator.sh:
2019-12-03 15:11:04 [17] | Remote: 21
2019-12-03 15:11:04 [17] | To set: 22
2019-12-03 15:11:04 [17] | manual-auth-hook command "/var/lib/letsencrypt/hooks/authenticator.sh" returned error code 1
2019-12-03 15:11:04 [17] | Error output from manual-auth-hook command authenticator.sh:
2019-12-03 15:11:04 [17] | Traceback (most recent call last):
2019-12-03 15:11:04 [17] |   File "/usr/local/bin/lexicon", line 8, in <module>
2019-12-03 15:11:04 [17] |     sys.exit(main())
2019-12-03 15:11:04 [17] |   File "/usr/local/lib/python3.7/site-packages/lexicon/cli.py", line 117, in main
2019-12-03 15:11:04 [17] |     results = client.execute()
2019-12-03 15:11:04 [17] |   File "/usr/local/lib/python3.7/site-packages/lexicon/client.py", line 78, in execute
2019-12-03 15:11:04 [17] |     return self.provider.create_record(record_type, name, content)
2019-12-03 15:11:04 [17] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/base.py", line 80, in create_record
2019-12-03 15:11:04 [17] |     return self._create_record(rtype, name, content)
2019-12-03 15:11:04 [17] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/namecheap.py", line 201, in _create_record
2019-12-03 15:11:04 [17] |     self.client.domains_dns_addHost(self.domain, record)
2019-12-03 15:11:04 [17] |   File "/usr/local/lib/python3.7/site-packages/namecheap.py", line 388, in domains_dns_addHost
2019-12-03 15:11:04 [17] |     self._call("namecheap.domains.dns.setHosts", extra_payload)
2019-12-03 15:11:04 [17] |   File "/usr/local/lib/python3.7/site-packages/namecheap.py", line 144, in _call
2019-12-03 15:11:04 [17] |     xml = self._fetch_xml(pa
2019-12-03 15:11:04 [17] | yload, extra_payload)
2019-12-03 15:11:04 [17] |   File "/usr/local/lib/python3.7/site-packages/namecheap.py", line 137, in _fetch_xml
2019-12-03 15:11:04 [17] |     raise ApiError(error.attrib['Number'], error.text)
2019-12-03 15:11:04 [17] | namecheap.ApiError: 2050900 - Please enter a fully qualified domain name.
2019-12-03 15:11:04 [17] | Running manual-auth-hook command: /var/lib/letsencrypt/hooks/authenticator.sh
2019-12-03 15:11:07 [17] | Output from manual-auth-hook command authenticator.sh:
2019-12-03 15:11:07 [17] | Remote: 21
2019-12-03 15:11:07 [17] | To set: 22
2019-12-03 15:11:07 [17] | manual-auth-hook command "/var/lib/letsencrypt/hooks/authenticator.sh" returned error code 1
2019-12-03 15:11:07 [17] | Error output from manual-auth-hook command authenticator.sh:
2019-12-03 15:11:07 [17] | Traceback (most recent call last):
2019-12-03 15:11:07 [17] |   File "/usr/local/bin/lexicon", line 8, in <module>
2019-12-03 15:11:07 [17] |     sys.exit(main())
2019-12-03 15:11:07 [17] |   File "/usr/local/lib/python3.7/site-packages/lexicon/cli.py", line 117, in main
2019-12-03 15:11:07 [17] |     results = client.execute()
2019-12-03 15:11:07 [17] |   File "/usr/local/lib/python3.7/site-packages/lexicon/client.py", line 78, in execute
2019-12-03 15:11:07 [17] |     return self.provider.create_record(record_type, name, content)
2019-12-03 15:11:07 [17] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/base.py", line 80, in create_record
2019-12-03 15:11:07 [17] |     return self._create_record(rtype, name, content)
2019-12-03 15:11:07 [17] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/namecheap.py", line 201, in _create_record
2019-12-03 15:11:07 [17] |     self.client.domains_dns_addHost(self.domain, record)
2019-12-03 15:11:07 [17] |   File "/usr/local/lib/python3.7/site-packages/namecheap.py", line 388, in domains_dns_addHost
2019-12-03 15:11:07 [17] |     self._call("namecheap.domains.dns.setHosts", extra_payload)
2019-12-03 15:11:07 [17] |   File "/usr/local/lib/python3.7/site-packages/namecheap.py", line 144, in _call
2019-12-03 15:11:07 [17] |     xml = self._fetch_xml(pa
2019-12-03 15:11:07 [17] | yload, extra_payload)
2019-12-03 15:11:07 [17] |   File "/usr/local/lib/python3.7/site-packages/namecheap.py", line 137, in _fetch_xml
2019-12-03 15:11:07 [17] |     raise ApiError(error.attrib['Number'], error.text)
2019-12-03 15:11:07 [17] | namecheap.ApiError: 2050900 - Please enter a fully qualified domain name.
2019-12-03 15:11:07 [17] | Waiting for verification...
2019-12-03 15:11:09 [17] | Challenge failed for domain example.org
2019-12-03 15:11:09 [17] | Challenge failed for domain example.org
2019-12-03 15:11:09 [17] | dns-01 challenge for example.org
2019-12-03 15:11:09 [17] | dns-01 challenge for example.org
2019-12-03 15:11:09 [17] | Cleaning up challenges
2019-12-03 15:11:09 [17] | Running manual-cleanup-hook command: /var/lib/letsencrypt/hooks/cleanup.sh
2019-12-03 15:11:11 [17] | Running manual-cleanup-hook command: /var/lib/letsencrypt/hooks/cleanup.sh
2019-12-03 15:11:14 [17] | Some challenges have failed.

// EDIT

Seems to be a problem on namecheap. I'll close this and re-open later if required.

Add icon

Using this as the container icon, feel free to use it.

[image: logo]

ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Connection refused

The container doesn't generate certificates.

ERROR:tldextract:Exception reading Public Suffix List url https://publicsuffix.org/list/public_suffix_list.dat
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 157, in _new_conn
(self._dns_host, self.port), self.timeout, **extra_kw
File "/usr/local/lib/python3.7/site-packages/urllib3/util/connection.py", line 84, in create_connection
raise err
File "/usr/local/lib/python3.7/site-packages/urllib3/util/connection.py", line 74, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 672, in urlopen
chunked=chunked,
File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 334, in connect
conn = self._new_conn()
File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 169, in _new_conn
self, "Failed to establish a new connection: %s" % e
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f2f3fecffd0>: Failed to establish a new connection: [Errno 111] Connection refused
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 720, in urlopen
method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='publicsuffix.org', port=443): Max retries exceeded with url: /list/public_suffix_list.dat (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f2f3fecffd0>: Failed to establish a new connection: [Errno 111] Connection refused'))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/tldextract/remote.py", line 37, in find_first_response
resp = session.get(url, timeout=cache_fetch_timeout)
File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 546, in get
return self.request('GET', url, **kwargs)
File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='publicsuffix.org', port=443): Max retries exceeded with url: /list/public_suffix_list.dat (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f2f3fecffd0>: Failed to establish a new connection: [Errno 111] Connection refused'))
ERROR:tldextract:Exception reading Public Suffix List url https://raw.githubusercontent.com/publicsuffix/list/master/public_suffix_list.dat
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 157, in _new_conn
(self._dns_host, self.port), self.timeout, **extra_kw
File "/usr/local/lib/python3.7/site-packages/urllib3/util/connection.py", line 84, in create_connection
raise err
File "/usr/local/lib/python3.7/site-packages/urllib3/util/connection.py", line 74, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 672, in urlopen
chunked=chunked,
File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 334, in connect
conn = self._new_conn()
File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 169, in _new_conn
self, "Failed to establish a new connection: %s" % e
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f2f3fe6f5d0>: Failed to establish a new connection: [Errno 111] Connection refused
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 720, in urlopen
method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /publicsuffix/list/master/public_suffix_list.dat (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f2f3fe6f5d0>: Failed to establish a new connection: [Errno 111] Connection refused'))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/tldextract/remote.py", line 37, in find_first_response
resp = session.get(url, timeout=cache_fetch_timeout)
File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 546, in get
return self.request('GET', url, **kwargs)
File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /publicsuffix/list/master/public_suffix_list.dat (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f2f3fe6f5d0>: Failed to establish a new connection: [Errno 111] Connection refused'))
ERROR:tldextract:No Public Suffix List found. Consider using a mirror or constructing your TLDExtract with `suffix_list_urls=None`.
2019-11-08 10:00:20 circus[1] [INFO] Starting master on pid 1
crond[15]: crond (busybox 1.30.1) started, log level 8
2019-11-08 10:00:20 circus[1] [INFO] Arbiter now waiting for commands
2019-11-08 10:00:20 circus[1] [INFO] crond started
2019-11-08 10:00:20 circus[1] [INFO] watch-domains started
2019-11-08 10:00:20 [16] | #### Registering Let's Encrypt account if needed ####
2019-11-08 10:00:20 [16] | Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
2019-11-08 10:00:20 [16] | An unexpected error occurred:
2019-11-08 10:00:20 [16] | Traceback (most recent call last):
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 157, in _new_conn
2019-11-08 10:00:20 [16] | (self._dns_host, self.port), self.timeout, **extra_kw
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/urllib3/util/connection.py", line 84, in create_connection
2019-11-08 10:00:20 [16] | raise err
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/urllib3/util/connection.py", line 74, in create_connection
2019-11-08 10:00:20 [16] | sock.connect(sa)
2019-11-08 10:00:20 [16] | ConnectionRefusedError: [Errno 111] Connection refused
2019-11-08 10:00:20 [16] | During handling of the above exception, another exception occurred:
2019-11-08 10:00:20 [16] | Traceback (most recent call last):
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 672, in urlopen
2019-11-08 10:00:20 [16] | chunked=chunked,
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 376, in _make_request
2019-11-08 10:00:20 [16] | self._validate_conn(conn)
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
2019-11-08 10:00:20 [16] | conn.connect()
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/urllib3/conn
2019-11-08 10:00:20 [16] | ection.py", line 334, in connect
2019-11-08 10:00:20 [16] | conn = self._new_conn()
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 169, in _new_conn
2019-11-08 10:00:20 [16] | self, "Failed to establish a new connection: %s" % e
2019-11-08 10:00:20 [16] | urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f8d18f2df10>: Failed to establish a new connection: [Errno 111] Connection refused
2019-11-08 10:00:20 [16] | During handling of the above exception, another exception occurred:
2019-11-08 10:00:20 [16] | Traceback (most recent call last):
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
2019-11-08 10:00:20 [16] | timeout=timeout
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 720, in urlopen
2019-11-08 10:00:20 [16] | method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 436, in increment
2019-11-08 10:00:20 [16] | raise MaxRetryError(_pool, url, error or ResponseError(cause))
2019-11-08 10:00:20 [16] | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port
2019-11-08 10:00:20 [16] | =443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f8d18f2df10>: Failed to establish a new connection: [Errno 111] Connection refused'))
2019-11-08 10:00:20 [16] | During handling of the above exception, another exception occurred:
2019-11-08 10:00:20 [16] | Traceback (most recent call last):
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/acme/client.py", line 1110, in _send_request
2019-11-08 10:00:20 [16] | response = self.session.request(method, url, *args, **kwargs)
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
2019-11-08 10:00:20 [16] | resp = self.send(prep, **send_kwargs)
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
2019-11-08 10:00:20 [16] | r = adapter.send(request, **kwargs)
2019-11-08 10:00:20 [16] | File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 516, in send
2019-11-08 10:00:20 [16] | raise ConnectionError(e, request=request)
2019-11-08 10:00:20 [16] | requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /direct
2019-11-08 10:00:20 [16] | ory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f8d18f2df10>: Failed to establish a new connection: [Errno 111] Connection refused'))
2019-11-08 10:00:20 [16] | During handling of the above exception, another exception occurred:
2019-11-08 10:00:20 [16] | ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Connection refused
2019-11-08 10:00:20 [16] | Please see the logfiles in /etc/letsencrypt/logs for more details.
2019-11-08 10:00:21 [16] | #### Clean autorestart/autocmd jobs
2019-11-08 10:00:21 [16] | #### Creating missing certificates if needed (~1min for each) ####
2019-11-08 10:00:21 [16] | >>> Creating a certificate for domain(s): -d *.h42.co -d h42.co
2019-11-08 10:00:21 [16] | Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
2019-11-08 10:00:21 [16] | Plugins selected: Authenticator manual, Installer None
2019-11-08 10:00:21 [16] | You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.
2019-11-08 10:00:21 [16] | md5sum: can't open '/etc/letsencrypt/live/h42.co/cert.pem': No such file or directory
2019-11-08 10:00:21 [16] | ### Revoke and delete certificates if needed ####
2019-11-08 10:00:21 [16] | ### Reloading circusd configuration ###
2019-11-08 10:00:22 [16] | ok

Logfile:

2019-11-08 09:54:44,085:DEBUG:certbot.main:certbot version: 0.39.0
2019-11-08 09:54:44,086:DEBUG:certbot.main:Arguments: ['-n', '--config-dir', '/etc/letsencrypt', '--logs-dir', '/etc/letsencrypt/logs', '--work-dir', '/etc/letsencrypt/work', '--agree-tos', '-m', '[email protected]', '--server', 'https://acme-v02.api.letsencrypt.org/directory']
2019-11-08 09:54:44,086:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-08 09:54:44,101:DEBUG:certbot.log:Root logging level set at 20
2019-11-08 09:54:44,102:INFO:certbot.log:Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
2019-11-08 09:54:44,154:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-11-08 09:54:44,156:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2019-11-08 09:54:44,163:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 157, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/connection.py", line 84, in create_connection
    raise err
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/connection.py", line 74, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 334, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 169, in _new_conn
    self, "Failed to establish a new connection: %s" % e
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f5c612eb510>: Failed to establish a new connection: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f5c612eb510>: Failed to establish a new connection: [Errno 111] Connection refused'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/acme/client.py", line 1110, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f5c612eb510>: Failed to establish a new connection: [Errno 111] Connection refused'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.7/site-packages/certbot/main.py", line 692, in register
    _determine_account(config)
  File "/usr/local/lib/python3.7/site-packages/certbot/main.py", line 523, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/local/lib/python3.7/site-packages/certbot/client.py", line 176, in register
    acme = acme_from_config_key(config, key)
  File "/usr/local/lib/python3.7/site-packages/certbot/client.py", line 46, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/local/lib/python3.7/site-packages/acme/client.py", line 828, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/local/lib/python3.7/site-packages/acme/client.py", line 1161, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/local/lib/python3.7/site-packages/acme/client.py", line 1133, in _send_request
    raise ValueError("Requesting {0}{1}:{2}".format(host, path, err_msg))
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Connection refused
2019-11-08 09:54:44,167:ERROR:certbot.log:An unexpected error occurred:
[root@r1 logs]# curl acme-v02.api.letsencrypt.org/directory
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

Creating a docker-compose.yml

Hey Adrian,

I really like your container and created a docker-compose.yml with a .env file for myself for it. Would you like a pull request with a generic .env file, to give people the possibility of an even faster setup?

I'm not sure what's the current best practice for it, but it might be even better to create a separate repository to ensure separation of concerns.

autorestart-containers isn't working with wildcard domains

Hello,
Everything works flawlessly for me without the autorestart-containers, once I added it I get weird errors.

domains.conf:
*.home.example.com home.example.com autorestart-containers=nginx

output (replaced my domain with home.example.com):

certbot    | *.home.example.com_autorestart-containers: added process group
certbot    | ERROR: /etc/letsencrypt/archive/*.home.example.com directory is missing.
certbot    | 2018-04-10 13:36:42,044 INFO exited:  *.home.example.com_autorestart-containers (exit status 1; not expected)

Domains.conf file and accessibility to certificates

I'm having a couple of issues with your container (although it is quite awesome).

  1. I've added two lines to the domains.conf file:
*.d.com d.com
*.a.d.com a.d.com

Only the first line is being run. Am I missing something or can I do nested subdomains with this certificate?

  2. I cannot access the certificates without sudo chown -R 1000:1000 * on the mounted folder even though I passed
      - CERTS_DIR_MODE=0755
      - CERTS_FILES_MODE=0644

into the docker-compose environment vars.

certificate gets regenerated after restore from backup

Hi, thank you for your wonderful project. I think it could fit my needs very well :)

As I'm fiddling around I think I found a non-documented side effect:

  1. start with a clean vm with docker installed
  2. run docker-letsencrypt-dns with a named volume
  3. run a helper container and copy the data to s3
  4. start with a clean vm with docker installed
  5. run a helper container copy the data from s3 to the named volume
  6. run docker-letsencrypt-dns with that named volume
  7. the certificate gets regenerated

expected behavior: the certificate is here -> do not regenerate it

But if I replace point 4 with:

4.1. delete named volume
4.2. create named volume

then point 7 changes to:

  7. the certificate does not get regenerated

That's the reason why I think this is a side effect. Maybe some state is not in the container's /etc/letsencrypt directory?

Could you clarify what else has to go into the backups except /etc/letsencrypt?

thx a lot

crond: can't execute '/bin/bash' for user root

Hi Adrien,

The cronjob does not run properly for me on the latest release 2.12.0, and is giving the following error in docker log:

2019-05-13 13:12:00 [18] | crond: can't execute '/bin/bash' for user root
2019-05-14 01:12:00 [18] | crond: can't execute '/bin/bash' for user root

I have resolved it by adding the bash package to the Dockerfile.

Let me know if you would like a PR.

Charles

Add configurable delay?

My DNS registrar (namesilo) doesn't push updates immediately but instead on 5 minute intervals.
This causes certs not to generate as the script times out.
Is there a way to handle this? Is there some option to delay the DNS record check to 5 minutes?
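One way to cope with a registrar that publishes on a fixed cycle is to poll the authoritative nameserver for the _acme-challenge TXT record until the token is visible, instead of sleeping a fixed time. The script below is an added example and not part of dnsrobocert; the hostnames and token are constructed, and it assumes dig is installed.

```shell
#!/bin/sh
# Added example (not dnsrobocert's own code): wait for the _acme-challenge TXT
# record to become visible before letting the ACME server verify it, instead of
# a fixed sleep. Hostnames and the token used below are constructed.

# Query one nameserver directly with dig; +short prints only the TXT data,
# quoted, so the quotes are stripped. Requires dig (bind-tools / dnsutils).
lookup_txt() {
    dig +short TXT "$1" "@$2" 2>/dev/null | tr -d '"'
}

# wait_for_txt NAME TOKEN NAMESERVER MAX_ATTEMPTS INTERVAL [LOOKUP_FN]
# Returns 0 as soon as TOKEN appears in NAME's TXT data at NAMESERVER, or 1
# after MAX_ATTEMPTS polls INTERVAL seconds apart. LOOKUP_FN defaults to
# lookup_txt and is injectable so the loop can be exercised without network.
wait_for_txt() {
    name=$1 token=$2 ns=$3 max=$4 interval=$5 lookup=${6:-lookup_txt}
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        if "$lookup" "$name" "$ns" | grep -qxF -- "$token"; then
            echo "$name: token visible at $ns after $attempt attempt(s)"
            return 0
        fi
        if [ "$attempt" -lt "$max" ]; then
            sleep "$interval"
        fi
        attempt=$((attempt + 1))
    done
    echo "$name: token not visible at $ns after $max attempts" >&2
    return 1
}

# A registrar that publishes on a ~5 minute cycle (as in the report above)
# needs roughly 300 s of patience: poll every 30 s, up to 12 times.
# wait_for_txt _acme-challenge.example.com 'constructed-token' ns1.example.net 12 30
```

Run the hook's record creation first, then call wait_for_txt before returning control to certbot; the exit status tells the hook whether to proceed.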

domains.conf does not issue certificate for other than line 1

Hi Adrien,
First of all thank you very much for this wonderful project.

I am trying to set this up in my environment and seeing that any line after the first line is not getting certificates issued? I have gone through some closed issues and understand that the newline was maybe not dealt with properly, but those issues were then fixed.
My domains.conf for now has simple 3 entries.

bigip-ve-2.domain.net
bigip-ve-1.domain.net
bigiq-ve-1.domain.net

Everything works for the first line, but the second one does not get issued.

Any idea?

Problems generating certificates

Hello, I am attempting to use your container, but am running into the following problems:

  1. It does not seem to recognize domains.conf with only one line entry.
  2. It will revoke the certs immediately afterwards under unspecified circumstances.

Logs from fresh start (with account info already added, and domains.conf populated):

2018-05-18 02:26:53,143 CRIT Supervisor running as root (no user in config file)
2018-05-18 02:26:53,143 WARN No file matches via include "/etc/supervisord.d/*"
2018-05-18 02:26:53,207 INFO RPC interface 'supervisor' initialized
2018-05-18 02:26:53,207 INFO supervisord started with pid 23
2018-05-18 02:26:54,219 INFO spawned: 'watch-domains' with pid 26
2018-05-18 02:26:54,231 INFO spawned: 'crond' with pid 27
#### Registering Let's Encrypt account if needed ####
2018-05-18 02:26:55,271 INFO success: watch-domains entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-05-18 02:26:55,271 INFO success: crond entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
There is an existing account; registration of a duplicate account with this command is currently unsupported.
#### Creating missing certificates if needed (~1min for each) ####
### Revoke and delete certificates if needed ####
### Reloading supervisord configuration ###

The certbot log output for the above:

2018-05-18 02:26:56,159:DEBUG:certbot.main:certbot version: 0.23.0
2018-05-18 02:26:56,163:DEBUG:certbot.main:Arguments: ['-n', '--agree-tos', '-m', '{{account_email}}@gmail.com', '--server', 'https://acme-v02.api.letsencrypt.org/directory']
2018-05-18 02:26:56,164:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-05-18 02:26:56,214:DEBUG:certbot.log:Root logging level set at 20
2018-05-18 02:26:56,216:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log

domains.conf:

*.domain.net domain.net

If I put it at the start, and put junk data (literally "junk.") at the end of domains.conf, it will work:

### Reloading supervisord configuration ###
#### Registering Let's Encrypt account if needed ####
Saving debug log to /var/log/letsencrypt/letsencrypt.log
There is an existing account; registration of a duplicate account with this command is currently unsupported.
#### Creating missing certificates if needed (~1min for each) ####
>>> Creating a certificate for domain(s): -d *.domain.net -d domain.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.net
dns-01 challenge for domain.net
Output from authenticator.sh:
Arguments: Namespace(action='create', auth_token=None, auth_username=None, content='{{token}}', delegated=None, domain='domain.net', identifier=None, log_level='DEBUG', name='_acme-challenge.domain.net.', priority=None, provider_name='cloudflare', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.cloudflare.com
https://api.cloudflare.com:443 "GET /client/v4/zones?name=domain.net&status=active HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.cloudflare.com
https://api.cloudflare.com:443 "POST /client/v4/zones/{{token}}/dns_records HTTP/1.1" 200 None
create_record: True

Output from authenticator.sh:
Arguments: Namespace(action='create', auth_token=None, auth_username=None, content='{{token}}', delegated=None, domain='domain.net', identifier=None, log_level='DEBUG', name='_acme-challenge.domain.net.', priority=None, provider_name='cloudflare', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.cloudflare.com
https://api.cloudflare.com:443 "GET /client/v4/zones?name=domain.net&status=active HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.cloudflare.com
https://api.cloudflare.com:443 "POST /client/v4/zones/{{token}}/dns_records HTTP/1.1" 200 None
create_record: True

Waiting for verification...
Cleaning up challenges
Output from cleanup.sh:
Arguments: Namespace(action='delete', auth_token=None, auth_username=None, content='{{token}}', delegated=None, domain='domain.net', identifier=None, log_level='DEBUG', name='_acme-challenge.domain.net.', priority=None, provider_name='cloudflare', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.cloudflare.com
https://api.cloudflare.com:443 "GET /client/v4/zones?name=domain.net&status=active HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.cloudflare.com
https://api.cloudflare.com:443 "GET /client/v4/zones/{{token}}/dns_records?per_page=100&type=TXT&name=_acme-challenge.domain.net&content={{token}} HTTP/1.1" 200 None
list_records: [{'type': 'TXT', 'name': '_acme-challenge.domain.net', 'ttl': 3600, 'content': '{{token}}', 'id': '{{token}}'}]
delete_records: ['{{token}}']
Starting new HTTPS connection (1): api.cloudflare.com
https://api.cloudflare.com:443 "DELETE /client/v4/zones/{{token}}/dns_records/{{token}} HTTP/1.1" 200 None
delete_record: True

Output from cleanup.sh:
Arguments: Namespace(action='delete', auth_token=None, auth_username=None, content='{{token}}', delegated=None, domain='domain.net', identifier=None, log_level='DEBUG', name='_acme-challenge.domain.net.', priority=None, provider_name='cloudflare', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.cloudflare.com
https://api.cloudflare.com:443 "GET /client/v4/zones?name=domain.net&status=active HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.cloudflare.com
https://api.cloudflare.com:443 "GET /client/v4/zones/{{token}}/dns_records?per_page=100&type=TXT&name=_acme-challenge.domain.net&content={{token}} HTTP/1.1" 200 None
list_records: [{'type': 'TXT', 'name': '_acme-challenge.domain.net', 'ttl': 3600, 'content': '{{token}}', 'id': '{{token}}'}]
delete_records: ['5e2e89424cb4e9c3f21c6d08f36cd34a']
Starting new HTTPS connection (1): api.cloudflare.com
https://api.cloudflare.com:443 "DELETE /client/v4/zones/{{token}}/dns_records/{{token}} HTTP/1.1" 200 None
delete_record: True

Running deploy-hook command: deploy-hook.sh
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.net/privkey.pem
   Your cert will expire on 2018-08-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

### Revoke and delete certificates if needed ####
### Reloading supervisord configuration ###

And it does not revoke!

(I also notice that the arguments section in the log under authenticator.sh and cleanup.sh show "None" for cloudflare? Or is that just to not log the token?)

It looks as if it does not properly handle the last line in the file, or the only line if there's only one line.

Please let me know what debug information I can gather for you.
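The reports above about wildcard autorestart, nested subdomains, only the first line being issued, and the last line being ignored all touch how domains.conf is read. The shell example below is added here and is not the project's code: it reads the file without dropping a final line that lacks a trailing newline, and derives the certbot lineage directory from each line the way the log above shows (*.domain.net domain.net was saved under /etc/letsencrypt/live/domain.net). The sample configuration lines are constructed.

```shell
#!/bin/sh
# Added example, not dnsrobocert's own code: read domains.conf without
# dropping the final line when the file has no trailing newline, which matches
# the "only the first line / not the last line" symptoms reported above.
# The sample configuration lines below are constructed.

# parse_domains_conf reads domains.conf on stdin and prints one line per
# certificate: "<lineage> <domain> [<domain> ...]". The lineage is the first
# domain with a leading "*." removed, which is the directory certbot created
# under /etc/letsencrypt/live in the log above (*.domain.net -> domain.net);
# the archive path "*.home.example.com" in the autorestart error is not it.
# key=value tokens such as autorestart-containers=nginx are options, not domains.
parse_domains_conf() {
    set -f   # tokens like *.d.com must not be expanded as globs
    # `|| [ -n "$line" ]` keeps a last line that ends without "\n":
    # read returns non-zero there, and a plain `while read` would skip it.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '' | '#'*) continue ;;   # blank line or comment
        esac
        lineage=''
        domains=''
        for token in $line; do
            case "$token" in
                *=*) ;;   # option, not a domain
                *)
                    if [ -z "$lineage" ]; then
                        lineage=${token#\*.}
                    fi
                    domains="$domains $token"
                    ;;
            esac
        done
        if [ -n "$lineage" ]; then
            printf '%s%s\n' "$lineage" "$domains"
        fi
    done
    set +f
}

# Constructed sample: three entries, the last one without a trailing newline.
sample_domains_conf() {
    printf '%s\n' '*.home.example.com home.example.com autorestart-containers=nginx'
    printf '%s\n' '*.d.com d.com'
    printf '%s' '*.a.d.com a.d.com'
}

# Number of certificates the sample yields (3 only if the last line is kept).
count_entries() {
    sample_domains_conf | parse_domains_conf | wc -l | tr -d ' '
}

# Lineage directory name for a single domains.conf line.
lineage_of_line() {
    printf '%s' "$1" | parse_domains_conf | cut -d ' ' -f 1
}

sample_domains_conf | parse_domains_conf
```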

.com.de domain with namecheap not working

If I use a domain which has name.tld.tld2 the authentication fails with namecheap.
If I use my other domain like name.tld it works perfectly. Both the domains are in the same namecheap account.

Anyone know why and how to solve it?

letsencrypt-dns | 2019-10-17 15:13:07 [19] | manual-auth-hook command "/var/lib/letsencrypt/hooks/authenticator.sh" returned error code 1
letsencrypt-dns | 2019-10-17 15:13:07 [19] | Error output from manual-auth-hook command authenticator.sh:
letsencrypt-dns | 2019-10-17 15:13:07 [19] | Traceback (most recent call last):
letsencrypt-dns | 2019-10-17 15:13:07 [19] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/namecheap.py", line 121, in _authenticate
letsencrypt-dns | 2019-10-17 15:13:07 [19] |     xml = self.client._call('namecheap.domains.getInfo', extra_payload)  # pylint: disable=protected-access
letsencrypt-dns | 2019-10-17 15:13:07 [19] |   File "/usr/local/lib/python3.7/site-packages/namecheap.py", line 144, in _call
letsencrypt-dns | 2019-10-17 15:13:07 [19] |     xml = self._fetch_xml(payload, extra_payload)
letsencrypt-dns | 2019-10-17 15:13:07 [19] |   File "/usr/local/lib/python3.7/site-packages/namecheap.py", line 137, in _fetch_xml
letsencrypt-dns | 2019-10-17 15:13:07 [19] |     raise ApiError(error.attrib['Number'], error.text)
letsencrypt-dns | 2019-10-17 15:13:07 [19] | namecheap.ApiError: 2030166 - Domain is invalid
letsencrypt-dns | 2019-10-17 15:13:07 [19] | During handling of the above exception, another exception occurred:
letsencrypt-dns | 2019-10-17 15:13:07 [19] | Traceback (most recent call last):
letsencrypt-dns | 2019-10-17 15:13:07 [19] |   File "/usr/local/bin/lexicon", line 10, in <module>
letsencrypt-dns | 2019-10-17 15:13:07 [19] |     sys.exit(main())
letsencrypt-dns | 2019-10-17 15:13:07 [19] |   File "/usr/local/lib/python3.7/site-packages/lexicon/cli.py", line 117, in main
letsencrypt-dns | 2019-10-17 15:13:07 [19] |     results = client.execute()
letsencrypt-dns | 2019-10-17 15:13:07 [19] |   File
letsencrypt-dns | 2019-10-17 15:13:07 [19] | "/usr/local/lib/python3.7/site-packages/lexicon/client.py", line 71, in execute
letsencrypt-dns | 2019-10-17 15:13:07 [19] |     self.provider.authenticate()
letsencrypt-dns | 2019-10-17 15:13:07 [19] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/base.py", line 69, in authenticate
letsencrypt-dns | 2019-10-17 15:13:07 [19] |     return self._authenticate()
letsencrypt-dns | 2019-10-17 15:13:07 [19] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/namecheap.py", line 127, in _authenticate
letsencrypt-dns | 2019-10-17 15:13:07 [19] |     raise Exception('Authentication failed: `%s`' % str(err))
letsencrypt-dns | 2019-10-17 15:13:07 [19] | Exception: Authentication failed: `2030166 - Domain is invalid`
letsencrypt-dns | 2019-10-17 15:13:07 [19] | Waiting for verification...
letsencrypt-dns | 2019-10-17 15:13:09 [19] | Challenge failed for domain mikrotik.com.de
letsencrypt-dns | 2019-10-17 15:13:09 [19] | dns-01 challenge for mikrotik.com.de
letsencrypt-dns | 2019-10-17 15:13:09 [19] | Cleaning up challenges
letsencrypt-dns | 2019-10-17 15:13:09 [19] | Running manual-cleanup-hook command: /var/lib/letsencrypt/hooks/cleanup.sh
letsencrypt-dns | 2019-10-17 15:13:10 [19] | manual-cleanup-hook command "/var/lib/letsencrypt/hooks/cleanup.sh" returned error code 1
letsencrypt-dns | 2019-10-17 15:13:10 [19] | Error output from manual-cleanup-hook command cleanup.sh:
letsencrypt-dns | 2019-10-17 15:13:10 [19] | Traceback (most recent call last):
letsencrypt-dns | 2019-10-17 15:13:10 [19] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/namecheap.py", line 121, in _authenticate
letsencrypt-dns | 2019-10-17 15:13:10 [19] |     xml = self.client._call('namecheap.domains.getInfo', extra_payload)  # pylint: disable=protected-access
letsencrypt-dns | 2019-10-17 15:13:10 [19] |   File "/usr/local/lib/python3.7/site-packages/namecheap.py", line 144, in _call
letsencrypt-dns | 2019-10-17 15:13:10 [19] |     xml = self._fetch_xml(payload, extra_payload)
letsencrypt-dns | 2019-10-17 15:13:10 [19] |   File "/usr/local/lib/python3.7/site-packages/namecheap.py", line 137, in _fetch_xml
letsencrypt-dns | 2019-10-17 15:13:10 [19] |     raise ApiError(error.attrib['Number'], error.text)
letsencrypt-dns | 2019-10-17 15:13:10 [19] | namecheap.ApiError: 2030166 - Domain is invalid
letsencrypt-dns | 2019-10-17 15:13:10 [19] | During handling of the above exception, another exception occurred:
letsencrypt-dns | 2019-10-17 15:13:10 [19] | Traceback (most recent call last):
letsencrypt-dns | 2019-10-17 15:13:10 [19] |   File "/usr/local/bin/lexicon", line 10, in <module>
letsencrypt-dns | 2019-10-17 15:13:10 [19] |     sys.exit(main())
letsencrypt-dns | 2019-10-17 15:13:10 [19] |   File "/usr/local/lib/python3.7/site-packages/lexicon/cli.py", line 117, in main
letsencrypt-dns | 2019-10-17 15:13:10 [19] |     results = client.execute()
letsencrypt-dns | 2019-10-17 15:13:10 [19] |   File "/usr/
letsencrypt-dns | 2019-10-17 15:13:10 [19] | local/lib/python3.7/site-packages/lexicon/client.py", line 71, in execute
letsencrypt-dns | 2019-10-17 15:13:10 [19] |     self.provider.authenticate()
letsencrypt-dns | 2019-10-17 15:13:10 [19] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/base.py", line 69, in authenticate
letsencrypt-dns | 2019-10-17 15:13:10 [19] |     return self._authenticate()
letsencrypt-dns | 2019-10-17 15:13:10 [19] |   File "/usr/local/lib/python3.7/site-packages/lexicon/providers/namecheap.py", line 127, in _authenticate
letsencrypt-dns | 2019-10-17 15:13:10 [19] |     raise Exception('Authentication failed: `%s`' % str(err))
letsencrypt-dns | 2019-10-17 15:13:10 [19] | Exception: Authentication failed: `2030166 - Domain is invalid`
letsencrypt-dns | 2019-10-17 15:13:10 [19] | Some challenges have failed.
