"An unexpected error occurred" when getting wildcard and base domain cert

My domain is: foul.is

I ran this command:
certbot certonly --agree-tos --server https://acme-v02.api.letsencrypt.org/directory --dns-dnsimple --dns-dnsimple-credentials /credentials/dnsimple.ini -d '*.local.foul.is,local.foul.is'
(using the certbot/dns-dnsimple docker image)

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-dnsimple, Installer None

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/local.foul.is.conf)

It contains these names: *.local.foul.is

You requested these names for the new certificate: *.local.foul.is,
local.foul.is.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for local.foul.is
dns-01 challenge for local.foul.is
Waiting 30 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
Exception: Record identifier could not be found.
Please see the logfiles in /var/log/letsencrypt for more details.

The last lines of the log file:

2018-03-18 23:10:57,518:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/main.py", line 1157, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/src/certbot/main.py", line 113, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/certbot/src/certbot/renewal.py", line 297, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/opt/certbot/src/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/src/certbot/client.py", line 330, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/certbot/src/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(resp, best_effort)
  File "/opt/certbot/src/certbot/auth_handler.py", line 159, in _respond
    self._cleanup_challenges(active_achalls)
  File "/opt/certbot/src/certbot/auth_handler.py", line 304, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/opt/certbot/src/certbot/plugins/dns_common.py", line 76, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/opt/certbot/src/certbot-dns-dnsimple/certbot_dns_dnsimple/dns_dnsimple.py", line 54, in _cleanup
    self._get_dnsimple_client().del_txt_record(domain, validation_name, validation)
  File "/opt/certbot/src/certbot/plugins/dns_common_lexicon.py", line 55, in del_txt_record
    self.provider.delete_record(type='TXT', name=record_name, content=record_content)
  File "/usr/local/lib/python2.7/site-packages/lexicon/providers/dnsimple.py", line 129, in delete_record
    raise Exception('Record identifier could not be found.')
Exception: Record identifier could not be found.
2018-03-18 23:10:57,521:ERROR:certbot.log:An unexpected error occurred:

It left two TXT records behind on dnsimple. I tried manually deleting those records before re-running the command without any difference.

I previously ran the same command and it failed the same way. Then I ran it with just the wildcard domain and I got a valid cert. Hence the output now shows the message about expanding the existing cert.

I believe it is because of the following:

Fixed here but not yet merged:

https://github.com/AnalogJ/lexicon/pull/183

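The record-selection logic the cleanup step needs in this situation, as an added example that is not part of the thread, of certbot or of lexicon: both dns-01 challenges live under the same validation name, _acme-challenge.local.foul.is, so the record to delete has to be matched on name and content together, not name alone. Record ids, tokens and the zone-relative names are constructed.

```python
"""Record selection for ACME dns-01 cleanup when a wildcard and its base
domain share one validation name. Constructed example, not certbot/lexicon code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TxtRecord:
    id: int        # identifier assigned by the DNS provider
    name: str      # owner name relative to the zone, e.g. "_acme-challenge.local"
    content: str   # TXT payload: the ACME validation token


class RecordLookupError(Exception):
    """Zero or several records match; nothing can be deleted safely."""


def _bare(txt: str) -> str:
    # TXT presentation format may wrap the string in quotes; compare the payload.
    return txt.strip('"')


def find_record_id(records: List[TxtRecord], name: str,
                   content: Optional[str] = None) -> int:
    """Return the id of exactly one TXT record matching name (and content, if given).
    While '*.local.foul.is' and 'local.foul.is' are validated together, both
    challenges sit under _acme-challenge.local.foul.is, so name alone is ambiguous."""
    hits = [r for r in records if r.name == name
            and (content is None or _bare(r.content) == _bare(content))]
    if len(hits) != 1:
        raise RecordLookupError(f"{len(hits)} records match name={name!r} content={content!r}")
    return hits[0].id


def cleanup_challenge(records: List[TxtRecord], name: str, content: str) -> List[TxtRecord]:
    """Delete the one record belonging to this challenge and return what remains."""
    victim = find_record_id(records, name, content)
    return [r for r in records if r.id != victim]


# Constructed zone state mid-validation: two tokens under the same name.
ZONE = [TxtRecord(101, "_acme-challenge.local", "tokenA-wildcard"),
        TxtRecord(102, "_acme-challenge.local", '"tokenB-base"'),
        TxtRecord(7, "www", "unrelated")]


def run_cleanup(zone: List[TxtRecord]) -> List[TxtRecord]:
    """Clean up both challenges by name AND content; no TXT records are left behind."""
    zone = cleanup_challenge(zone, "_acme-challenge.local", "tokenA-wildcard")
    return cleanup_challenge(zone, "_acme-challenge.local", "tokenB-base")
```

A name-only lookup against the same zone raises RecordLookupError, which is the situation the "Record identifier could not be found" failure above corresponds to.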

Cool. Thanks for the quick reply @_az 👍

As a workaround, provisioning the cert in “manual” mode by adding the TXT records myself worked fine:
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges=dns -d '*.local.foul.is,local.foul.is'


I had exactly this problem. Running in --manual mode worked perfectly – thanks!

Note that when you do this (without an authenticator hook script), you can’t autorenew that certificate with certbot renew (because the renewal process will require the deployment of a new TXT record). It can only be renewed manually (e.g. by repeating the exact same certonly command as before). Please bear this in mind to avoid having your certificate expire unexpectedly!

(If there is eventually a working plugin for your DNS provider and you select that plugin as an authenticator, or if you can write a script to update the TXT records and you select that script as an authentication hook, then it’s possible to have Certbot auto-renew the certificate non-interactively.)
