Hi, I can’t renew or issue a certificate using the lego script’s Azure DNS method after the domain was moved to another resource group in a different subscription. Let’s Encrypt caches the old parameters and ignores the new ones provided before “run”.
My domain is: digitaldexteritylabs.com and digitaldexteritylabs.pl with wildcards.
I ran this command:
export AZURE_SUBSCRIPTION_ID="b1bXXX"
export AZURE_TENANT_ID="b1559be9XXX"
export AZURE_CLIENT_ID="b6eXXX"
export AZURE_CLIENT_SECRET="XXX"
export AZURE_RESOURCE_GROUP="itdev-prod-domains"
/opt/bitnami/letsencrypt/lego --email XXX@it-dev.pl --dns azure -d digitaldexteritylabs.pl -d *.digitaldexteritylabs.pl -d digitaldexteritylabs.com -d *.digitaldexteritylabs.com --path /opt/bitnami/letsencrypt --pem run
It produced this output:
2020/06/15 15:19:49 [INFO] [digitaldexteritylabs.pl, .digitaldexteritylabs.pl, digitaldexteritylabs.com, .digitaldexteritylabs.com] acme: Obtaining bundled SAN certificate
2020/06/15 15:19:50 [INFO] [.digitaldexteritylabs.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5243027460
2020/06/15 15:19:50 [INFO] [.digitaldexteritylabs.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5243027463
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5243027466
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5243027467
2020/06/15 15:19:50 [INFO] [.digitaldexteritylabs.com] acme: use dns-01 solver
2020/06/15 15:19:50 [INFO] [.digitaldexteritylabs.pl] acme: use dns-01 solver
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.com] acme: Could not find solver for: tls-alpn-01
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.com] acme: Could not find solver for: http-01
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.com] acme: use dns-01 solver
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.pl] acme: Could not find solver for: tls-alpn-01
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.pl] acme: Could not find solver for: http-01
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.pl] acme: use dns-01 solver
2020/06/15 15:19:50 [INFO] [.digitaldexteritylabs.com] acme: Preparing to solve DNS-01
2020/06/15 15:19:51 [INFO] [.digitaldexteritylabs.pl] acme: Preparing to solve DNS-01
2020/06/15 15:19:51 [INFO] [digitaldexteritylabs.com] acme: Preparing to solve DNS-01
2020/06/15 15:19:51 [INFO] [digitaldexteritylabs.pl] acme: Preparing to solve DNS-01
2020/06/15 15:19:51 [INFO] [.digitaldexteritylabs.com] acme: Cleaning DNS-01 challenge
2020/06/15 15:19:51 [WARN] [.digitaldexteritylabs.com] acme: error cleaning up: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 – Original Error: autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘5c3b7afa-XXX’ with object id ‘5c3b7afa-XXX’ does not have authorization to perform action ‘Microsoft.Network/dnsZones/read’ over scope ‘/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.com’ or the scope is invalid. If access was recently granted, please refresh your credentials.”
2020/06/15 15:19:51 [INFO] [.digitaldexteritylabs.pl] acme: Cleaning DNS-01 challenge
2020/06/15 15:19:51 [WARN] [.digitaldexteritylabs.pl] acme: error cleaning up: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 – Original Error: autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘5c3b7afa-XXX’ with object id ‘5c3b7afa-XXX’ does not have authorization to perform action ‘Microsoft.Network/dnsZones/read’ over scope ‘/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.pl’ or the scope is invalid. If access was recently granted, please refresh your credentials.”
2020/06/15 15:19:51 [INFO] [digitaldexteritylabs.com] acme: Cleaning DNS-01 challenge
2020/06/15 15:19:51 [WARN] [digitaldexteritylabs.com] acme: error cleaning up: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 – Original Error: autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘5c3b7afa-XXX’ with object id ‘5c3b7afa-XXX’ does not have authorization to perform action ‘Microsoft.Network/dnsZones/read’ over scope ‘/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.com’ or the scope is invalid. If access was recently granted, please refresh your credentials.”
2020/06/15 15:19:51 [INFO] [digitaldexteritylabs.pl] acme: Cleaning DNS-01 challenge
2020/06/15 15:19:51 [WARN] [digitaldexteritylabs.pl] acme: error cleaning up: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 – Original Error: autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘5c3b7afa-XXX’ with object id ‘5c3b7afa-XXX’ does not have authorization to perform action ‘Microsoft.Network/dnsZones/read’ over scope ‘/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.pl’ or the scope is invalid. If access was recently granted, please refresh your credentials.”
2020/06/15 15:19:51 Could not obtain certificates:
acme: Error -> One or more domains had a problem:
[.digitaldexteritylabs.com] [.digitaldexteritylabs.com] acme: error presenting token: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 – Original Error: autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘5c3b7afa-XXX’ with object id ‘5c3b7afa-XXX’ does not have authorization to perform action ‘Microsoft.Network/dnsZones/read’ over scope ‘/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.com’ or the scope is invalid. If access was recently granted, please refresh your credentials.”
[.digitaldexteritylabs.pl] [.digitaldexteritylabs.pl] acme: error presenting token: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 – Original Error: autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘5c3b7afa-XXX’ with object id ‘5c3b7afa-XXX’ does not have authorization to perform action ‘Microsoft.Network/dnsZones/read’ over scope ‘/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.pl’ or the scope is invalid. If access was recently granted, please refresh your credentials.”
[digitaldexteritylabs.com] [digitaldexteritylabs.com] acme: error presenting token: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 – Original Error: autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘5c3b7afa-XXX’ with object id ‘5c3b7afa-XXX’ does not have authorization to perform action ‘Microsoft.Network/dnsZones/read’ over scope ‘/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.com’ or the scope is invalid. If access was recently granted, please refresh your credentials.”
[digitaldexteritylabs.pl] [digitaldexteritylabs.pl] acme: error presenting token: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 – Original Error: autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘5c3b7afa-XXX’ with object id ‘5c3b7afa-XXX’ does not have authorization to perform action ‘Microsoft.Network/dnsZones/read’ over scope ‘/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.pl’ or the scope is invalid. If access was recently granted, please refresh your credentials.”
How can I renew certificates using refreshed dns auth parameters?
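
Each 403 message in the output above names the subscription and resource group the request actually targeted, so it can be compared with the exported `AZURE_*` values. The following is an added example, not part of the original post and not lego or Bitnami code; the function names are hypothetical and the sample line is shortened from the redacted output above.

```shell
#!/bin/sh
# Added example: check whether the Azure scope named in a lego
# "AuthorizationFailed" message matches the values exported for the run.

# Constructed sample: one error line shortened from the redacted output in the post.
SAMPLE_LOG="acme: error presenting token: azure: dns.ZonesClient#Get: StatusCode=403 Code=AuthorizationFailed over scope '/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.com' or the scope is invalid."

# Lowercase a string; Azure resource group names and subscription GUIDs are case-insensitive.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Read log text on stdin; print "<subscription> <resource-group>" for the first scope found.
scope_from_log() {
    sed -n 's|.*/subscriptions/\([^/]*\)/resourceGroups/\([^/]*\)/providers/.*|\1 \2|p' | head -n 1
}

# check_scope <expected-subscription> <expected-resource-group>, log text on stdin.
# Returns 0 on match, 1 on mismatch, 2 when the input contains no scope.
check_scope() {
    cs_found=$(scope_from_log)
    [ -n "$cs_found" ] || { echo "no Azure scope in input"; return 2; }
    cs_sub=${cs_found%% *}
    cs_rg=${cs_found#* }
    cs_rc=0
    if [ "$(lower "$cs_sub")" != "$(lower "$1")" ]; then
        echo "subscription: request used '$cs_sub', environment has '$1'"; cs_rc=1
    fi
    if [ "$(lower "$cs_rg")" != "$(lower "$2")" ]; then
        echo "resource group: request used '$cs_rg', environment has '$2'"; cs_rc=1
    fi
    [ "$cs_rc" -eq 0 ] && echo "scope matches the exported values"
    return "$cs_rc"
}

# Demo with the values exported in the post (redacted there as well).
printf '%s\n' "$SAMPLE_LOG" | check_scope "b1bXXX" "itdev-prod-domains" || true
```

To check a real run, pipe lego's output into `check_scope "$AZURE_SUBSCRIPTION_ID" "$AZURE_RESOURCE_GROUP"`; a mismatch means the request was built from values other than the ones exported in that shell.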