Azure DNS method renewal problem

Hi, I can't renew or issue a certificate using the lego script's Azure DNS method after the domain was moved to another resource group in a different subscription. Letsencrypt caches the old parameters and ignores the new ones provided before "run".

My domains are: digitaldexteritylabs.com and digitaldexteritylabs.pl, with wildcards.

I ran this command:
export AZURE_SUBSCRIPTION_ID="b1bXXX"
export AZURE_TENANT_ID="b1559be9XXX"
export AZURE_CLIENT_ID="b6eXXX"
export AZURE_CLIENT_SECRET="XXX"
export AZURE_RESOURCE_GROUP="itdev-prod-domains"

/opt/bitnami/letsencrypt/lego --email XXX@it-dev.pl --dns azure -d digitaldexteritylabs.pl -d *.digitaldexteritylabs.pl -d digitaldexteritylabs.com -d *.digitaldexteritylabs.com --path /opt/bitnami/letsencrypt --pem run

It produced this output:

2020/06/15 15:19:49 [INFO] [digitaldexteritylabs.pl, *.digitaldexteritylabs.pl, digitaldexteritylabs.com, *.digitaldexteritylabs.com] acme: Obtaining bundled SAN certificate
2020/06/15 15:19:50 [INFO] [*.digitaldexteritylabs.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5243027460
2020/06/15 15:19:50 [INFO] [*.digitaldexteritylabs.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5243027463
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5243027466
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5243027467
2020/06/15 15:19:50 [INFO] [*.digitaldexteritylabs.com] acme: use dns-01 solver
2020/06/15 15:19:50 [INFO] [*.digitaldexteritylabs.pl] acme: use dns-01 solver
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.com] acme: Could not find solver for: tls-alpn-01
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.com] acme: Could not find solver for: http-01
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.com] acme: use dns-01 solver
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.pl] acme: Could not find solver for: tls-alpn-01
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.pl] acme: Could not find solver for: http-01
2020/06/15 15:19:50 [INFO] [digitaldexteritylabs.pl] acme: use dns-01 solver
2020/06/15 15:19:50 [INFO] [*.digitaldexteritylabs.com] acme: Preparing to solve DNS-01
2020/06/15 15:19:51 [INFO] [*.digitaldexteritylabs.pl] acme: Preparing to solve DNS-01
2020/06/15 15:19:51 [INFO] [digitaldexteritylabs.com] acme: Preparing to solve DNS-01
2020/06/15 15:19:51 [INFO] [digitaldexteritylabs.pl] acme: Preparing to solve DNS-01
2020/06/15 15:19:51 [INFO] [*.digitaldexteritylabs.com] acme: Cleaning DNS-01 challenge
2020/06/15 15:19:51 [WARN] [*.digitaldexteritylabs.com] acme: error cleaning up: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '5c3b7afa-XXX' with object id '5c3b7afa-XXX' does not have authorization to perform action 'Microsoft.Network/dnsZones/read' over scope '/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.com' or the scope is invalid. If access was recently granted, please refresh your credentials."
2020/06/15 15:19:51 [INFO] [*.digitaldexteritylabs.pl] acme: Cleaning DNS-01 challenge
2020/06/15 15:19:51 [WARN] [*.digitaldexteritylabs.pl] acme: error cleaning up: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '5c3b7afa-XXX' with object id '5c3b7afa-XXX' does not have authorization to perform action 'Microsoft.Network/dnsZones/read' over scope '/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.pl' or the scope is invalid. If access was recently granted, please refresh your credentials."
2020/06/15 15:19:51 [INFO] [digitaldexteritylabs.com] acme: Cleaning DNS-01 challenge
2020/06/15 15:19:51 [WARN] [digitaldexteritylabs.com] acme: error cleaning up: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '5c3b7afa-XXX' with object id '5c3b7afa-XXX' does not have authorization to perform action 'Microsoft.Network/dnsZones/read' over scope '/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.com' or the scope is invalid. If access was recently granted, please refresh your credentials."
2020/06/15 15:19:51 [INFO] [digitaldexteritylabs.pl] acme: Cleaning DNS-01 challenge
2020/06/15 15:19:51 [WARN] [digitaldexteritylabs.pl] acme: error cleaning up: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '5c3b7afa-XXX' with object id '5c3b7afa-XXX' does not have authorization to perform action 'Microsoft.Network/dnsZones/read' over scope '/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.pl' or the scope is invalid. If access was recently granted, please refresh your credentials."
2020/06/15 15:19:51 Could not obtain certificates:
acme: Error -> One or more domains had a problem:
[*.digitaldexteritylabs.com] [*.digitaldexteritylabs.com] acme: error presenting token: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '5c3b7afa-XXX' with object id '5c3b7afa-XXX' does not have authorization to perform action 'Microsoft.Network/dnsZones/read' over scope '/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.com' or the scope is invalid. If access was recently granted, please refresh your credentials."
[*.digitaldexteritylabs.pl] [*.digitaldexteritylabs.pl] acme: error presenting token: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '5c3b7afa-XXX' with object id '5c3b7afa-XXX' does not have authorization to perform action 'Microsoft.Network/dnsZones/read' over scope '/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.pl' or the scope is invalid. If access was recently granted, please refresh your credentials."
[digitaldexteritylabs.com] [digitaldexteritylabs.com] acme: error presenting token: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '5c3b7afa-XXX' with object id '5c3b7afa-XXX' does not have authorization to perform action 'Microsoft.Network/dnsZones/read' over scope '/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.com' or the scope is invalid. If access was recently granted, please refresh your credentials."
[digitaldexteritylabs.pl] [digitaldexteritylabs.pl] acme: error presenting token: azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '5c3b7afa-XXX' with object id '5c3b7afa-XXX' does not have authorization to perform action 'Microsoft.Network/dnsZones/read' over scope '/subscriptions/c34be382-XXX/resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/digitaldexteritylabs.pl' or the scope is invalid. If access was recently granted, please refresh your credentials."

How can I renew the certificates using the refreshed DNS auth parameters?

Hi @tszalaj

that's an error in your DNS configuration, not something on Letsencrypt's side.

Looks like your DNS credentials are wrong.

Hi Juergen,

Thanks for your answer, but what I stressed is that the IDs in the error message are not the IDs I set in the exports. My question is how I can discard the credentials stored with my account on the Letsencrypt servers and use the ones I provided in the exports. According to the documentation, the "run" parameter performs account re-registration, but that didn't happen.

Best regards,
Tomasz Szałaj

Second time: your Microsoft.Network credentials aren't saved by Letsencrypt.

It's your local Letsencrypt client that saves and uses these wrong values.

That's not a Letsencrypt error message; that's something in your DNS management.

Read some basics:

It's a local problem in your environment.

Hi Tomasz

As @JuergenAuer mentioned, the client you are using does not store your Azure credentials.

The ACME protocol allows public keys (for accounts) to be stored, but no other secrets.

Clients such as LEGO optionally implement DNS challenge solvers for common DNS services such as Azure DNS.

The first port of call is to go to the DNS zone in your Azure subscription and check its IAM to make sure that the client you are using (App Registrations) is allowed to make changes to the DNS zone.

If you feel that you are using a newer App Registration and the client is not picking it up, contact the LEGO authors on GitHub and raise an issue.

Andrei
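A check for the 403 above, added here as example code (not lego's and not from anyone in the thread): it parses the AuthorizationFailed message lego printed and compares the subscription and resource group in the rejected scope with the AZURE_* values that were exported, which tells you whether those exports were in effect at all before you go to the zone's IAM. The sample log line and environment values are constructed from the redacted values in the post.

```python
import re

# Constructed sample of one lego WARN line like those in the thread; the ids are
# the same XXX-redacted placeholders as in the post, not real identifiers.
SAMPLE_LOG = (
    "2020/06/15 15:19:51 [WARN] [*.digitaldexteritylabs.com] acme: error cleaning up: "
    "azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=403 -- "
    "Original Error: autorest/azure: Service returned an error. Status=403 "
    "Code=\"AuthorizationFailed\" Message=\"The client '5c3b7afa-XXX' with object id "
    "'5c3b7afa-XXX' does not have authorization to perform action "
    "'Microsoft.Network/dnsZones/read' over scope '/subscriptions/c34be382-XXX/"
    "resourceGroups/ITDev-Prod-WebApps/providers/Microsoft.Network/dnsZones/"
    "digitaldexteritylabs.com' or the scope is invalid.\""
)
# The values the poster exported before running lego (redacted as in the thread).
CONFIGURED_ENV = {"AZURE_SUBSCRIPTION_ID": "b1bXXX",
                  "AZURE_RESOURCE_GROUP": "itdev-prod-domains"}

AUTHZ_RE = re.compile(
    r"object id '(?P<object_id>[^']+)'.*?action '(?P<action>[^']+)'.*?"
    r"scope '/subscriptions/(?P<subscription>[^/]+)/resourceGroups/(?P<rg>[^/]+)/"
    r"providers/Microsoft\.Network/dnsZones/(?P<zone>[^']+)'")


def parse_authz_failure(line):
    """Return principal, action and rejected scope from an AuthorizationFailed
    message, or None if the line is not one. Curly quotes are normalised first
    so text pasted from a forum post still parses."""
    line = line.replace("\u2018", "'").replace("\u2019", "'")
    m = AUTHZ_RE.search(line)
    return m.groupdict() if m else None


def diagnose(line, env):
    """Compare the scope Azure rejected with the configured subscription/resource
    group. The rejected scope is what lego actually asked for, so a mismatch means
    the exported AZURE_* values were not in effect for this run; an empty
    'mismatches' list means only the role assignment for the reported object id
    on that zone is missing. The object id is the service principal's, so it
    never equals AZURE_CLIENT_ID (the application id)."""
    parsed = parse_authz_failure(line)
    if parsed is None:
        return None
    mismatches = []
    if parsed["subscription"] != env.get("AZURE_SUBSCRIPTION_ID"):
        mismatches.append("subscription")
    # Azure resource group names are case-insensitive, so compare case-folded.
    if parsed["rg"].lower() != env.get("AZURE_RESOURCE_GROUP", "").lower():
        mismatches.append("resource_group")
    return {"principal": parsed["object_id"], "action": parsed["action"],
            "zone": parsed["zone"], "mismatches": mismatches}
```

Run `diagnose(SAMPLE_LOG, CONFIGURED_ENV)`: for the thread's values both the subscription and the resource group are reported as mismatches, which is consistent with the exports not being the configuration lego used.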

