Cannot perform dns challenge on GCE

nmtri881994 · September 16, 2020, 5:16pm

My domain is:
*.strapi.vn

I ran this command:
sudo certbot certonly --dns-google -d *.stool.vn

It produced this output:

Encountered exception during recovery: 
Traceback (most recent call last):
  File "/snap/certbot/579/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/snap/certbot/579/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/certbot_dns_google/_internal/dns_google.py", line 70, in _perform
    self._get_google_client().add_txt_record(domain, validation_name, validation, self.ttl)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/certbot_dns_google/_internal/dns_google.py", line 76, in _get_google_client
    return _GoogleClient(self.conf('credentials'))
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/certbot_dns_google/_internal/dns_google.py", line 96, in __init__
    self.dns = discovery.build('dns', 'v1',
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/googleapiclient/discovery.py", line 221, in build
    content = _retrieve_discovery_doc(requested_url, http, cache_discovery,
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/googleapiclient/discovery.py", line 269, in _retrieve_discovery_doc
    resp, content = http.request(actual_url)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/httplib2/__init__.py", line 1322, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/httplib2/__init__.py", line 1072, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/httplib2/__init__.py", line 995, in _conn_request
    conn.connect()
  File "/snap/certbot/579/usr/lib/python3.8/http/client.py", line 1409, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/snap/certbot/579/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/snap/certbot/579/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/snap/certbot/579/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL] internal error (_ssl.c:1108)
During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/snap/certbot/579/lib/python3.8/site-packages/certbot/_internal/error_handler.py", line 125, in _call_registered
    self.funcs[-1]()
  File "/snap/certbot/579/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 243, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/snap/certbot/579/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 76, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/certbot_dns_google/_internal/dns_google.py", line 73, in _cleanup
    self._get_google_client().del_txt_record(domain, validation_name, validation, self.ttl)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/certbot_dns_google/_internal/dns_google.py", line 76, in _get_google_client
    return _GoogleClient(self.conf('credentials'))
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/certbot_dns_google/_internal/dns_google.py", line 96, in __init__
    self.dns = discovery.build('dns', 'v1',
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/googleapiclient/discovery.py", line 221, in build
    content = _retrieve_discovery_doc(requested_url, http, cache_discovery,
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/googleapiclient/discovery.py", line 269, in _retrieve_discovery_doc
    resp, content = http.request(actual_url)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/httplib2/__init__.py", line 1322, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/httplib2/__init__.py", line 1072, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/snap/certbot-dns-google/current/lib/python3.8/site-packages/httplib2/__init__.py", line 995, in _conn_request
    conn.connect()
  File "/snap/certbot/579/usr/lib/python3.8/http/client.py", line 1409, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/snap/certbot/579/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/snap/certbot/579/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/snap/certbot/579/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL] internal error (_ssl.c:1108)
An unexpected error occurred:
ssl.SSLError: [SSL] internal error (_ssl.c:1108)

My web server is (include version):
nginx but I haven't configure it for strapi.vn, I intend to create a certificate 1st then will pass it to nginx config and start the server later

The operating system my web server runs on is (include version):
ubuntu 18.04

My hosting provider, if applicable, is:
I don't have this, I'm hosting my website on GCE

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
1.8.0

–
I created service account for my GCE and assigned needed permissions for it.
Last 2 weeks I can use this service account to generate certificates for my subdomain strapi.stool.vn (this domain still working for now). I cannot repeat the process after 1 week.

I attempt to create another service account with owner privilege but got no success at all.

griffin · September 16, 2020, 6:13pm

Welcome to the Let’s Encrypt Community

Allow me to page someone with more knowledge of this than myself.

@_az, @bmw

Any ideas on what might lurk behind this cascade? I’m not familiar with this plug-in and don’t want to make any assumptions.

By the way, is there an “@” for certbot developers? Would be nice to not bug you two all the time.

_az · September 16, 2020, 9:04pm

Thanks for tagging. I will check this out soon.

@nmtri881994 could you also provide the output of:

snap list

so I can see the exact versions of everything.

rg305 · September 16, 2020, 9:39pm

Aside from the already requested, have you checked your system for updates?
If not, then please do so AND post anything that was needing to be updated (before just updating them).

sudo apt update
sudo apt list --upgradable
^show this output (if any)^

then if anything needed upgrading:

sudo apt upgrade
and retest your certbot command

Thanks.

bmw · September 16, 2020, 9:58pm

I think the cause here is an old version of one of our dependencies in the snap. I'll try to get this fixed soon and add instructions here for how to try a new version of the snap once it's available. You can track this work at Update httplib2 · Issue #8204 · certbot/certbot · GitHub.

What I think would be most useful for us is for people to create an issue on our GitHub at Sign in to GitHub · GitHub when something needs our attention. We regularly check that and share that work across the team so that would work quite well for us.

If that's too inconvenient for people though, I can look into getting a group created on this forum for the Certbot developers.

griffin · September 16, 2020, 10:08pm

I’ll make a note of it.

rg305 · September 16, 2020, 10:10pm

I think this forum is better suited for those whom are polar opposite of those that typically github things.
[not trying to throw shade or label anyone here]

It just seems reasonable to think that the normal user will first go to LE org for help and that points them only to this forum (no git there):

rg305 · September 16, 2020, 10:15pm

I think we are going off topic but I can’t split anything…

bmw · September 16, 2020, 10:34pm

Good call. While I can split the topic, I don’t see a good way to do so since a couple of our messages talk both about how to ping the Certbot devs and this Google DNS plugin issue so I created Should we make a Certbot group? and we can continue the discussion there.

nmtri881994 · September 17, 2020, 12:40pm

This is what I got @_az

Name                Version   Rev   Tracking         Publisher          Notes
certbot             1.8.0     579   latest/beta      certbot-eff✓       classic
certbot-dns-google  1.8.0     158   latest/beta      certbot-eff✓       -
core18              20200724  1885  latest/stable    canonical✓         base
core20              20        634   latest/stable    canonical✓         base
google-cloud-sdk    310.0.0   150   latest/stable/…  google-cloud-sdk✓  classic
snapd               2.46.1    9279  latest/stable    canonical✓         snapd

nmtri881994 · September 17, 2020, 12:41pm

@rg305 I got something need to upgrade

apport/bionic-updates 2.20.9-0ubuntu7.17 all [upgradable from: 2.20.9-0ubuntu7.16]
base-files/bionic-updates 10.1ubuntu2.10 amd64 [upgradable from: 10.1ubuntu2.9]
bcache-tools/bionic-updates 1.0.8-2ubuntu0.18.04.1 amd64 [upgradable from: 1.0.8-2build1]
cloud-init/bionic-updates 20.3-2-g371b392c-0ubuntu1~18.04.1 all [upgradable from: 20.2-45-g5f7825e2-0ubuntu1~18.04.1]
grub-common/bionic-updates 2.02-2ubuntu8.18 amd64 [upgradable from: 2.02-2ubuntu8.17]
grub-efi-amd64/bionic-updates 2.02-2ubuntu8.18 amd64 [upgradable from: 2.02-2ubuntu8.17]
grub-efi-amd64-bin/bionic-updates 2.02-2ubuntu8.18 amd64 [upgradable from: 2.02-2ubuntu8.17]
grub-efi-amd64-signed/bionic-updates 1.93.20+2.02-2ubuntu8.18 amd64 [upgradable from: 1.93.19+2.02-2ubuntu8.17]
grub-pc-bin/bionic-updates 2.02-2ubuntu8.18 amd64 [upgradable from: 2.02-2ubuntu8.17]
grub2-common/bionic-updates 2.02-2ubuntu8.18 amd64 [upgradable from: 2.02-2ubuntu8.17]
initramfs-tools/bionic-updates 0.130ubuntu3.10 all [upgradable from: 0.130ubuntu3.9]
initramfs-tools-bin/bionic-updates 0.130ubuntu3.10 amd64 [upgradable from: 0.130ubuntu3.9]
initramfs-tools-core/bionic-updates 0.130ubuntu3.10 all [upgradable from: 0.130ubuntu3.9]
libpam-modules/bionic-updates 1.1.8-3.6ubuntu2.18.04.2 amd64 [upgradable from: 1.1.8-3.6ubuntu2.18.04.1]
libpam-modules-bin/bionic-updates 1.1.8-3.6ubuntu2.18.04.2 amd64 [upgradable from: 1.1.8-3.6ubuntu2.18.04.1]
libpam-runtime/bionic-updates 1.1.8-3.6ubuntu2.18.04.2 all [upgradable from: 1.1.8-3.6ubuntu2.18.04.1]
libpam0g/bionic-updates 1.1.8-3.6ubuntu2.18.04.2 amd64 [upgradable from: 1.1.8-3.6ubuntu2.18.04.1]
libpcap0.8/bionic-updates 1.8.1-6ubuntu1.18.04.2 amd64 [upgradable from: 1.8.1-6ubuntu1.18.04.1]
python3-apport/bionic-updates 2.20.9-0ubuntu7.17 all [upgradable from: 2.20.9-0ubuntu7.16]
python3-problem-report/bionic-updates 2.20.9-0ubuntu7.17 all [upgradable from: 2.20.9-0ubuntu7.16]
ubuntu-minimal/bionic-updates 1.417.5 amd64 [upgradable from: 1.417.4]
ubuntu-server/bionic-updates 1.417.5 amd64 [upgradable from: 1.417.4]
ubuntu-standard/bionic-updates 1.417.5 amd64 [upgradable from: 1.417.4]

I update, upgrade then retest my command but got no luck.

nmtri881994 · September 17, 2020, 12:53pm

For the sideline topic, actually I’m familiar with raising issue on Github. But when was searching my error on Google, most of destinations lead to this forum instead of Github. That’s why I seek help at here.

bmw · October 1, 2020, 10:21pm

I believe we've fixed the problem here. The fix will be available in our snaps by default after our next release which we're planning to do on Tuesday, October 6th.

If you'd like to try it before then you can install our snaps from the edge channel which are updated nightly. You can do this by installing the snaps as normal following the wildcard instructions at https://certbot.eff.org/lets-encrypt/ubuntubionic-other and then running:

sudo snap refresh certbot --edge
sudo snap refresh certbot-dns-google --edge

After our release next week, you can stop following our nightly builds if you want by running:

sudo snap refresh certbot --beta
sudo snap refresh certbot-dns-google --beta

If you try this, please let me know whether or not it works!

system · October 31, 2020, 10:21pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.