Cerbot cannot create a certificate with acme-dns

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: af-reiner.fr

I ran this command:
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.af-reiner.fr -d af-reiner.fr

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.af-reiner.fr and af-reiner.fr
Hook '--manual-auth-hook' for af-reiner.fr reported error code 1
Hook '--manual-auth-hook' for af-reiner.fr ran with error output:
Traceback (most recent call last):
File "/etc/letsencrypt/acme-dns-auth.py", line 4, in
import requests
File "/snap/certbot/4559/lib/python3.12/site-packages/requests/init.py", line 43, in
import urllib3
File "/snap/certbot/4559/lib/python3.12/site-packages/urllib3/init.py", line 14, in
from . import exceptions
File "/snap/certbot/4559/lib/python3.12/site-packages/urllib3/exceptions.py", line 26, in
_TYPE_REDUCE_RESULT = tuple[typing.Callable[..., object], tuple[object, ...]]
TypeError: 'type' object is not subscriptable
Hook '--manual-auth-hook' for af-reiner.fr reported error code 1
Hook '--manual-auth-hook' for af-reiner.fr ran with error output:
Traceback (most recent call last):
File "/etc/letsencrypt/acme-dns-auth.py", line 4, in
import requests
File "/snap/certbot/4559/lib/python3.12/site-packages/requests/init.py", line 43, in
import urllib3
File "/snap/certbot/4559/lib/python3.12/site-packages/urllib3/init.py", line 14, in
from . import exceptions
File "/snap/certbot/4559/lib/python3.12/site-packages/urllib3/exceptions.py", line 26, in
_TYPE_REDUCE_RESULT = tuple[typing.Callable[..., object], tuple[object, ...]]
TypeError: 'type' object is not subscriptable

Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.

Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: af-reiner.fr
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.af-reiner.fr - check that a DNS record exists for this domain

Domain: af-reiner.fr
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.af-reiner.fr - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
root@jeedom:~# apache2 -v
Server version: Apache/2.4.59 (Raspbian)
Server built: 2024-05-24T22:36:21

The operating system my web server runs on is (include version):
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 10 (buster)
Release: 10
Codename: buster

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
root@jeedom:~# certbot --version
certbot 4.0.0

Hello, thank you for reading me.
First I received alert emails from let's encrypt about the next expiration of my certificate. These alerts were among other alert emails about the next ending of the renewal of certificates. As, so far, my certificate was automatically renewed thank to certbot, I did not understand.
So, on April the 8th (yesterday), my certificate expired.
I tried the certificate request command ("manually" with hook). I was proposed to keep the certificate in RSA or update to ECDSA. I choose to update to ECDSA. And then I got the error message.
I thought it was because the expired certificate was still installed, so I removed it. New try, same answer.
I thought that perhaps the DNS entry for the _acme-challenge was not valid anymore, so I suppressed it. New try, same answer. You can see that after the error message, certbot is able to see that the DNS entry is missing, but it did not provide me with the right entry to add in the DNS.

Thank you,
Alain Reiner

Looks like the acme-dns-auth.py doesn't work (any more?), not sure why exactly.

Have you always used acme-dns-auth.py to get/renew your certificates? Because I see your DNS provider is OVH and Certbot also has the certbot-dns-ovh DNS plugin. Or was there a specific reason to use acme-dns over the OVH DNS plugin?

Thank you for your quick answer.
Yes I always used acme-dns-auth.py. Why ? because it was written like that in the "how to" doc.. and it worked. Should I install and use the certbot-dns-ovh plugin instead ?

You could try that. Or fix whatever is causing that Python error. It's late here, so I don't have time to debug it now, perhaps another volunteer could help you.

Hello, Good day,
the OVH let's encrypt system is only for their web-cloud hosting service. My web site is on my own server, at home. So I have to keep on with the ACME client.
Finally, I installed a fresh new debian 11 on my spare server, then installed the jeedom package and restored my backup, and ran the certbot installation (snap) + the certificate request procedure. Everything did right and well and the https/ssl service is well working.
I think that, thank to snap, the certbot package has been updated though debian 10 and all the packages could no more be updated. So the new 4.0.0 version of certbot was calling new python procedures that did not exist (or not with the same interface) in my old python.
In the previous version of Certbot, there was a "hook" python script for automatic renewal that is not provided with the new 4.0.0 version. So I have either to make or find such a script, or renew my certificate manually every 3 months.
Thanks for trying to help me.
Best Regards,
Alain Reiner

acme-dns-auth.py is a third party script so yes, that doesn't come with Certbot. Never did.

Yes, I did not suggest to change to OVH for the entire certificate thing, just use their DNS servers with the Certbot certbot-dns-ovh DNS plugin to perform the challenge. That's completely different than letting OVH take care of the entire certificate issuance and renewal. You'd still be doing that using Certbot, just not using acme-dns-auth.py, but using the certbot-dns-ovh plugin. See the documentation I linked earlier.

Unless I misunderstood you and it happens that with your OVH DNS account you cannot change any DNS setting using their API, but that would be strange I think.