I did a fresh installation of certbot on Ubuntu 18.04 using your instructions with sudo snap install --classic certbot and had some trouble finding a way to install the certbot-dns-hetzner plugin (snap install certbot-dns-hetzner did not find the plugin).
So I tried an installation with pip, which seemed to succeed at first - certbot plugins listed dns-hetzner - but when trying to generate a cert I get error messages like 'The requested certbot-dns-hetzner plugin does not appear to be installed'.
Here is my own answer to my question on how to do the installation on StackOverflow (I was too fast posting it, I was so happy to see the plugin in certbot plugins)
So what am I doing wrong?
Here are the commands I am running without success.
root@my-server:~# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
* dns-hetzner
Description: Obtain certificates using a DNS TXT record (if you are using
Hetzner for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-hetzner = certbot_dns_hetzner.dns_hetzner:Authenticator
* nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@my-server:~# certbot certonly --authenticator dns-hetzner -d "my-server.domain.me" --dns-hetzner-credentials /root/my-cert.ini
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-hetzner-credentials /root/my-cert.ini
root@my-server:~# certbot certonly --authenticator dns-hetzner
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The requested dns-hetzner plugin does not appear to be installed
The requested dns-hetzner plugin does not appear to be installed
One other note.
Included plugins, like apache, are located in /snap/certbot/784/lib/python3.8/site-packages/ whereas the hetzner plugin is placed in /root/.local/lib/python3.8/site-packages/.
I tried to copy the hetzner directories to the snap folder, but it is mounted as read only.
I don't think you can mix and match SNAP with PIP.
That can't lead to anything good!
I would uninstall anything added with PIP.
Then look for the right plugin for SNAP or, if one is not yet available, look for another ACME client that does have that functionality today (like maybe acme.sh).
You are right with the wrong parameter, that was my fault while testing different ways (in an older installation we had to use --authenticator certbot-dns-hetzner). I had tried before with the correct parameter as suggested, so I've corrected it in my post to avoid confusion because of this deprecated param.
But the strange thing is, that certbot plugins does list the Hetzner plugin installed by pip. So it does look up plugins in the user's / root's home directory.
How should I add something to the read only directory /snap/ when it is read only and not having the desired plugin as a snap app?
I'll give it one last try and if that does not solve the problem I'll use the --manual-auth-hook and --manual-cleanup-hook together with another script (as described here: https://community.hetzner.com/tutorials/letsencrypt-dns).
Ugh, I forgot to post (and to look into) the log file. So here it is:
2020-12-03 09:31:05,314:DEBUG:certbot._internal.main:certbot version: 1.10.0
2020-12-03 09:31:05,314:DEBUG:certbot._internal.main:Arguments: ['--authenticator', 'dns-hetzner']
2020-12-03 09:31:05,314:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-12-03 09:31:05,324:DEBUG:certbot._internal.log:Root logging level set at 20
2020-12-03 09:31:05,325:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-12-03 09:31:05,326:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-hetzner and installer None
2020-12-03 09:31:05,326:DEBUG:certbot._internal.plugins.selection:No candidate plugin
2020-12-03 09:31:05,326:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer None
2020-12-03 09:31:05,326:INFO:certbot._internal.main:Could not choose appropriate plugin: The requested dns-hetzner plugin does not appear to be installed
2020-12-03 09:31:05,326:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.6/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/main.py", line 1412, in main
return config.func(config, plugins)
File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/main.py", line 1271, in certonly
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/plugins/selection.py", line 235, in choose_configurator_plugins
diagnose_configurator_problem("authenticator", req_auth, plugins)
File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/plugins/selection.py", line 339, in diagnose_configurator_problem
raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The requested dns-hetzner plugin does not appear to be installed
2020-12-03 09:31:05,327:ERROR:certbot._internal.log:The requested dns-hetzner plugin does not appear to be installed
So I'll give it one last try in installing the plugin with pip in /usr/local/...
Now the plugin is not listed when running certbot plugins but it works when creating certs.
It would have saved me a lot of time if I had simply tried to use the plugin instead of trusting certbot plugins, which totally deceived me. My first installation way was the right one.
So this should be included in your issue as well. Certbot and letsencrypt are scanning different folders for plugins.
We've made a change to the next release of Certbot (1.11) which will prevent pip --user-installed plugins from inadvertently showing up in certbot plugins.
For others: the only way to use DNS (and other) plugins from the Certbot snap, is to install the plugin via snap. If the plugin you want to use is not available as a snap, we can provide help with getting it packaged and published. Have a look over the instructions for writing your own plugin snap and file an issue if you'd like some assistance.
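The mismatch discussed in this thread, as an added example that is not part of any post above and is not Certbot's own code: Certbot finds plugins through Python entry points in the certbot.plugins group, so what is visible depends on which site-packages directories the running interpreter searches. The two directories and their contents below are constructed stand-ins for the snap and pip --user locations.

```python
import tempfile
from importlib import metadata
from pathlib import Path

GROUP = "certbot.plugins"  # entry-point group behind the "Entry point:" lines


def make_fake_dist(site_dir, dist_name, entry_points):
    """Write a minimal .dist-info so importlib.metadata can find it (constructed sample)."""
    info = Path(site_dir) / f"{dist_name}-0.0.0.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: {dist_name}\nVersion: 0.0.0\n")
    lines = [f"[{GROUP}]"] + [f"{k} = {v}" for k, v in entry_points.items()]
    (info / "entry_points.txt").write_text("\n".join(lines) + "\n")


def plugins_visible_from(search_path):
    """Map plugin name -> directory it was found in, for one search path."""
    found = {}
    for dist in metadata.distributions(path=[str(p) for p in search_path]):
        for ep in dist.entry_points:
            if ep.group == GROUP and ep.name not in found:
                found[ep.name] = str(dist.locate_file(""))
    return found


def demo():
    """Compare a snap-only search path with one that also includes the user site."""
    with tempfile.TemporaryDirectory() as tmp:
        snap_site = Path(tmp) / "snap-site-packages"   # stand-in for /snap/certbot/...
        user_site = Path(tmp) / "user-site-packages"   # stand-in for /root/.local/...
        make_fake_dist(snap_site, "certbot", {
            "standalone": "certbot._internal.plugins.standalone:Authenticator",
            "webroot": "certbot._internal.plugins.webroot:Authenticator",
        })
        make_fake_dist(user_site, "certbot_dns_hetzner", {
            "dns-hetzner": "certbot_dns_hetzner.dns_hetzner:Authenticator",
        })
        return (plugins_visible_from([snap_site]),
                plugins_visible_from([snap_site, user_site]))


if __name__ == "__main__":
    snap_only, snap_plus_user = demo()
    print("snap path only:      ", sorted(snap_only))
    print("snap path + user site:", sorted(snap_plus_user))
```

To inspect a real installation, call plugins_visible_from(sys.path) under the interpreter that the certbot command on your PATH actually runs with.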
Meanwhile there is a snap installation available for the desired plugin, but I can't get it running, so I'll have to stick to the pip installation which is doing its job without any problems. I hope an update of certbot won't break my configuration.
Those extra trust/connect steps are needed because the plugin does not come from the same publisher as the main Certbot snap, and that's the condition we have placed on us for being a "classic" snap.
It appears in certbot plugins and appears to work properly (though I don't have any Hetzner credentials to do a full end-to-end test):
root@benefit-athena:~/work# certbot certonly -d example.com -a dns-hetzner --dns-hetzner-credentials creds.ini --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-hetzner, Installer None
Simulating a certificate request for example.com
Performing the following challenges:
dns-01 challenge for example.com
Unsafe permissions on credentials configuration file: creds.ini
Cleaning up challenges
Missing property in credentials configuration file creds.ini:
* Property "dns_hetzner_api_token" not found (should be Hetzner API Token from 'https://dns.hetzner.com/settings/api-token').
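The two complaints in the dry run above concern the file that holds the Hetzner API token. The following is an added example, not part of the thread and not Certbot's own check: it creates such a file with mode 0600 from the start and audits an existing one. It assumes "unsafe" means any group or other permission bit is set and that the file uses simple key = value lines; the token value is a placeholder.

```python
import os
import stat
import tempfile

REQUIRED_KEY = "dns_hetzner_api_token"  # property name from the error message above


def write_credentials(path, token):
    """Create the file with mode 0600 at creation time, so the token is
    never readable by other users, not even briefly before a chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{REQUIRED_KEY} = {token}\n")


def audit_credentials(path):
    """Return a list of problems found in a credentials file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit set (assumed definition of unsafe)
        problems.append(f"unsafe permissions {oct(mode)}")
    keys = set()
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                keys.add(line.split("=", 1)[0].strip())
    if REQUIRED_KEY not in keys:
        problems.append(f"missing property {REQUIRED_KEY}")
    return problems


def demo():
    """Audit one well-formed file and one that reproduces both dry-run complaints."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.ini")
        write_credentials(good, "PLACEHOLDER_TOKEN")  # constructed value
        bad = os.path.join(tmp, "bad.ini")
        with open(bad, "w") as fh:
            fh.write("# token not filled in yet\n")
        os.chmod(bad, 0o644)  # world-readable, like creds.ini in the dry run
        return audit_credentials(good), audit_credentials(bad)


if __name__ == "__main__":
    print(demo())
```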