Certbot renew fails on Linode API request

I tried to renew my certs, but get an Authentication error. This is the first time I tried to renew since installing the certs. The letsencrypt log shows there is an error when trying to access the Linode API (see below). The Linode API key has not changed and has not expired. Any thoughts/ideas will be greatly appreciated. Thanks

My domain is:
aap.frostycoder.net, www.frostycoder.net

I ran this command:
certbot renew

It produced this output:
Failed to renew certificate aap.frostycoder.net-0001 with error: Unexpected error determining zone identifier for aap.frostycoder.net: Linode api error: [{'ERRORMESSAGE': 'Authentication failed', 'ERRORCODE': 4}]

LOG FILE:
2021-04-02 16:07:18,638:DEBUG:acme.client:Storing nonce: XXX
2021-04-02 16:07:18,639:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-04-02 16:07:18,639:INFO:certbot._internal.auth_handler:dns-01 challenge for www.XXX.net
2021-04-02 16:07:18,641:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2021-04-02 16:07:18,787:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "GET /api/?api_key=XXX&resultFormat=JSON&api_action=domain.list HTTP/1.1" 200 None
2021-04-02 16:07:18,789:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/1042/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 91, in _find_domain_id
    self.provider.authenticate()
  File "/snap/certbot-dns-linode/current/lib/python3.8/site-packages/lexicon/providers/base.py", line 69, in authenticate
    return self._authenticate()
  File "/snap/certbot-dns-linode/current/lib/python3.8/site-packages/lexicon/providers/linode.py", line 30, in _authenticate
    payload = self._get('domain.list')
  File "/snap/certbot-dns-linode/current/lib/python3.8/site-packages/lexicon/providers/base.py", line 142, in _get
    return self._request('GET', url, query_params=query_params)
  File "/snap/certbot-dns-linode/current/lib/python3.8/site-packages/lexicon/providers/linode.py", line 141, in _request
    raise Exception('Linode api error: {0}'.format(result['ERRORARRAY']))
Exception: Linode api error: [{'ERRORMESSAGE': 'Authentication failed', 'ERRORCODE': 4}]

My web server is (include version):
Apache2

The operating system my web server runs on is (include version):
Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.13.0

We had another Certbot+Linode user report a similar error message and they also said that using an API Key with these account scopes was the solution:

  • Domains: Read+Write
  • Account: Read

That issue can be found here. It's not yet resolved, but you could potentially give it a go to see if it helps.

It might also help us figure out why this error happens. If the Account scope is (sometimes) needed, we should update our docs.


Thank you for the quick response, I already had Domain r/w, but made a new key with domain r/w and account read only. I still get the Authentication error. I had the renewal working on an older domain last year and I only needed domain r/w.

I can simulate the renew command by using the following URL in a browser (this was the point in the letsencrypt log where the error occurred): https://api.linode.com/?api_key=XXX&api_action=domain.list where XXX is the API key. I get the same error as the renew.

There is a similar API command using curl. It is:
curl -H "Authorization: Bearer XXX" \
  https://api.linode.com/v4/domains
When I do this, I get a good response back with a list of domains. Note the "v4". If I take the v4 out I get the authentication error.

I'm wondering, could Linode be running a new version of API and the renew command isn't aware of it?

I tried to renew my certificates today and this time it worked! I compared today's log against last week's log, when it failed, and found they were very different. While the logs from the failed renewals had requests to the Linode API, today's log had no such requests.

When I looked at the first few lines in the log files, I noticed a difference in certbot versions.
The failing logs have 2021-04-02 18:34:02,301:DEBUG:certbot._internal.main:certbot version: 1.13.0
The success log has 2021-04-09 14:38:08,705:DEBUG:certbot._internal.main:certbot version: 1.14.0

I suspect I might have 2 versions on my server and I was using the wrong version. Anyway, I can now renew my certificates.
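
The log comparison described in the last post can be scripted. The following is an added example, not part of the thread or of Certbot: it reads a letsencrypt debug log, reports the Certbot version and which style of Linode API request was made (key in the query string versus a `/v4/` path), and redacts the `api_key` value that the debug log records in the URL. The sample lines are constructed from the excerpts quoted above, and the key value and the function names are made up.

```python
import re

# Constructed sample modelled on the log lines quoted in the thread.
# EXAMPLEKEY123 is a made-up placeholder, not a real key.
SAMPLE_LOG = """\
2021-04-02 18:34:02,301:DEBUG:certbot._internal.main:certbot version: 1.13.0
2021-04-02 16:07:18,641:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2021-04-02 16:07:18,787:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "GET /api/?api_key=EXAMPLEKEY123&resultFormat=JSON&api_action=domain.list HTTP/1.1" 200 None
"""

VERSION_RE = re.compile(r"certbot version: (\S+)")
REQUEST_RE = re.compile(r'https://api\.linode\.com:443 "(\w+) (\S+) HTTP')
KEY_RE = re.compile(r'(api_key=)[^&\s"]+')


def redact(text):
    """Replace any api_key query value so the log can be shared safely."""
    return KEY_RE.sub(r"\1REDACTED", text)


def summarize(log_text):
    """Collect the Certbot version and every Linode API request in a log."""
    summary = {"certbot_version": None, "linode_requests": [], "key_in_log": False}
    for line in log_text.splitlines():
        version = VERSION_RE.search(line)
        if version:
            summary["certbot_version"] = version.group(1)
        request = REQUEST_RE.search(line)
        if not request:
            continue
        method, path = request.groups()
        if KEY_RE.search(path):
            # The key was written to the log in clear text inside the URL.
            summary["key_in_log"] = True
        style = "v4" if path.startswith("/v4/") else "query-key"
        summary["linode_requests"].append((style, method, redact(path)))
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("certbot version:", result["certbot_version"])
    print("API key present in log:", result["key_in_log"])
    for style, method, path in result["linode_requests"]:
        print(style, method, path)
```

Running `summarize` over a failing and a succeeding log side by side shows at a glance whether the two runs used different Certbot versions or different API endpoints.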
