Certbot with NS1 plugin unrecognized arguments

I need to get certbot to connect to ns1 and make and remove the TXT DNS record. I found this

https://github.com/certbot/certbot/blob/master/certbot-dns-nsone/certbot_dns_nsone/__init__.py

I made nsone.ini with

 dns_nsone_api_key = 1dRCgkzYF8ASSG9G130j

and on Debian 9 I run the below to install certbot version: 0.10.2

apt-get install -y certbot

certbot certonly --dns-nsone --dns-nsone-credentials nsone.ini --dns-nsone-propagation-seconds 60 -d mydomain.com

and I get the response

 certbot: error: unrecognized arguments: --dns-nsone --dns-nsone-credentials nsone.ini --dns-nsone-propagation-seconds 60

I guess I’m missing something? Do I need to install the plugin somehow?

Yes and Yes.
From the GitHub link, it looks like it would require certbot 0.15.0 or higher.

Rudy, thank you so much, can I ask how do I specify the version to install?

If you mean which version of certbot - it should automatically update itself. Or try:
apt-get update
apt-get upgrade (to see if certbot is listed)
If you mean which version of NS1 - that is a GitHub question.
But you can simply change the selection from “master” to another listed version.

Thanks Rudy,

I tried

apt-get update
apt-get upgrade 
certbot -v

and the output was still

certbot version: 0.10.2

You are using a stable version of Debian/Ubuntu which doesn’t package the latest version of certbot. There’s an easy way to install the latest version of certbot, but some research indicates that it doesn’t install the DNS plugins either. :disappointed_relieved:

@schoen how exactly are you supposed to install the DNS plugins? I was going to suggest certbot-auto but I guess that doesn’t install them either?

Patches, you are correct, I installed certbot-auto and again the DNS plugins were not available.

Do you know which Linux system does have the latest version of certbot? At this point it may be quicker to just change the system.

So I believe certbot-auto installs all its files to /root/.local/share/letsencrypt and in there should be a venv directory into which all certbot-auto’s dependencies are installed.

If that directory is there, you could install the nsone plugin as follows:

sudo -i
source /root/.local/share/letsencrypt/venv/bin/activate
pip install certbot-dns-nsone

Patches, thanks for trying, I really appreciate your help. I’m on Debian 9x and…

/usr/local/share only has
ca-certificates fonts man

and using
whereis nsone

I can confidently say there is no folder of the name ‘nsone’

Did I install it correctly? …

apt-get update
apt-get -f install
apt-get install wget -y
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
apt-get install -y certbot

From root I can do…

./certbot-auto -h

and I get back…

Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.

Help for certbot itself cannot be provided until it is installed.

  --debug                                   attempt experimental installation
  -h, --help                                print this help
  -n, --non-interactive, --noninteractive   run without asking for user input
  --no-bootstrap                            do not install OS dependencies
  --no-self-upgrade                         do not download updates
  --os-packages-only                        install OS dependencies and exit
  -v, --verbose                             provide more output
  -q, --quiet                               provide only update/error output;
                                            implies --non-interactive

All arguments are accepted and forwarded to the Certbot client when run.

The line that reads
Help for certbot itself cannot be provided until it is installed.
makes me feel it’s not installed

and if I do…

certbot -v

I get back…

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot version: 0.10.2

I was expecting the version to be the latest now?

If I do…

./certbot-auto certonly --dns-nsone

I get back

Could not choose appropriate plugin: The requested dns-nsone plugin does not appear to be installed
The requested dns-nsone plugin does not appear to be installed

If I check we are installed

apt-get install certbot

I get back…

Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version (0.10.2-1).

I said /root/.local/share/letsencrypt. That is in the home directory of the root user /root, in a hidden subdirectory .local, not /usr/local.

EDIT: I guess it’s also possible that it installed in your home directory, e.g. /home/yourusername/.local/share/letsencrypt in which case it would be a little bit simpler:

source ~/.local/share/letsencrypt/venv/bin/activate
pip install certbot-dns-nsone

@Patches, Just a correction, instead of:

source ~/.local/share/letsencrypt/venv/bin/activate

@kiyokocrypto should use:

source ~/.local/share/letsencrypt/bin/activate

I’ve just installed it on a clean Debian Stretch and the venv dir is not created. So, using your method (changing the dir) I was able to install the dns-nsone plugin.

Before the installation:

[stretch9][root:certbot]# ./certbot-auto plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator

Installing dns-nsone plugin (in my case as root):

[stretch9][root:certbot]# source ~/.local/share/letsencrypt/bin/activate
(letsencrypt) [stretch9][root:certbot]# pip install certbot-dns-nsone
Collecting certbot-dns-nsone
  Using cached certbot_dns_nsone-0.17.0-py2.py3-none-any.whl
Requirement already satisfied: zope.interface in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot-dns-nsone)
Requirement already satisfied: setuptools>=1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot-dns-nsone)
Requirement already satisfied: certbot==0.17.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot-dns-nsone)
Collecting dns-lexicon (from certbot-dns-nsone)
Requirement already satisfied: mock in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot-dns-nsone)
Requirement already satisfied: acme==0.17.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot-dns-nsone)
Requirement already satisfied: pyrfc3339 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: zope.component in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: pytz in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: ConfigArgParse>=0.9.3 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: configobj in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: six in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: cryptography>=1.2 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: PyOpenSSL in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: parsedatetime>=1.3 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: requests in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from dns-lexicon->certbot-dns-nsone)
Collecting future (from dns-lexicon->certbot-dns-nsone)
Collecting tldextract (from dns-lexicon->certbot-dns-nsone)
  Using cached tldextract-2.1.0-py2.py3-none-any.whl
Requirement already satisfied: funcsigs>=1; python_version < "3.3" in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from mock->certbot-dns-nsone)
Requirement already satisfied: pbr>=0.11 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from mock->certbot-dns-nsone)
Requirement already satisfied: zope.event in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from zope.component->certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: ipaddress in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=1.2->certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: cffi>=1.7 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=1.2->certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: idna>=2.1 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=1.2->certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: asn1crypto>=0.21.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=1.2->certbot==0.17.0->certbot-dns-nsone)
Requirement already satisfied: enum34 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=1.2->certbot==0.17.0->certbot-dns-nsone)
Collecting requests-file>=1.4 (from tldextract->dns-lexicon->certbot-dns-nsone)
Requirement already satisfied: pycparser in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cffi>=1.7->cryptography>=1.2->certbot==0.17.0->certbot-dns-nsone)
Installing collected packages: future, requests-file, tldextract, dns-lexicon, certbot-dns-nsone
Successfully installed certbot-dns-nsone-0.17.0 dns-lexicon-2.1.10 future-0.16.0 requests-file-1.4.2 tldextract-2.1.0
(letsencrypt) [stretch9][root:certbot]#

After the installation, certbot-auto shows the newly installed plugin:

(letsencrypt) [stretch9][root:certbot]# ./certbot-auto plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator

* dns-nsone
Description: Obtain certificates using a DNS TXT record (if you are using NS1 for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-nsone = certbot_dns_nsone.dns_nsone:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
(letsencrypt) [stretch9][root:certbot]#

certbot-auto should provide a better way to install the plugins.

Cheers,
sahsanu


Yes! That got it!

Thank you everyone so much!


Excellent!

Now that you have it working, I strongly recommend you apt-get remove certbot so the Debian version doesn’t conflict with certbot-auto, as suggested in the other thread.

You’ll also want to set up a cron job that runs /path/to/certbot-auto -q renew since certbot-auto doesn’t set this up automatically like the Debian package does. This command will only renew your certificates when they are 30 days or less from expiration, so it is safe to run as often as you like and you’ll have a month to deal with anything that should go wrong. The general recommendation is to set it up to run twice daily.


Thanks Patches, I’m so close now! I’m just getting this error now…

Failed authorization procedure. mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for mydomain.com

The zone is set up on NS1 with no records. Do I need to set an A record to point at the same IP as the server I’m working on, or will the plugin do everything I need?

The NS1 control panel, under recent actions, does not show any actions; no TXT records or A records were made or deleted.

That looks like the apache or nginx plugin was selected for authentication instead of the dns-nsone plugin.

I’m guessing you tried something like --apache --dns-nsone to get certbot to configure your webserver for you?

If so you actually have to specify the authenticator plugin with -a or --authenticator and the installer plugin with -i or --installer like so:

 ./certbot-auto run -a dns-nsone -i apache --dns-nsone-credentials nsone.ini --dns-nsone-propagation-seconds 60 -d mydomain.com

Otherwise, please specify the exact command you’re running now.

Oh, and if that was your real DNS API key in the first post, please change it now. :fearful:


Definitely very important advice!

@Patches & @schoen again, thanks for the heads up on the API key. I had posted it by mistake, then quickly realized and changed it 2min after.

I was using the certonly standalone

./certbot-auto certonly --standalone -d mydomain.com --agree-tos --email myemail@gmail.com -q

I basically just want to get the cert, then I can place it where I need it for nginx

You passed the --standalone option to certbot. This causes certbot to use a different verification method. It will start a server listening on port 443 or 80 and instruct the Let’s Encrypt validation servers to connect to it to verify the domain. It probably won’t work in most situations you want to use DNS verification for.

To use the dns-nsone plugin, you need to specify the dns-nsone options instead, e.g.

certbot certonly --agree-tos --email myemail@gmail.com --dns-nsone --dns-nsone-credentials nsone.ini -d mydomain.com

You’ll need to specify these for each certificate you want. Since you could use certbot for any number of domains and validation strategies, it does not remember these options from domain to domain (though it does for automatic renewal for the same domain set).

@Patches you are the best, thank you for being so patient and detailed.

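The three things that went wrong in this thread (plugin not installed, the credentials file, and a different authenticator being selected) can be checked before and after a run. The script below is an added example, not code from any poster or from certbot; the function names are hypothetical, the sample inputs are constructed from the output quoted above, and restricting nsone.ini to its owner is an added hardening step that the thread itself does not discuss.

```shell
#!/bin/sh
# Added example: preflight checks around `certonly --dns-nsone`.
# Function names are hypothetical; none of this ships with certbot.

# Reads `certbot-auto plugins` output on stdin; succeeds if "* <name>" is listed.
plugin_listed() {
    grep -Eq -- "^\* $1[[:space:]]*\$"
}

# Checks the credentials INI: exists, no group/other access, API key present.
# Uses GNU stat (Debian, as in the thread). Prints the first problem found.
creds_ok() {
    [ -f "$1" ] || { echo "missing credentials file: $1"; return 1; }
    case "$(stat -c '%a' "$1")" in
        *00|0) ;;
        *) echo "$1 is accessible to group/other; chmod 600 it"; return 1 ;;
    esac
    grep -Eq '^[[:space:]]*dns_nsone_api_key[[:space:]]*=[[:space:]]*[^[:space:]]+' "$1" ||
        { echo "$1 has no dns_nsone_api_key value"; return 1; }
}

# Reads certbot error text on stdin; prints the challenge type that was attempted.
# A DNS plugin run uses dns-01, so anything else means another authenticator ran.
challenge_type() {
    sed -n 's/^Failed authorization procedure\. [^ ]* (\([a-z0-9-]*\)).*/\1/p'
}

# Constructed sample inputs, modelled on the output quoted in this thread.
SAMPLE_PLUGINS='* apache
Description: Apache Web Server plugin - Beta
* dns-nsone
Description: Obtain certificates using a DNS TXT record (if you are using NS1 for DNS).
* standalone
Description: Spin up a temporary webserver'
SAMPLE_ERROR='Failed authorization procedure. mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain'

if printf '%s\n' "$SAMPLE_PLUGINS" | plugin_listed dns-nsone; then
    echo "dns-nsone plugin is listed"
fi
ct=$(printf '%s\n' "$SAMPLE_ERROR" | challenge_type)
[ "$ct" = "dns-01" ] || echo "challenge was $ct, not dns-01: wrong authenticator"
```

On a real host, pipe `./certbot-auto plugins` into `plugin_listed dns-nsone` and pass the path of nsone.ini to `creds_ok`.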
