Digitalocean api key failure

rbucker · August 4, 2021, 4:16pm

I ran this command: /usr/local/bin/certbot renew --post-hook "/usr/sbin/rcctl restart haproxy" --renew-hook "/usr/local/bin/renew.sh" >> /var/log/le-renewal.log

It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-digitalocean, Installer None
Performing the following challenges:
dns-01 challenge for makefloridablueagain.com
dns-01 challenge for makefloridablueagain.com
Cleaning up challenges
Failed to renew certificate makefloridablueagain.com with error: Error finding domain using the DigitalOcean API: Unable to authenticate you. (Did you provide a valid API token?)

My web server is (include version): n/a

The operating system my web server runs on is (include version): openbsd

My hosting provider, if applicable, is:n/a

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.13.0

rbucker · August 4, 2021, 4:22pm

I repaired the problem... Need to add -dns-digitalocean --dns-digitalocean-credentials to the renew.

Osiris · August 4, 2021, 4:39pm

Hm, weird. You probably used both those options previously when you issued the cert for the first time too, right? I'd think those options would be saved in the renewal configuration file.

Could you perhaps confirm that the dns-digitalocean-credentials options is present in the file /etc/letsencrypt/renewal/makefloridablueagain.com.conf ?

rbucker · August 4, 2021, 4:58pm

Thanks for that pointer... It turns out that some of my domains are configured:

dns_digitalocean_credentials = /root/.ssh/digitalocean.ini

which contains a deleted token

but the new domain conf file contain

dns_digitalocean_credentials = /etc/digitalocean.ini

So root cause is resolved.

rg305 · August 4, 2021, 8:41pm

Have a peek at which ones are using which token with:
grep digitalocean /etc/letsencrypt/renewal/*
[and you can make any necessary changes before they even need to renew]

system · September 3, 2021, 8:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.