Dns-ovh renew : Zone xxxx is not deployed error

kornflex · November 18, 2023, 11:04am

Hello,

I was using an old certbot version. When I tried to renew my certificate, I had an error : /usr/bin/certbot:6: DeprecationWarning: pkg_resources is deprecated as an API. See Package Discovery and Resource Access using pkg_resources - setuptools 68.2.2.post20231117 documentation

So I remove old my old certbot package and reinstall it with "snap".

I try to renew my certificate but I had this error :
Unexpected error determining zone identifier for lefebvre.ovh: Zone lefebvre.ovh is not deployed

So I thought it was because I have reinstall all the certbot and he loose the configuration.
So I remove all my certificates.

I try to create a new one from scratch. Same problem... Same with a new API token created on OVH provider....

My domain is:

home.lefebvre.ovh

I ran this command:
certbot certonly --dns-ovh --dns-ovh-credentials .ovhapi --dns-ovh-propagation-seconds 60 -d home.lefebvre.ovh

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for home.lefebvre.ovh
Unexpected error determining zone identifier for lefebvre.ovh: Zone lefebvre.ovh is not deployed
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
apache2

The operating system my web server runs on is (include version):
raspbian

My hosting provider, if applicable, is:
at home, but with DNS-ovh challenge

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.7.4

Here an extract of log file :

2023-11-18 11:47:04,964:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/3463/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 250, in _resolve_domain
    with Client(self._build_lexicon_config(domain_name)):
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/client.py", line 151, in __enter__
    raise e
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/client.py", line 144, in __enter__
    provider.authenticate()
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/_private/providers/ovh.py", line 96, in authenticate
    raise AuthenticationError(f"Zone {domain} is not deployed")
lexicon.exceptions.AuthenticationError: Zone lefebvre.ovh is not deployed

Thank you for your help

rg305 · November 18, 2023, 11:23am

Hi @kornflex, and welcome to the LE community forum

I'm not a fan of relative paths.
It probably won't make any difference, but try it with the full/absolute path.

Also, be sure your file follows this example:

rg305 · November 18, 2023, 11:26am

And since your cert expires very soon:

I would suggest that you run the process manually [this one time] and buy yourself 90 more days to figure out what is going on and get it fixed.

Osiris · November 18, 2023, 11:37am

Might be/probably the same issue as this one on the Certbot Github repo: certbot-dns-ovh fails with "Unexpected error determining zone identifier" when zone has a warning · Issue #9836 · certbot/certbot · GitHub.

Also, there have been some major updates to how some of the DNSl plugins handle stuff in Certbot 2.7.0. Not sure if this issue could have been caused by that, but you might want to try to downgrade Certbot to 2.6.0. Not sure how one would do that using snap, but you could always temporarily install certbot in a venv and install certbot 2.6.0 specifically within that venv.

kornflex · November 18, 2023, 3:35pm

Same error

You are correct, Same error : Zone is not deployed

kornflex · November 18, 2023, 3:36pm

I don't know how to downgrade

Osiris · November 18, 2023, 3:53pm

With snap, I don't know either. Using pip though:

sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot==2.6.0 certbot-dns-ovh==2.6.0

Then you could try certbot 2.6.0 using /opt/certbot/bin/certbot.

kornflex · November 18, 2023, 4:04pm

thank you very much !

For now, I have made the certificate using default certbot with http 80 challenge. ( I can do it because I've changed my FAI. With another FAI, 80 could'nt be redirected that's why I had to use ovh challenge before ). So for now it's working.

I close http 80.
I will open it when necessary.

I hope DNS challenge will be fixed next time I need to use it...

Thank you very much

Osiris · November 18, 2023, 4:52pm