"DNS provider" plug-in question

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: theturners.org systypes.org

I ran this command: currently installing Certbot

It produced this output: None yet. I'm stalled at the "DNS provider" question that's part of the installation process. Our LAN has Bind running on the RPi to handle the internal named function with forwarders pointing to nameservers provided by AT&T.

Our domains are defined/managed by EasyDNS.

I see no mention of either AT&T or EasyDNS in any of the DNS plugin documentation.

How to proceed now?

My web server is (include version): nginx (reverse proxy to apache)

The operating system my web server runs on is (include version): Raspberry Pi/Debian bookworm

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.10.0

To automate the DNS Challenge you need API access to the public DNS servers.

Certbot has support for "DNS Made Easy" but I don't think that is the same as your "EasyDNS".

Another popular ACME Client does have support for EasyDNS. You might consider that acme.sh/dnsapi/dns_easydns.sh at master · acmesh-official/acme.sh · GitHub

Another option is to change your DNS provider to one that Certbot supports.

2 Likes

From here DNS providers who easily integrate with Let's Encrypt DNS validation

3 Likes

What exactly is the reason that you need the dns-01 challenge?

I see your hostnames have a public IP address (AT&T), but aren't reachable on port 80 nor 443. Is that the reason? Could you make the server available on TCP port 80 for the http-01 challenge?

If lego supports EasyDNS, then certbot-dns-multi, which uses lego under the hood, can be used as a DNS plugin for Certbot for EasyDNS.

1 Like

Everything on port 80 and 443 is being forwarded to nginx at the firewall. It used to work fine that way.

Thanks for the tip about dns-multi. It'd likely have taken a lot of trial and error figuring out that plugin was the one to use. I'm going to proceed using that plugin and see how it goes.

Thanks again.

2 Likes

I am no EasyDNS expert (barely know it) but in general you should consider the security of the token or key used for the DNS API. These auth tokens / keys on some DNS systems grant very wide privileges. On others they can be scoped very narrow.

You should review the scope for EasyDNS and take suitable precautions with access to the files that contain these tokens/keys.

2 Likes

Where does one find a.) the ".lego" subdirectory and b.) the values for the API_TOKEN, etc. variables referred to in the Lego documentation? Granted, it's been a long time since I first set up Certbot, but I sure don't recall having to jump through this many hoops to get it installed the first time. I'm finding the instructions not clear at all.

It will be automatically created in whatever directory you're currently in when running the lego run command (the "current working directory").

But if you'd use the certbot-dns-multi Certbot plugin, you don't have to run the lego command manually, just let Certbot do all the work. And if you use that plugin, follow the instructions on GitHub - alexzorin/certbot-dns-multi: Certbot DNS plugin supporting multiple providers, using github.com/go-acme/lego.

Sorry, but that page makes little to no sense. A lot of prior background seems to be needed, to the point of making the pages meaningless. I'm not a REST programmer, so when things tell me I need access to the innards of a REST API, I'm lost. As I said earlier: this wasn't anywhere nearly so complex when I first used Certbot. A clear start-to-finish example would be helpful and I sure am not finding it on those pages. (The Cloudflare example isn't helping.)

Thanks for the link, but I need more guidance on what the heck it's asking for.

1 Like

Not sure which page you're looking at, but I'm pretty sure it's not the page I linked, because that one doesn't mention anything about any REST API?

If you mean EasyDNS :: Let’s Encrypt client and ACME library written in Go. then you can probably ignore the whole "Additional Configuration" section, as that's just for fine-tuning if required.

1 Like

[Osiris] Osiris https://community.letsencrypt.org/u/osiris
Community leader
June 5

Not sure which page you're looking at, but I'm pretty sure it's not the page I linked, because that one doesn't mention anything about any REST API?

If you mean EasyDNS :: Let’s Encrypt client and ACME library written in Go. https://go-acme.github.io/lego/dns/easydns/ then you can probably ignore the whole "Additional Configuration" section, as that's just for fine-tuning if required.

OK. I'm using the following script ("run_lego") to run the lego command:

#!/bin/bash

# lego reads the EasyDNS credentials from its environment, so both variables
# must be exported; a plain assignment stays in this shell and lego then
# reports that no credentials were provided.
export EASYDNS_KEY=rnturner@domain1.org
export EASYDNS_TOKEN='<string_obtained_from_uuid>'

# Wildcard names are quoted so the shell does not glob-expand them.
/snap/bin/lego \
  --email rnturner@domain1.org \
  --dns easydns \
  --domains domain1.org \
  --domains '*.domain1.org' \
  --domains domain2.org \
  --domains '*.domain2.org' \
  run

What I get in return when running this is:

$ ./run_lego
2024/06/06 19:24:10 Could not load RSA private key from file /var/snap/lego/common/.lego/accounts/acme-v02.api.letsencrypt.org/rnturner@domain1.org/keys/rnturner@domain1.org.key: open /var/snap/lego/common/.lego/accounts/acme-v02.api.letsencrypt.org/rnturner@domain1.org/keys/rnturner@domain1.org.key: permission denied

When running under sudo:

$ sudo ./run_lego
2024/06/06 19:26:08 [INFO] [theturners.org, *.theturners.org, systypes.org, *.systypes.org] acme: Obtaining bundled SAN certificate
2024/06/06 19:26:08 [INFO] [*.systypes.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916557
2024/06/06 19:26:08 [INFO] [*.theturners.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916567
2024/06/06 19:26:08 [INFO] [systypes.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916577
2024/06/06 19:26:08 [INFO] [theturners.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916587
2024/06/06 19:26:08 [INFO] [*.systypes.org] acme: use dns-01 solver
2024/06/06 19:26:08 [INFO] [*.theturners.org] acme: use dns-01 solver
2024/06/06 19:26:08 [INFO] [systypes.org] acme: Could not find solver for: tls-alpn-01
2024/06/06 19:26:08 [INFO] [systypes.org] acme: Could not find solver for: http-01
2024/06/06 19:26:08 [INFO] [systypes.org] acme: use dns-01 solver
2024/06/06 19:26:08 [INFO] [theturners.org] acme: Could not find solver for: tls-alpn-01
2024/06/06 19:26:08 [INFO] [theturners.org] acme: Could not find solver for: http-01
2024/06/06 19:26:08 [INFO] [theturners.org] acme: use dns-01 solver
2024/06/06 19:26:08 [INFO] [*.systypes.org] acme: Preparing to solve DNS-01
2024/06/06 19:26:09 [INFO] [*.systypes.org] acme: Cleaning DNS-01 challenge
2024/06/06 19:26:09 [INFO] [*.theturners.org] acme: Preparing to solve DNS-01
2024/06/06 19:26:09 [INFO] [*.theturners.org] acme: Cleaning DNS-01 challenge
2024/06/06 19:26:09 [INFO] [systypes.org] acme: Preparing to solve DNS-01
2024/06/06 19:26:09 [INFO] [systypes.org] acme: Cleaning DNS-01 challenge
2024/06/06 19:26:09 [INFO] [theturners.org] acme: Preparing to solve DNS-01
2024/06/06 19:26:10 [INFO] [theturners.org] acme: Cleaning DNS-01 challenge
2024/06/06 19:26:10 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916557
2024/06/06 19:26:10 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916567
2024/06/06 19:26:10 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916577
2024/06/06 19:26:10 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/360626916587
2024/06/06 19:26:10 Could not obtain certificates:
error: one or more domains had a problem:
[*.systypes.org] [*.systypes.org] acme: error presenting token: easydns: code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
[*.theturners.org] [*.theturners.org] acme: error presenting token: easydns: code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
[systypes.org] [systypes.org] acme: error presenting token: easydns: code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
[theturners.org] [theturners.org] acme: error presenting token: easydns: code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
$

So I'm missing credentials. Where should those go and what needs to be included? I assumed that the key and token were the credentials. Apparently that's incorrect.

Where have I gone wrong?
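A wrapper for the lego invocation in the post above, added here as an example and not code from the thread or from the lego project. It ties together the two points raised earlier: the API key/token should be protected (it refuses to run when the credentials file is group- or world-readable), and lego only sees EASYDNS_KEY/EASYDNS_TOKEN when they are exported to its environment. The credentials file path and the example.org names are assumptions; it assumes POSIX sh with GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not from the thread or the lego project. Wraps lego's
# dns-01 run for EasyDNS: credentials live in a root-only file and are
# exported to the lego child process. Assumes GNU or BSD stat.
set -u

CRED_FILE="${CRED_FILE:-/root/.easydns-creds}"   # assumed path
LEGO_BIN="${LEGO_BIN:-/snap/bin/lego}"            # path from the thread

# Return 0 only if the file exists and is not readable by group or others.
check_cred_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    # Mask off the owner bits; anything left is group/other access.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$f is mode $mode; run: chmod 600 $f" >&2
        return 1
    fi
    return 0
}

# Source EASYDNS_KEY / EASYDNS_TOKEN and export them. lego reads them from
# the environment; a plain shell assignment never reaches the child process
# and lego then reports "did NOT provide any credentials".
load_creds() {
    check_cred_file "$1" || return 1
    . "$1"
    if [ -z "${EASYDNS_KEY:-}" ] || [ -z "${EASYDNS_TOKEN:-}" ]; then
        echo "EASYDNS_KEY and EASYDNS_TOKEN must both be set in $1" >&2
        return 1
    fi
    export EASYDNS_KEY EASYDNS_TOKEN
}

# Run lego with one --domains flag per name. Pass wildcards quoted
# ('*.example.org') so the calling shell does not glob-expand them.
run_lego() {
    email="$1"; shift
    for d in "$@"; do
        shift
        set -- "$@" --domains "$d"
    done
    "$LEGO_BIN" --email "$email" --dns easydns "$@" run
}

# Typical use (constructed names):
#   load_creds "$CRED_FILE" && run_lego admin@example.org example.org '*.example.org'
```

The credentials file holds two lines, `EASYDNS_KEY=...` and `EASYDNS_TOKEN=...`, and is created with `chmod 600` as root so that only the account running lego (or Certbot with certbot-dns-multi) can read it.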

I've given up trying to get Certbot running with the "--dns" method. I fell back on the basic "sudo certbot --nginx" command and things sort of worked. (Once I selected the domains correctly, that is.) Not sure what the "--dns" method is good for. I guess it works for some but the documentation on how to use it, IMHO, needs work.

Anyway... I'm satisfied that this thread could be closed out.

1 Like