DNSimple validation fails with a 400 response

My domain is:
identityvector.com

I ran this command:
certbot certonly --dns-dnsimple --dns-dnsimple-credentials ~/.dnsimple_certbot_token --dns-dnsimple-propagation-seconds 60 -d testme.identityvector.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-dnsimple, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for testme.identityvector.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Cleaning up challenges
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Error adding TXT record: 400 Client Error: Bad Request

My web server is (include version): N/A

The operating system my web server runs on is (include version): Linux CentOS 7

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is:
certbot 0.31.0 (EPEL RPM)

Validation fails with the 400 response. Running the command with -vvv shows, in part, the following is responsible:

dns-01 challenge for testme.identityvector.com
Starting new HTTPS connection (1): api.dnsimple.com
"GET /v2/accounts HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.dnsimple.com
"GET /v2/1111/domains?name_like=testme.identityvector.com HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.dnsimple.com
"GET /v2/accounts HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.dnsimple.com
"GET /v2/1111/domains?name_like=identityvector.com HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.dnsimple.com
"GET /v2/1111/zones/identityvector.com/records?type=TXT&name=_acme-challenge.testme HTTP/1.1" 200 None
list_records: []
Starting new HTTPS connection (1): api.dnsimple.com
"POST /v21111/zones/identityvector.com/records HTTP/1.1" 400 None

Note that the POST operation is for /v21111/ when it should be for /v2/1111/ - the forward slash is missing. I am not sure where this is coming from, as the DNSimple validation has worked in the past. A cursory review of the responsible code reflects the slash as present.

FWIW, this is a bug in the Lexicon library that was apparently fixed yesterday in version 3.2.0:


Thanks for that pointer!!! I tried downgrading the RPM, but the previous version was also broken. Rather than trying to trace back the problem to its root (since it’s already fixed), I simply applied the single-character patch to providers/dnsimple.py on line 75, per the PR linked above. Running certbot renew worked fine after this change.

Thank you again!!!

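The diagnosis in the first post (spotting the fused /v21111/ path in the -vvv output) can be automated over a saved debug log. The Python below is an added example, not code from certbot, Lexicon or any poster in this thread; the function name audit_requests and the assumption that only /v2/accounts and /v2/<account id>/... are well-formed paths are the example's own.

```python
import re

# Constructed sample: request lines quoted in the first post (certbot -vvv output).
SAMPLE_LOG = '''\
dns-01 challenge for testme.identityvector.com
"GET /v2/accounts HTTP/1.1" 200 None
"GET /v2/1111/domains?name_like=identityvector.com HTTP/1.1" 200 None
"GET /v2/1111/zones/identityvector.com/records?type=TXT&name=_acme-challenge.testme HTTP/1.1" 200 None
list_records: []
"POST /v21111/zones/identityvector.com/records HTTP/1.1" 400 None
'''

# urllib3-style debug line: "METHOD path HTTP/1.1" status length
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})')
# Assumption: only the two path shapes seen in this thread count as well formed.
VALID_PATH_RE = re.compile(r'^/v2/(?:accounts|\d+/.+)$')
# API version prefix fused with the numeric account id, e.g. /v21111/...
FUSED_RE = re.compile(r'^/v2(\d+)(/.*)$')


def audit_requests(log_text):
    """Return one finding per request that failed or used an unexpected path."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not an HTTP request line
        path = match.group("path").split("?", 1)[0]  # ignore the query string
        status = int(match.group("status"))
        malformed = VALID_PATH_RE.match(path) is None
        if not malformed and status < 400:
            continue  # well-formed path and successful response
        fused = FUSED_RE.match(path)
        findings.append({
            "line": lineno,
            "method": match.group("method"),
            "path": path,
            "status": status,
            "malformed": malformed,
            # Suggested path only when the fused-prefix pattern is recognised.
            "expected": f"/v2/{fused.group(1)}{fused.group(2)}" if fused else None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_LOG):
        print(finding)
```

A finding with "malformed" set points at the client library building the URL rather than at the credentials or the zone, which is the distinction the first post drew by hand.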