My domain is:
identityvector.com

I ran this command:
certbot certonly --dns-dnsimple --dns-dnsimple-credentials ~/.dnsimple_certbot_token --dns-dnsimple-propagation-seconds 60 -d testme.identityvector.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-dnsimple, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for testme.identityvector.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Cleaning up challenges
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Starting new HTTPS connection (1): api.dnsimple.com
Error adding TXT record: 400 Client Error: Bad Request

My web server is (include version): N/A

The operating system my web server runs on is (include version): Linux Centos 7

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is:
certbot 0.31.0 (EPEL RPM)

Validation fails with the 400 response. Running the command with -vvv shows, in part, the following is responsible:

dns-01 challenge for testme.identityvector.com
Starting new HTTPS connection (1): api.dnsimple.com
"GET /v2/accounts HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.dnsimple.com
"GET /v2/1111/domains?name_like=testme.identityvector.com HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.dnsimple.com
"GET /v2/accounts HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.dnsimple.com
"GET /v2/1111/domains?name_like=identityvector.com HTTP/1.1" 200 None
Starting new HTTPS connection (1): api.dnsimple.com
"GET /v2/1111/zones/identityvector.com/records?type=TXT&name=_acme-challenge.testme HTTP/1.1" 200 None
list_records: []
Starting new HTTPS connection (1): api.dnsimple.com
"POST /v21111/zones/identityvector.com/records HTTP/1.1" 400 None

Note that the POST operation is for /v21111/ when it should be for /v2/1111/ - the forward slash is missing. I am not sure where this is coming from, as the DNSimple validation has worked in the past. A cursory review of the responsible code reflects the slash as present.

FWIW, this is a bug in the Lexicon library that was apparently fixed yesterday in version 3.2.0:

Thanks for that pointer!!! I tried downgrading the RPM, but the previous version was also broken. Rather than trying to trace back the problem to its root (since it’s already fixed), I simply applied the single-character patch to providers/dnsimple.py on line 75, per the PR linked above. Running certbot renew worked fine after this change.

Thank you again!!!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.