DNSMadeEasy Certbot Plugin Error - Unable to determine zone identifier for domain when using subdomains

From what I can tell a recent update sometime around early October of this plugin has broken the DNSMadeEasy DNS authentication functionality when used with subdomains. Everything was working fine prior.

When using the DNSMadeEasy plugin to query their API along with a subdomain (ex: "foo.bar.example.com") it is trying "example.com" on the first three attempts, then trying ".com" the final attempt. It SHOULD be trying "foo.bar.example.com", then "bar.example.com", then "example.com", then ".com".

Here are some example snippets from the logs where you can see it repeatedly querying the wrong name in spite of knowing the correct names:

<snip...>
2023-10-20 09:50:59,562:DEBUG:urllib3.connectionpool:https://api.dnsmadeeasy.com:443 "GET /V2.0/dns/managed/name?domainname=example.com HTTP/1.1" 404 None
<snip...>
2023-10-20 09:50:59,897:DEBUG:urllib3.connectionpool:https://api.dnsmadeeasy.com:443 "GET /V2.0/dns/managed/name?domainname=example.com HTTP/1.1" 404 None
<snip...>
2023-10-20 09:51:00,266:DEBUG:urllib3.connectionpool:https://api.dnsmadeeasy.com:443 "GET /V2.0/dns/managed/name?domainname=example.com HTTP/1.1" 404 None
<snip...>
2023-10-20 09:51:00,641:DEBUG:urllib3.connectionpool:https://api.dnsmadeeasy.com:443 "GET /V2.0/dns/managed/name?domainname=.com HTTP/1.1" 404 None
<snip...>
2023-10-20 09:51:00,644:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/3420/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/snap/certbot/3420/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/snap/certbot/3420/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 216, in _perform
    resolved_domain = self._resolve_domain(domain)
  File "/snap/certbot/3420/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 259, in _resolve_domain
    raise errors.PluginError('Unable to determine zone identifier for {0} using zone names: {1}'

certbot.errors.PluginError: Unable to determine zone identifier for subdomain-two.subdomain-one.example.com using zone names: ['subdomain-two.subdomain-one.example.com', 'subdomain-one.example.com', 'example.com', 'com']

Thanks for any help you can give.

2 Likes

Hi @NDev, and welcome to the LE community forum :slight_smile:

What version of certbot are you using?

3 Likes

@rg305 ,

Thanks for responding!

Here's the output from snap list --all

Name                     Version    Rev    Tracking       Publisher     Notes
certbot                  2.7.2      3420   latest/stable  certbot-eff✓  classic
certbot-dns-dnsmadeeasy  2.7.2      3028   latest/stable  certbot-eff✓  -
core                     16-2.60.3  16091  latest/stable  canonical✓    core,disabled
core                     16-2.60.4  16202  latest/stable  canonical✓    core
core20                   20230622   1974   latest/stable  canonical✓    base,disabled
core20                   20230801   2015   latest/stable  canonical✓    base
core22                   20230725   858    latest/stable  canonical✓    base,disabled
core22                   20230801   864    latest/stable  canonical✓    base
htop                     3.2.2      3758   latest/stable  maxiberta     disabled
htop                     3.2.2      3873   latest/stable  maxiberta     -

3 Likes

Do those subdomains exist in that zone?

Did you happen to upgrade from Ubuntu 20 to 22 recently?
If so, try uninstalling and reinstalling: certbot-dns-dnsmadeeasy

3 Likes

@rg305 ,
Our DNSMadeEasy config has not changed in quite some time. During that time it was working without issue.

Edit: Forgot to mention. We do have the main domain managed elsewhere and DNSMadeEasy is only responsible for the subdomain-one.example.com level onward. That said, it has always been this way so nothing has changed there. The only thing that I can determine changed was the certbot-dns-dnsmadeeasy plugin version.

I strongly suspect that the logic which checks the DNSMadeEasy API to query for the domain record is broken. This is evidenced by the 4 API calls in the log which should correspond to the array of hostnames it intends to check (['subdomain-two.subdomain-one.example.com', 'subdomain-one.example.com', 'example.com', 'com']), but instead it's checking example.com the first 3 times, and .com the fourth time.

I suspect the code that constructs the URL for the API call to DNSMadeEasy (ex: /V2.0/dns/managed/name?domainname=example.com) is stripping off the subdomains when appending the domainname=... search string parameter. If it only intended to check example.com and .com, why would it be making 4 calls?

I have tried uninstalling and reinstalling the plugin and certbot. I have also tried a previous version which appeared to be released around October 10th (based on directory date) and October 3rd. Both of those versions also exhibited the same problem.

Unfortunately I don't think there's a way to go back beyond the previous version using snap. I'd love to try installing 2.6.0 again to see how it goes, but I don't think there's a way to do that with snap. If you know of a way, let me know.

Thanks for your help. I'm hoping this results in a bug report to the maintainers of the plugin. If nothing else someone experiencing the same problem might stumble onto this and know it's not them.

3 Likes

You may have better luck posting on the Certbot github. You may reach the devs quicker there. I also couldn't find a way to install a specific Certbot with snap (just a single one back using revert). But, maybe someone on the github would know.

The acme.sh ACME Client also supports DNSMadeEasy and its plugin (source here) has not changed for 3 years. Changing clients isn't always simple but is another way forward.

5 Likes

@MikeMcQ ,

Thank you for the suggestions. I will take them into consideration.

3 Likes

There has been a major refactoring of the dns-lexicon based DNS plugins (see Refactor Lexicon-based DNS plugins (#9746) · certbot/certbot@732a3ac · GitHub). It landed in 2.7.0.

You could try to install Certbot 2.6.0 using pip in a Python venv for testing purposes. E.g.:

cd /tmp
python -m venv certbot-test
cd certbot-test
source bin/activate
pip install certbot-dns-dnsmadeeasy==2.6.0

And try that version.

4 Likes

@Osiris ,

This is a great suggestion. I will see if I can give this a try and report back.

3 Likes

@Osiris ,

It took some jumping through hoops but I was able to revert back to certbot-dns-dnsmadeeasy version 2.6.0 within a Python virtual env, and the renewal worked. I also see entries in the log consistent with the behavior I would expect to see based on the domains it was attempting to find via the DNSMadeEasy API.

This time around it sent the full subdomain + domain entry to the API. Example:

<snip...>
2023-10-24 16:27:45,457:INFO:certbot._internal.auth_handler:dns-01 challenge for subdomain-two.subdomain-one.example.com
<snip...>
2023-10-24 16:27:45,736:DEBUG:urllib3.connectionpool:https://api.dnsmadeeasy.com:443 "GET /V2.0/dns/managed/name?domainname=subdomain-two.subdomain-one.example.com HTTP/1.1" 404 None
<snip...>
2023-10-24 16:27:46,121:DEBUG:urllib3.connectionpool:https://api.dnsmadeeasy.com:443 "GET /V2.0/dns/managed/name?domainname=subdomain-one.example.com HTTP/1.1" 200 None
<snip...>
2023-10-24 16:27:46,828:DEBUG:urllib3.connectionpool:https://api.dnsmadeeasy.com:443 "POST /V2.0/dns/managed/1323232/records/ HTTP/1.1" 201 None
2023-10-24 16:27:46,830:DEBUG:lexicon._private.providers.dnsmadeeasy:create_record: True
2023-10-24 16:27:46,831:DEBUG:certbot._internal.display.obj:Notifying user: Waiting 60 seconds for DNS changes to propagate
<snip...>

Notice the call to /V2.0/dns/managed/name?domainname=subdomain-one.example.com which was successful. The newer version of the plugin just tries example.com multiple times instead which is never going to find the subdomain entry.

I think this strongly supports my suspicion that the new plugin version has a bug and is lopping off the subdomains when it constructs the URL to query the API.

For now this is a bandaid, but I hope the actual plugin is fixed. I know most people probably aren't using this with subdomains so we may be an edge-case there, but I doubt we're the only ones having this issue. Is there a way to report this to the dev of this plugin? Is opening a GitHub issue the proper route to take there?

Thank you for your help so far! I greatly appreciate it.

4 Likes
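A small Python illustration, added here and not part of the thread or of certbot's own code, of the zone walk the error message lists and of the log comparison @NDev did by hand above. The log strings are trimmed copies of the request lines posted in this thread, the zone id 1323232 is the one in the working log's POST, and the dictionary standing in for the DNSMadeEasy API is constructed.

```python
import re
from typing import Callable, List, Optional, Tuple

# Matches the urllib3 lines certbot logs for DNSMadeEasy zone lookups.
QUERY_RE = re.compile(
    r'"GET /V2\.0/dns/managed/name\?domainname=([^ "]+) HTTP/1\.1" (\d{3})')

DOMAIN = "subdomain-two.subdomain-one.example.com"

# Constructed: trimmed copies of the request lines from the two logs above.
BROKEN_LOG = """
"GET /V2.0/dns/managed/name?domainname=example.com HTTP/1.1" 404 None
"GET /V2.0/dns/managed/name?domainname=example.com HTTP/1.1" 404 None
"GET /V2.0/dns/managed/name?domainname=example.com HTTP/1.1" 404 None
"GET /V2.0/dns/managed/name?domainname=.com HTTP/1.1" 404 None
"""
WORKING_LOG = """
"GET /V2.0/dns/managed/name?domainname=subdomain-two.subdomain-one.example.com HTTP/1.1" 404 None
"GET /V2.0/dns/managed/name?domainname=subdomain-one.example.com HTTP/1.1" 200 None
"""

# Constructed stand-in for the API: only the zone DNSMadeEasy actually hosts
# answers, with the zone id seen in the working log's POST.
HOSTED_ZONES = {"subdomain-one.example.com": 1323232}

def candidate_zones(domain: str) -> List[str]:
    """Zone names to try, most specific first, as listed in the error message."""
    labels = domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def resolve_zone(domain: str, lookup: Callable[[str], Optional[int]]) -> Optional[Tuple[str, int]]:
    """Walk the candidates and stop at the first one the API knows."""
    for zone in candidate_zones(domain):
        zone_id = lookup(zone)
        if zone_id is not None:
            return zone, zone_id
    return None  # the 2.7.x outcome: the hosted zone is never asked for

def queried_names(log_text: str) -> List[Tuple[str, int]]:
    """(domainname, HTTP status) for each zone lookup found in the log."""
    return [(m.group(1), int(m.group(2))) for m in QUERY_RE.finditer(log_text)]

def queries_match_candidates(domain: str, log_text: str) -> bool:
    """True when the names actually sent are the candidates, in order, up to the first hit."""
    actual = [name for name, _ in queried_names(log_text)]
    return actual == candidate_zones(domain)[: len(actual)]
```

Running queries_match_candidates over a renewal log is a quick way to tell whether the plugin is querying the names it claims to try or, as in the 2.7.x log, something else.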

It is indeed.

3 Likes

For what it's worth the issue still persists with the latest beta version 2.7.3. I tried this with certbot, and certbot-dns-dnsmadeeasy set to the 2.7.3 beta release. Same error. :frowning:

1 Like

There have been fixes for dnsimple (typo which destroyed the entire plugin) and OVH, but not for dnsmadeeasy.

This is probably another bug introduced in Certbot that still requires fixing.

1 Like
