DnsManagementClient.__init__() takes from 3 to 4 positional arguments but 5 were given

Hello Team,

we are using certbot command for getting the certs-

certbot certonly --authenticator dns-azure --preferred-challenges dns --noninteractive --agree-tos --dns-azure-config ./azure.ini -m ITSOECloudandIaaS-AzureSMEs@xxxx.com $san_args --key-type rsa --config-dir $HOME/.config/letsencrypt --work-dir $HOME/.local/share/letsencrypt --logs-dir $HOME/.cache/letsencrypt -v

However, we are running in the github actions and here are some plugins that we are installing:

steps:
- name: Checkout Repository
  uses: actions/checkout@v2

- name: Update and Upgrade Packages
  run: |
     sudo apt-get update
     sudo apt-get upgrade -y
  shell: bash

- name: Update and Upgrade Packages
  run: |
     sudo apt install jq 
  shell: bash

- name: Install Python3 and pip
  run: |
     sudo apt-get install python3-pip -y
  shell: bash

- name: Install Certbot and Certbot Plugins
  run: |
     sudo -H pip install --ignore-installed certbot certbot-dns-azure
  shell: bash

- name: Remove python3-openssl and Install pyOpenSSL
  run: |
     sudo apt remove python3-openssl -y
     sudo -H pip install pyOpenSSL
  shell: bash

During the execution of the certbot command, we are getting error now while it worked exactly fine till last month.

This is the error we are getting now along with the logs

dns: cdt-api.fulfillment.xxxx.com

environment: cdt

domainname: fulfillment.xxxx.com

Preparing azure.ini file..

azure.ini file created successfully..

dns_without_domain: cdt-api

-d cdt-api.fulfillment.xxxx.com

checking existing CNAME records..

Renewing certificate now..

Saving debug log to /home/runner/.cache/letsencrypt/letsencrypt.log

Plugins selected: Authenticator dns-azure, Installer None

Account registered.

Requesting a certificate for cdt-api.fulfillment.xxxx.com

Performing the following challenges:

dns-01 challenge for cdt-api.fulfillment.xxxx.com

Cleaning up challenges

Encountered exception during recovery: TypeError: DnsManagementClient.init() takes from 3 to 4 positional arguments but 5 were given

An unexpected error occurred:

TypeError: DnsManagementClient.init() takes from 3 to 4 positional arguments but 5 were given

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /home/runner/.cache/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Could you please help as soon as possible as it may be a high priority issue (p1) if the certificates are not renewed.

Thank you.

There's no DnsManagementClient anywhere in the Certbot code base, so it's likely part of the third party DNS plugin you're using or a library that plugin is depending on.

This can be confirmed with a detailed backtrace from the log.

If I were to guess, it's probably a version mismatch between the third party DNS plugin and one of their dependencies.

Edit:
Looks like in azure-mgmt-dns there were 5 arguments possible:

But with the most recent update from 2025-07-14, it was changed to:

Most likely everything starts to work again if you downgrade/ppin the azure-mgmt-dns Python package to 8.2.0.

Also probably a good idea, if 8.2.0 makes everything work again while 9.0.0 breaks it, to file an issue with the author of the Azure DNS plugin at GitHub · Where software is built.

By the way: is the xxxx.com domain really yours? Or is it just a placeholder? If it's the latter: please don't use existing, registered domains as placeholders. Use example.com and/or one of the other TLDs for that domain name as placeholders. Thank you.

2 Likes

Hello Osiris,

Thanks for your response.

Just by Replacing this step -

**- name: Install Certbot and Certbot Plugins**

** run: |**
** sudo -H pip install --ignore-installed certbot certbot-dns-azure**

By this step -

**- name: Install Certbot and Certbot Plugins**

** run: |**
** sudo snap install certbot --classic**
** sudo snap install --channel=stable certbot-dns-azure**
** sudo snap set certbot trust-plugin-with-root=ok**
** sudo snap connect certbot:plugin certbot-dns-azure**
** shell: bash**

it started working again. Not sure if this is a good idea to leave it as is or is there any other better approach that I can consider to permanently resolve this issue please?

The Domain belongs to us (Just masked it here)

Thank you.

You didn't share enough to convey what you're doing, so I should give this warning: subscribers should NOT order Certificates from a trusted CA as part of their CI/Testing Systems. Staging and Test systems are fine; ordering from Production and saving the cert into CI for other runs is fine as well. Many users have wedged their account with Rate Limits by ordering in their CI systems and bad autoscaling of cloud services though.

3 Likes

You didn't "mask" it. You substitutesd a real domain that is not yours. Please don't do that. It makes it harder to troubleshoot and and is inconsiderate to the actual domain registrant.

If you want to hide your domain, please use an appropriate mechanism, such as example.com. This makes it obvious that you are hiding the real domain, and doesn't misuse a domain that belongs to someone else.

2 Likes

hi @jvanasco , @linkp , Sure Noted.
This was our first Lets Encrypt Community Support Request :slight_smile:

Could Either of you please confirm the steps that we took to resolve is Okay? Or do you have any other better approaches to resolve this permanently?

Thank you.

You should ask that of the author of the plugin. They should be made aware of this problem and that the snap install worked for you.

Maybe a coincidence but someone just posted about your exact problem at that github. See: Hardcode azure-mgmt-dns version to 8.2.0 by carnerito · Pull Request #58 · terricain/certbot-dns-azure · GitHub

Maybe some volunteer here has personal experience with that 3rd party azure plugin. But, it is still best to work directly with the author for the best solution.

2 Likes

The snap probably worked by lucky timing.

The issue, as disclosed on the link shared, is that azure-mgmt-dns was recently upgraded with breaking changes and the certbot plugin does not guard against that via version pinning.

Installation via PyPi will always provide the most recent versions of a package immediately after they have been uploaded to all users. It is up to developers to pin releases of required packages. If you install software with unpinned dependencies, the latest version of that dependency is getting pulled in from PyPi.

Installation via Snap will utilize their systems and deployment logic -- so there is usually a delay in getting the snap developed from the PyPi release, and then there is a delay in how the snap is distributed across channels (see Channels | Snapcraft documentation). Snapd also (at least at one time) partitioned releases to the general public – so once something hits stable, it slowly rolls out to users in groups instead of all users at once.

Most likely the @Suhas_Chandrashekar switched to snap during a window in which the breaking changes in the azure package have not widely deployed on the snap network yet. If you have a snap machine handy, you can interrogate the system to see what is live on which channels. I would not be surprised if snapd updates to the broken packages in the next few days.

4 Likes

Thanks @MikeMcQ and @jvanasco !

So, while I wait this PR to be merged - Hardcode azure-mgmt-dns version to 8.2.0 by carnerito · Pull Request #58 · terricain/certbot-dns-azure · GitHub, Could this be a safer option to use with - ?

  • name: Install Certbot and Certbot Plugins
    run: |
    sudo -H pip install certbot certbot-dns-azure azure-mgmt-dns==8.2.0
    shell: bash

Could you please suggest?

1 Like

sudo -H pip install certbot certbot-dns-azure azure-mgmt-dns==8.2.0

Yes, that's what I would do.

4 Likes

Thanks @jvanasco. Tried this and it is working now.

Just for my understanding, so, should we lock in this version of plugin that works for us? For instance, lets say, there are newer versions of this getting released and we would still be on 8.2.0.

would that affect in any way?

I'd probably pin the plugin too.

Thanks @Osiris . Would you mean, something like this as an example?
pip install certbot==2.10.0 certbot-dns-azure==2.10.0 azure-mgmt-dns==8.2.0

Just for my understanding, so, should we lock in the versions of all these plugins that works for us? For instance, lets say, there are newer versions of this getting released and we would still be on 8.2.0.

would that affect in any way?

Thanks in advance for your suggestions.