Domain Offensive (do.de) - DNS-01 challenge - Error adding TXT record: not successful

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: flexdns.rothertec.de, *.flexdns.rothertec.de

I ran this command: nginx proxy manager challenge with do.de API token (Docker on Debian)

It produced this output:

CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Encountered error adding TXT record: not successful
Encountered error deleting TXT record: not successful
Encountered error deleting TXT record: not successful
Error adding TXT record: not successful
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5)

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: do.de (Domain Offensive)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.9.0

I am kind of a rookie with nginx PM and letsencrypt (sorry, please be patient).
I use flexdns with Domain Offensive. I would like to get a certificate for my wildcard subdomain *.flexdns.rothertec.de using nginx Proxy Manager in a Docker container.

I have inserted the API token obtained from the do.de website for my account (using the certbot option).

flexdns points to flexdns.rothertec.de
I have created a CNAME record for *.flexdns.rothertec.de pointing to flexdns.rotherted.de.

I have already successfully created a certificate (HTTP-01 challenge) for a subdomain. I am able to connect via https to that service. So nginx PM and the encrypted connection to my service works fine.

So, I could create a separate HTTP-01 certificate for each subdomain and service. That would work but a wildcard certificate would be more elegant I guess and easier to handle.

But I am not able to generate a certificate for my wildcard domain. I get the mentioned error message.

Do you have an idea what I am doing wrong?

Thanks!

To be honest, most volunteers on this Community really have a dislike for NPM due to its weird quirks and the habit of absolutely showing NOTHING relevant when something goes wrong. And I guess most volunteers also don't have any experience themselves with NPM. Therefore, you might be disappointed by what we as volunteers can do for you.

That said, you have provided a lot more information than the regular NPM user on this Community usually gives us, so that's quite nice for a change, thanks for that :)

Perhaps you can find out how to retrieve the /tmp/letsencrypt-log/letsencrypt.log file?

4 Likes

Thank you very much for your immediate and kind reply.

I am able to ssh into the nginxPM container and retrieve the /tmp/letsencrypt-log/letsencrypt.log

But there is a lot of, let's say, "private" information in there; at least I would have to delete my API token.

Would it help if I provide the log file?
Which information should I remove?

1 Like

Of course the API token for your DNS zone needs to be redacted, if necessary. But as far as I know, Certbot's logs do not leak any actual private information. It often looks like weird encrypted code, but usually (if not always?) that's just the encoded JWS stuff which is sent to/from the ACME server and is actually not private at all (it's signed by the account's private key, but that key is never shown itself).

4 Likes

If certbot 2.9.0 has a plugin for do.de, then you should be able to test that directly [outside of NPM].

1 Like

Here we go, the letsencrypt.log from today. I tried it again to have a "fresh" logfile.

2021-04-21-letsencrypt - token removed.log.txt (17.4 KB)

Error message from today:

CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Encountered error adding TXT record: not successful
Encountered error deleting TXT record: not successful
Encountered error deleting TXT record: not successful
Error adding TXT record: not successful
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1105:16)
    at Socket.<anonymous> (node:internal/child_process:457:11)
    at Socket.emit (node:events:518:28)
    at Pipe.<anonymous> (node:net:337:12)

Domain Names
flexdns.rothertec.de
*.flexdns.rothertec.de

It seems the do.de plugin is broken?

Thanks again.

1 Like

I assume you are using the do.de plugin from georgeto on github. A DFS-90 forked that with better instructions on setting it up and debugging it. If you haven't seen that yet you may want to review it.

But, yes, the plugin seems broken or possibly not configured properly. The original hasn't been updated in 4 years so a lot can change in that time. If nothing else you might try posting an Issue at the georgeto repository and see if anyone can help.

I don't have any experience with do.de so don't have much else to offer. And, I am just guessing about the plugin. There isn't one for do.de mentioned in the Certbot docs so I just started searching github and found these.

UPDATE:
Oh, I just ran across this thread in NPM github. Same DFS-90 posted here. Might be a better place to post an issue to.

2 Likes

Thank you very much.

I have used the do.de plugin that is included in the Docker image of NginxPM. Neither the DFS-90 fork nor the georgeto repo have been updated in 4 years (as you mentioned). I doubt that anyone cares about do.de.

But maybe I should still open an issue in the NginxPM repository, can't hurt.

I guess I can live with the HTTP-01 challenge for each subdomain in my little home project.

So thanks again for your time and research.

Letsencrypt is such a fantastic project!

2 Likes

I am now very embarrassed and I apologize for the trouble I have caused.

I had a look into the python source code of the plugin and it is not so complicated. Everything seemed to be fine and I wondered why it is not working.

So, I had a look into the provided information of do.de and I found the problem. There is an empty field on top of the letsencrypt information, perhaps a little too inconspicuously labeled, and you have to click the update button to get an API token. I had completely overlooked that.

Well, it was my fault. I copied the wrong API token (the example API token).

Now with the correct API token it works flawlessly.

6 Likes