Error while certbot renew --dry-run

I only get this error if I'm dry-running.

My domain is:
ztjuh.tk

I ran this command:
sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/ztjuh.tk.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for ztjuh.tk
dns-01 challenge for ztjuh.tk
Cleaning up challenges
Attempting to renew cert (ztjuh.tk) from /etc/letsencrypt/renewal/ztjuh.tk.conf produced an unexpected error: 'code'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ztjuh.tk/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ztjuh.tk/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

The operating system my web server runs on is (include version):
Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.4.0

Here is a pastebin of letsencrypt.log: https://pastebin.com/raw/NRJSZuTq

While the Python error is rather prominent and is probably a bug too (try updating the cloudflare python library), I don't think that's really your problem. If you look at the following log line:

2020-05-15 22:04:40,987:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "POST /client/v4/zones/6f63a88933aeb8b3ff1fffdd23666298/dns_records HTTP/1.1" 401 None

One thing stands out: the HTTP response code of CloudFlare's API: 401. And the HTTP 401 response code means Unauthorized.

Could you double verify your CloudFlare credentials?

My e-mail and api key are right in the ini file…

And has nothing been changed in the zone authorizations on CloudFlare's side?

No I just checked them, they are right.

And if you upgrade the CloudFlare python library?

I’m finding it very strange that "GET"s (“reads”) to the CloudFlare API are fine with the credentials, but "POST"s (“writes”) are forbidden…

I think they are updated already

certbot-dns-cloudflare 1.4.0
cloudflare 2.3.0

Can you show a similar trace that passes?
This failure makes it seem pretty evident that the creds are not good:

2020-05-15 22:04:40,560:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2020-05-15 22:04:40,795:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ztjuh.tk&per_page=1 HTTP/1.1" 200 None
2020-05-15 22:04:40,796:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Found zone_id of 6f63a88933aeb8b3ff1fffdd23666298 for ztjuh.tk using name ztjuh.tk
2020-05-15 22:04:40,796:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Attempting to add record to zone 6f63a88933aeb8b3ff1fffdd23666298: {'type': 'TXT', 'name': '_acme-challenge.ztjuh.tk', 'content': '5vwEd9ycczb5xvOyIJkPQCa-AuIqOBDf-O-1xav9-ng', 'ttl': 120}
2020-05-15 22:04:40,987:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "POST /client/v4/zones/6f63a88933aeb8b3ff1fffdd23666298/dns_records HTTP/1.1" 401 None
2020-05-15 22:04:40,989:DEBUG:certbot._internal.error_handler:Encountered exception:

Can’t show one that passes since I only have 1 cert and domain nowadays, and it doesn’t need renewal yet.

Should I check my domain.conf too or only the credentials.ini?

I’ll try to create an API Token to edit my domain (this wasn’t here a few months ago).

There should be a way to test your creds independent of certbot.
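One way to do that credential test outside certbot, as an added example that is not code from the thread or from certbot: a stdlib-only Python script that repeats the sequence visible in the log above (GET the zone, POST a `_acme-challenge` TXT record, then DELETE it) and reports each step's HTTP status, so a 401 that hits only the write is obvious. The header names are the ones Cloudflare's API documents for a global key or an API token; the `request` parameter is a hypothetical hook added here so the HTTP layer can be swapped out.

```python
import json, urllib.error, urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def default_request(method, url, headers, body=None):
    """One HTTPS call via urllib; returns (status, decoded JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        # 401/403 land here; keep the body so Cloudflare's own message stays visible
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"raw": raw.decode(errors="replace")}


def auth_headers(email=None, api_key=None, api_token=None):
    """Headers for a global API key (email + key) or for an API token (Bearer)."""
    headers = {"Content-Type": "application/json"}
    if api_token:
        headers["Authorization"] = f"Bearer {api_token}"
    else:
        headers["X-Auth-Email"], headers["X-Auth-Key"] = email, api_key
    return headers


def check_write_access(domain, headers, request=default_request):
    """GET the zone, POST a TXT record, DELETE it again; the status of each step
    is returned so a 401 on the write alone (as in the log above) stands out."""
    result = {"zone_id": None, "get": None, "post": None, "delete": None, "errors": []}
    status, body = request("GET", f"{CF_API}/zones?name={domain}&per_page=1", headers)
    result["get"] = status
    zones = body.get("result") or []
    if status != 200 or not zones:
        result["errors"].append(body.get("errors", body))
        return result
    result["zone_id"] = zone_id = zones[0]["id"]
    record = {"type": "TXT", "name": f"_acme-challenge.{domain}", "content": "credential-probe", "ttl": 120}
    status, body = request("POST", f"{CF_API}/zones/{zone_id}/dns_records", headers, record)
    result["post"] = status
    if status != 200:
        result["errors"].append(body.get("errors", body))
        return result
    rec_id = body["result"]["id"]
    status, _ = request("DELETE", f"{CF_API}/zones/{zone_id}/dns_records/{rec_id}", headers)
    result["delete"] = status
    return result
```

Feed it the same values certbot reads from the credentials ini (`dns_cloudflare_email` and `dns_cloudflare_api_key`, or `dns_cloudflare_api_token`) and call `check_write_access("ztjuh.tk", auth_headers(...))`; the returned `errors` list carries whatever Cloudflare put in the 401 body.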

Well the zoneid is right for sure so I don’t know why it’s failing with 401…

That might be the most recent release available on your OS, but it's about six months old. The 'code' error handling bug was fixed in 2.7.0 or 2.7.1.

If you fix that bug, you should be able to see the real error message that's coming from Cloudflare. It's probably this one:

https://community.cloudflare.com/t/unable-to-update-ddns-using-api-for-some-tlds/167228

Ah yes it is, I updated cloudflare to 2.7.1 now and it’s showing exactly that error!
