[FIXED] Ubuntu 24.04 LTS + certbot-plugin-gandi

Not sure where to ask but I noticed my letsencrypt for one (sub)domain is not working in combination with Gandi DNS. I recently did an upgrade from Ubuntu server 22.04 to 24.04 LTS and guess this is the issue.

In the log I noticed:
2024-08-28 17:17:14,952:ERROR:certbot._internal.renewal:Failed to renew certificate with error: The requested certbot-plugin-gandi:dns plugin does not appear to be installed

I did a list of installed packages and it seems the mentioned certbot-plugin-gandi is installed:
pip list | grep certbot
certbot 2.9.0
certbot-apache 2.9.0
certbot-plugin-gandi 1.4.3

Ubuntu itself mentions: python3-certbot-dns-gandi is already the newest version (1.4.3-2).

This is part of the domain config for renewal:

# Options used in the renewal process

[renewalparams]
account =
pref_challs = dns-01,
authenticator = certbot-plugin-gandi:dns
server = https://acme-v02.api.letsencrypt.org/directory
certbot_plugin_gandi:dns_credentials = /etc/letsencrypt/gandi.ini
renew_hook = systemctl reload exim4

How to troubleshoot this? Any help would be appreciated.

What I understand is that letsencrypt is no longer able to access my DNS entries at Gandi to verify the domain etc.

Thanks,
Matthijs

1 Like

It's always a very bad idea to combine pip globally with the OS package manager. When using pip, it's a good idea to use a virtual environment.

What's the output of the following commands:

whereis certbot
sudo certbot plugins
2 Likes

Okay, I just did as suggested and:
certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log


  • apache
    Description: Apache Web Server plugin
    Interfaces: Authenticator, Installer, Plugin
    Entry point: EntryPoint(name='apache',
    value='certbot_apache._internal.entrypoint:ENTRYPOINT', group='certbot.plugins')

  • dns-gandi
    Description: Obtain certificates using a DNS TXT record (if you are using Gandi
    for DNS).
    Interfaces: Authenticator, Plugin
    Entry point: EntryPoint(name='dns-gandi',
    value='certbot_plugin_gandi.main:Authenticator', group='certbot.plugins')

  • standalone
    Description: Runs an HTTP server locally which serves the necessary validation
    files under the /.well-known/acme-challenge/ request path. Suitable if there is
    no HTTP server already running. HTTP challenge only (wildcards not supported).
    Interfaces: Authenticator, Plugin
    Entry point: EntryPoint(name='standalone',
    value='certbot._internal.plugins.standalone:Authenticator',
    group='certbot.plugins')

  • webroot
    Description: Saves the necessary validation files to a
    .well-known/acme-challenge/ directory within the nominated webroot path. A
    seperate HTTP server must be running and serving files from the webroot path.
    HTTP challenge only (wildcards not supported).
    Interfaces: Authenticator, Plugin
    Entry point: EntryPoint(name='webroot',
    value='certbot._internal.plugins.webroot:Authenticator',
    group='certbot.plugins')


Does this look correct? I guess so...

Okay, digging around I just tried to certificate a new sub-domain and test if it works.
Seems some details are changed:

In the gandi.ini I changed: certbot_plugin_gandi:dns_api_key => dns_gandi_api_key
And this is the new domain config for renewal:
[renewalparams]
account =
authenticator = dns-gandi
dns_gandi_credentials = /etc/letsencrypt/gandi.ini
server = https://acme-v02.api.letsencrypt.org/directory
renew_hook = systemctl reload exim4
key_type = rsa

Though in the test the key_type was ecdsa but now seems to be changed into rsa.

1 Like

Ah yes, I missed the : earlier. Nowadays Certbot does not use the plugin_name:variable-like construction any more.

Does it work now?

3 Likes

Yes, works fine now :)

THANKS!

4 Likes
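
An added example, not written by any poster in this thread: a small Python check that flags the old colon-style names seen above in a renewal config or credentials file and shows the replacement lines the thread arrived at. The rename table holds only the names that appear in the thread; the function name `audit` and the sample text are constructed for illustration.

```python
# Legacy -> current names, taken only from the thread above.
LEGACY_PLUGIN = "certbot-plugin-gandi:dns"
CURRENT_PLUGIN = "dns-gandi"
KEY_RENAMES = {
    "certbot_plugin_gandi:dns_credentials": "dns_gandi_credentials",
    "certbot_plugin_gandi:dns_api_key": "dns_gandi_api_key",
}

# Constructed sample input, modelled on the files quoted in the thread.
SAMPLE_RENEWAL = """\
[renewalparams]
account =
pref_challs = dns-01,
authenticator = certbot-plugin-gandi:dns
server = https://acme-v02.api.letsencrypt.org/directory
certbot_plugin_gandi:dns_credentials = /etc/letsencrypt/gandi.ini
renew_hook = systemctl reload exim4
"""
SAMPLE_CREDS = "certbot_plugin_gandi:dns_api_key = EXAMPLE-NOT-A-REAL-KEY\n"


def audit(text):
    """Return (line_no, old_line, new_line) for each legacy colon-style name.

    new_line is None when the name looks legacy but has no known mapping,
    so it needs a manual check against the output of `certbot plugins`.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep or key.startswith("#"):
            continue  # section header, blank line or comment
        new_key = KEY_RENAMES.get(key, key)
        is_legacy_auth = (key, value) == ("authenticator", LEGACY_PLUGIN)
        new_value = CURRENT_PLUGIN if is_legacy_auth else value
        if new_key.endswith("api_key"):
            value = new_value = "<redacted>"  # never echo the secret into a report
        if (new_key, new_value) != (key, value):
            findings.append((no, f"{key} = {value}", f"{new_key} = {new_value}"))
        elif ":" in key or (key == "authenticator" and ":" in value):
            findings.append((no, f"{key} = {value}", None))
    return findings


if __name__ == "__main__":
    for no, old, new in audit(SAMPLE_RENEWAL) + audit(SAMPLE_CREDS):
        print(f"line {no}: {old}  ->  {new or 'no known mapping, review manually'}")
```

After editing the files, `certbot renew --dry-run` exercises the renewal path without issuing a certificate.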
