Getting unauthorized URL error while trying to get cert for subdomains

I wanted to request new certificate for my website. I am able to get it for my domain without any issues, but when I am attempting to get for subdomains, I am seeing following errors

I have created api in developer[.]godaddy[.]com and when I am attempting to curl it.. getting access denied there as well

spiderman@apollo13:/etc/letsencrypt$ curl -X GET -H "Authorization: sso-key api-key:secret "https://api.godaddy.com/v1/domains/available?domain=website.top"
{"code":"ACCESS_DENIED","message":"Authenticated user is not allowed access"}

spiderman@apollo13:/etc/letsencrypt$ sudo certbot certonly --authenticator dns-godaddy --dns-godaddy-credentials /etc/letsencrypt/credentials.ini --dns-godaddy-propagation-seconds 900 -d website.top -d blog.website.top -d api.website.top -d app.website.top -d services.website.top --keep-until-expiring --non-interactive --server https://acme-v02.api.letsencrypt.org/directory -v

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-godaddy, Installer None
Requesting a certificate for website.top and 4 more domains
Performing the following challenges:
dns-01 challenge for api.website.top
dns-01 challenge for app.website.top
dns-01 challenge for blog.website.top
dns-01 challenge for services.website.top
Cleaning up challenges
Error determining zone identifier for api.website.top: 401 Client Error: Unauthorized for url: https://api.godaddy.com/v1/domains/api.website.top.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Any suggestions ?

You're using your actual API key instead of api-key and your actual secret instead of secret, right? As provided by GoDaddy and with no additional quotation marks or punctuation?

4 Likes

Hello @gdgupta11, welcome to the Let's Encrypt community. :slightly_smiling_face:

Moved from Issuance Tech to Help

When you opened this thread if had been in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

1 Like

Hi,

I have found that there is currently a general problem with the GoDaddy production domains API (for ANY acme client or API user) and I've reported it to them directly. The symptom is an http response like this for a previously working API key [and also with a new key].

{"code":"ACCESS_DENIED","message":"Authenticated user is not allowed access"}

4 Likes

I've contacted godaddy api support and I don't have good news:

We have recently updated the account requirements to access parts of our production Domains API. As part of this update, access to these APIs are now limited:

  • Availability API: Limited to accounts with 50 or more domains
  • Management and DNS APIs: Limited to accounts with 10 or more domains and/or an active Discount Domain Club plan.

This is impacting me in two ways: 1st as above here, I won't be able to renew my letsencrypt cert with the script I was using so far
2nd: I can't update the DNS record anymore, which I was using as a custom dynamic dns for my server...
What are alternative options now for both?

3 Likes

Ah. Well that will definitely affect many users - it affects me to. I think the best option is to complain loudly and for any users affected to also complain similarly.

The most practical option I can see would be to move your DNS hosting for that domain to a different API enabled DNS hosting provider (such as Cloudflare, which is free, but there are many paid options as well.). You can optionally keep the domain registration with GoDaddy, or move it, but that's separate to DNS nameserver hosting.

3 Likes

Yep, I've just triggered domain transfer to name.com Seems it has the right APIs that I need to update DNS records and renew letsencrypt certificate. Goodbye godaddy after so many years...

1 Like

Ok, well as mentioned you don't need to transfer the domain, just the nameserver hosting (which will be setting in GoDaddy to point to custom nameservers). For name.com check that your ACME client has a supported DNS provider plugin. I think for certbot you might be able to use GitHub - laonan/certbot-dns-name-com: A certbot DNS plugin for name.com

2 Likes

I'm just pissed on godaddy so don't want to pay them a dime for my domain. And it is soon due for renewal.
Seems that ACME client I have should just work but I'll confirm once the domain transfer is complete. Anyway, thanks for hints!

2 Likes

Domain transfer completed. Official ACME client supports name.com. Just a small update to my shell scripts and all is working now as before. And seems to be a bit cheaper than godaddy as well. A pity they have managed it this way but so long godaddy.

3 Likes

This is really important information... Is there an article or source anywhere to verify this? I don't want to have to pay for discount domain club and have it not function. As a short term solution of course, long term it doesn't make sense to tie our business to a service that can restrict access or increase prices whenever they deem fit.

1 Like

@CameronWise I have also now received the following information from GoDaddy support and have asked them to update their API document to reflect this change. I have explained to them that thousands of certificate renewals will fail as a result of this change:

We have recently updated the account requirements to access parts of our production Domains API. As part of this update, access to these APIs are now limited:

Availability API: Limited to accounts with 50 or more domains
Management and DNS APIs: Limited to accounts with 10 or more domains and/or an active Discount Domain Club plan.

If you have lost access to these APIs, but feel you meet these requirements, please reply back with your account number and we will review your account and whitelist you if we have denied you access in error.

5 Likes

I'm continually surprised at how many people still end up using GoDaddy. They haven't been the cheapest registrar for years. Their website has always been clunky, user hostile, and an upselling nightmare. And their web hosting purposefully makes cert management tedious to scam people who don't know any better into paying for something that should be free. This is just another nail in the coffin.

But I also acknowledge that tech lethargy is a thing and switching providers often doesn't seem worth it just to save a few bucks a year.

7 Likes

This is the final nail in the coffin. Even though it's going to be an absolute pain, I am going to move my personal and business GoDaddy accounts away from them.

Emails through cPanel taking 2 hours to be delivered a lot of the time was becoming awkward for websites which use emails for MFA. But this is even more inconvenient.

Any recommendations for a decent alternative provider which has similar features? E.g. email aliases and forwarders without paying per user? Plus web space, databases etc of course.

I've always hated their "reward new customers" model rather than existing customers anyway.

Goodbye (possibly 10 years of) GoDaddy. Well done.

1 Like

In my humble opinion, trying to get all of those things directly from your domain registrar is part of the problem. Let your registrar just be your registrar. Find a separate DNS provider. Find a separate email provider. Find a separate web host or cloud provider. Individually, they'll all be much better than the bottom of the barrel offering from the registrar and there are so many more choices when you're not trying to bundle everything together like a cable TV plan.

6 Likes

It definitely appears as if GoDaddy API is broke...

Posh-ACME started failing, additionally the standard API test listed here on GoDaddys website is also failing with the same error as others are seeing.
https://developer.godaddy.com/getstarted

1 Like

A post was split to a new topic: Replacing GoDaddy API for DNS Challenge

To add a cherry on the top, my client is decided to pay for the Discount Domain Club, even tho I advised to migrate to Digitalocean. After 48 Hrs the API is still not working. Support ticket is raised, response time 72 Hrs. Bunch of certs are expired, and even some subdomains stopped resolving.

#timetoleavegodaddy

2 Likes