Nothing that seems useful to me. I did try to retrieve a cert (certbot -v certonly ...) just in case in case 'certbot plugins' is/was not reliable. Log file shows:
2023-05-19 09:26:25,092:DEBUG:certbot._internal.main:certbot version: 2.5.0
2023-05-19 09:26:25,093:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-05-19 09:26:25,093:DEBUG:certbot._internal.main:Arguments: ['-v', '--authenticator', 'dns-hetzner']
2023-05-19 09:26:25,093:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-05-19 09:26:25,102:DEBUG:certbot._internal.log:Root logging level set at 20
2023-05-19 09:26:25,102:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-hetzner and installer None
2023-05-19 09:26:25,102:DEBUG:certbot._internal.plugins.selection:No candidate plugin
2023-05-19 09:26:25,102:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in <module>
File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1864, in main
return config.func(config, plugins)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1578, in certonly
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/selection.py", line 255, in choose_configurator_plugins
diagnose_configurator_problem("authenticator", req_auth, plugins)
File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/selection.py", line 373, in diagnose_configurator_problem
certbot.errors.PluginSelectionError: The requested dns-hetzner plugin does not appear to be installed
2023-05-19 09:26:25,104:ERROR:certbot._internal.log:The requested dns-hetzner plugin does not appear to be installed
So I found a workaround. After much poking around here are the steps that got me to a mostly working solution. Not sure how to handle automated renewals just yet. I'm posting hopefully enough detail to help others whose searches may end up here and/or someone who might be able to create a more permanent solution.
In fact in the file .../disco.py in the function find_all I found the line: plugin_paths_string = os.getenv('CERTBOT_PLUGIN_PATH')
Hmmm, does 'CERTBOT_PLUGIN_PATH' exist?
So: export CERTBOT_PLUGIN_PATH=/usr/local/lib/python3.9/site-packages/
Description: Obtain certificates using a DNS TXT record (if you are using
Hetzner for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-hetzner = certbot_dns_hetzner.dns_hetzner:Authenticator
And certbot -v certonly --authenticator dns-hetzner --dns-hetzner-credentials /etc/hetzner.ini -d '...'
Out of curiosity, I added this after line 182: print(sys.path)
Then in another terminal that does not have CERTBOT_PLUGIN_PATH set: certbot plugins ['/usr/bin', '/usr/lib64/python39.zip', '/usr/lib64/python3.9', '/usr/lib64/python3.9/lib-dynload', '/usr/lib64/python3.9/site-packages', '/usr/lib/python3.9/site-packages']
For some reason that path is different from what I see in the shell. Hmmm I also dunno what's going on.
Ok - one last tidbit of info on this topic. The first line of /usr/bin/certbot is: #! /usr/bin/python3 -s
From man python:
COMMAND LINE OPTIONS
-s Don't add user site directory to sys.path.
The certbot version in Rocky 8.x does not have the -s switch in /usr/bin/certbot. I'm assuming the certbot devs had a reason to add -s. At least I'll sleep better tonight having a better idea of what's happening.
That's probably put there by the package maintainers. In the snapcraft file from Certbot I see they also use the -s option for the Certbot command for snap it looks like. But in the pip installed Certbot there's no such option. So it seems to differ.
As far as I can tell, this issue is new in EPEL9. The -s flag is not present in the EPEL8 package.
In general, mixing OS Python packages and pip ones is a bad idea. Using the official pip instructions is recommended here, or picking a plugin which has an installation method that matches your Certbot installation method.
Yeah am very much aware of the pitfalls of mixing OS and pip installs, as a rule I NEVER do it for production servers. Unfortunately we have many servers NOT hosted on Hetzner for which EPEL dns plugins do exist. So this is a bit of an exploration with the goal of maintaining commonality amongst servers to the extent possible.