Key renewal on netcup server does not work on Debian Bullseye

My domain is:
ftv-spandau.de

I ran this command:

sudo /usr/bin/certbot --reuse-key renew

It produced this output:

sudo /usr/bin/certbot --reuse-key renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/ftv-spandau.de.conf


Renewal configuration file /etc/letsencrypt/renewal/ftv-spandau.de.conf (cert: ftv-spandau.de) produced an unexpected error: 'Namespace' object has no attribute 'certbot_dns_netcup:dns_netcup_propagation_seconds'. Skipping.


Processing /etc/letsencrypt/renewal/neuruppin-segelflug.de.conf


Renewal configuration file /etc/letsencrypt/renewal/neuruppin-segelflug.de.conf (cert: neuruppin-segelflug.de) produced an unexpected error: 'Namespace' object has no attribute 'certbot_dns_netcup:dns_netcup_propagation_seconds'. Skipping.


No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/ftv-spandau.de.conf (parsefail)
/etc/letsencrypt/renewal/neuruppin-segelflug.de.conf (parsefail)


0 renew failure(s), 2 parse failure(s)

My web server is (include version):
Apache 2.4.48-3.1+deb11u1

The operating system my web server runs on is (include version):
Debian 11

My hosting provider, if applicable, is:

https://www.netcup.de/

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

The renew command ran fine with Debian 10. On my other server running Debian 10 this problem does not show up.

It looks like your old server had the certbot-dns-netcup plugin installed but you haven't yet installed it on this new Bullseye server.


It is the same server, upgraded from Buster to Bullseye. So I expected the plugins would stay.

Anyway, now I did

sudo pip3 install certbot-dns-netcup

and retried the renew. Now I get:

Plugin legacy name certbot-dns-netcup:dns-netcup may be removed in a future version. Please use dns-netcup instead.
Plugins selected: Authenticator certbot-dns-netcup:dns-netcup, Installer None
Renewing an existing certificate for ftv-spandau.de and 7 more domains
Reusing existing private key from /etc/letsencrypt/live/ftv-spandau.de/privkey.pem.
Performing the following challenges:
dns-01 challenge for ftv-spandau.de
... (other subdomains)
Cleaning up challenges
Encountered exception during recovery: TypeError: delete_record() got an unexpected keyword argument 'type'
Failed to renew certificate ftv-spandau.de with error: create_record() got an unexpected keyword argument 'type'

If installing the plugin with pip, you may also need to manually downgrade dns-lexicon to <3.6.0, because there were some backwards-incompatible changes that took place in newer versions:

pip install "dns-lexicon<3.6.0"

@_az Is that something the developer(s) of certbot-dns-netcup could work around in their plugin? I.e., would it be helpful if @eehmke posted an issue at GitHub - coldfix/certbot-dns-netcup: netcup DNS Authenticator plugin for Certbot?

I am not at all sure what the best step here would be. The underlying issue is not relevant for Certbot >=1.16.0 because it got fixed in #8819.

I imagine the users who will encounter this will be deb/rpm users who mix OS packages with pip (because 3rd party DNS plugins are almost always unpackaged, no blame here). But doing that is always a source of problems.

Getting them to use the pip instructions might be slightly saner advice if they need to combine Certbot with 3rd party plugins, but all this stuff is likely going to look different long term.

Ah OK, I get it. Has been deprecated for over 2 years now. No need to "fix" that indeed.


Thanks, that helped! The renew worked now. Must I manually upgrade the dns-lexicon to newer versions later?


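A pre-flight check for the two failures in this thread (a renewal config naming a plugin that is no longer installed, and Certbot older than 1.16.0 together with dns-lexicon 3.6.0 or newer), as an added example that is not part of the original posts or of Certbot. The function names and `SAMPLE_CONF` are made up for illustration, and it assumes plugins are discovered through the `certbot.plugins` entry-point group; run it with the same Python interpreter that runs certbot.

```python
import pathlib, re
from importlib import metadata

# Constructed sample in the legacy "dist:plugin" form shown in the output above.
SAMPLE_CONF = """\
[renewalparams]
authenticator = certbot-dns-netcup:dns-netcup
certbot_dns_netcup:dns_netcup_propagation_seconds = 900
"""

def renewal_authenticator(conf_text):
    """Return the authenticator named in a renewal .conf, or None."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")  # '=' only: legacy keys contain ':'
        if sep and key.strip() == "authenticator":
            return value.strip()
    return None

def ver(text):  # '1.12.0' -> (1, 12, 0); enough for plain release numbers
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def audit(conf_text, plugins, certbot_ver, lexicon_ver):
    """Report which of the two failures from this thread apply to one config."""
    findings = []
    auth = renewal_authenticator(conf_text)
    if auth and auth.split(":")[-1] not in plugins:  # drop the legacy prefix
        findings.append(f"authenticator {auth} is not installed")
    if (certbot_ver and lexicon_ver
            and ver(certbot_ver) < (1, 16, 0) and ver(lexicon_ver) >= (3, 6, 0)):
        findings.append(f"certbot {certbot_ver} needs dns-lexicon<3.6.0, found {lexicon_ver}")
    return findings

def installed_state():
    """Plugin names and versions as seen by the running interpreter."""
    eps = metadata.entry_points()
    group = (eps.select(group="certbot.plugins") if hasattr(eps, "select")
             else eps.get("certbot.plugins", []))  # dict API on Python 3.8/3.9
    def version_of(dist):
        try:
            return metadata.version(dist)
        except metadata.PackageNotFoundError:
            return None
    return {ep.name for ep in group}, version_of("certbot"), version_of("dns-lexicon")

if __name__ == "__main__":
    state = installed_state()
    for path in sorted(pathlib.Path("/etc/letsencrypt/renewal").glob("*.conf")):
        for finding in audit(path.read_text(), *state):
            print(f"{path}: {finding}")
```

Running it before and after a distribution upgrade shows whether an unattended renewal would skip a certificate, since a parse failure leaves the old certificate in place until it expires.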