New cert fail - encountered exception during recovery

My domain is: ambassadeurs.com

I ran this command:

certbot certonly --authenticator dns-godaddy --dns-godaddy-credentials /opt/certbot/credentials.ini --keep-until-expiring --non-interactive --expand --server https://acme-v02.api.letsencrypt.org/directory -d 'ambassadeurs.com' -d '*.ambassadeurs.com' -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.7 support will be dropped in the next planned release of Certbot - please upgrade your Python version.
Plugins selected: Authenticator dns-godaddy, Installer None
Requesting a certificate for 6mayfair.com and *.6mayfair.com
Performing the following challenges:
dns-01 challenge for 6mayfair.com
dns-01 challenge for 6mayfair.com
Cleaning up challenges
Encountered exception during recovery: lexicon.exceptions.LexiconError: Could not find record matching type: TXT, name: _acme-challenge.6mayfair.com, content: a0zmTfeJnCYrVh-vg44_v885TCpoRPHLfA9bp3Pnsm0
Error adding TXT record: 422 Client Error: Unprocessable Entity for url: https://api.godaddy.com/v1/domains/6mayfair.com/records/TXT/_acme-challenge

Also, when curling "https://api.godaddy.com/v1/domains/6mayfair.com/records/TXT/_acme-challenge" I get the response "{"code":"MISSING_CREDENTIALS","message":"Unauthorized : Credentials must be specified"}(certbot) [root@ip-172-31-37-205 ec2-user]#"

My web server is (include version): wordpress 6.3.2

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.7.4

So it logs in to GoDaddy and adds/deletes records OK; it just can't retrieve the cert, and I'm stumped.
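A preflight check for the situation above, written as an added example (not certbot's or the plugin's own code): it reads the credentials file certbot is pointed at, refuses to use it when group/others can read it (the key can rewrite the whole zone), and issues the same authenticated GET against the `/records/TXT/_acme-challenge` endpoint that the error message names, so you can see what is already in the zone before certbot tries to add to it. The `dns_godaddy_key` / `dns_godaddy_secret` option names and the `sso-key` header format are assumptions about the plugin's credentials file and GoDaddy's API, not taken from this thread.

```python
"""Preflight for a certbot-dns-godaddy run (hypothetical helper, not part of certbot)."""
import configparser
import json
import os
import stat
import urllib.request

GODADDY_API = "https://api.godaddy.com/v1"


def parse_credentials_text(text):
    """Return (key, secret) from credentials.ini content. Assumes the plugin's
    option names dns_godaddy_key and dns_godaddy_secret (not from the thread)."""
    cp = configparser.ConfigParser()
    cp.read_string("[dns]\n" + text)  # file has no section header; add a dummy one
    return cp["dns"]["dns_godaddy_key"].strip(), cp["dns"]["dns_godaddy_secret"].strip()


def mode_is_private(mode):
    """True when no group/other permission bits are set (e.g. 0o600)."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def build_txt_request(zone, key, secret, name="_acme-challenge"):
    """Build the authenticated GET for the endpoint shown in certbot's 422 error:
    /v1/domains/{zone}/records/TXT/{name}. Unauthenticated, GoDaddy answers with
    401 MISSING_CREDENTIALS, which is what the curl in the post returned."""
    req = urllib.request.Request(f"{GODADDY_API}/domains/{zone}/records/TXT/{name}")
    req.add_header("Authorization", f"sso-key {key}:{secret}")  # assumed header format
    req.add_header("Accept", "application/json")
    return req


def list_challenge_records(zone, cred_path):
    """Live check: existing TXT records at _acme-challenge.<zone>."""
    if not mode_is_private(os.stat(cred_path).st_mode):
        raise PermissionError(f"{cred_path} is readable by group/others; chmod 600 it")
    with open(cred_path) as fh:
        key, secret = parse_credentials_text(fh.read())
    with urllib.request.urlopen(build_txt_request(zone, key, secret), timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for rec in list_challenge_records("ambassadeurs.com", "/opt/certbot/credentials.ini"):
        print(rec.get("name"), rec.get("data"))
```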

This command is for ambassadeurs.com but the error is for 6mayfair.com. How did that happen?

The error says the DNS TXT record could not be added. Which domain name are you talking about?

4 Likes

Hi @jamesj711, and welcome to the LE community forum 🙂

I see:

But I don't see which certificate (name) is being expanded.
Was there more input that hasn't been shown?

3 Likes

Hi Mike, so we use this method a lot and it's always worked fine. I did a test server last week and installed the ambassadeurs.com cert on that, but encountered this error when performing the same task on this server. My last attempt at troubleshooting/digging was to try with a different domain, in case the other install confused the issue. It didn't work with a different domain (6mayfair.com) either, so here I am.

Hi Rg, thanks! I've pasted the whole command that I used. We use the same command on previous servers fine; here it is again:

certbot certonly --authenticator dns-godaddy --dns-godaddy-credentials /opt/certbot/credentials.ini --keep-until-expiring --non-interactive --expand --server https://acme-v02.api.letsencrypt.org/directory -d 'ambassadeurs.com' -d '*.ambassadeurs.com'

1 Like

If you are going to --expand, there must be a cert to expand.
What does this show?
certbot certificates

4 Likes

I don't know, it's just the command we use and it's working on other servers, just not this one.

Looking at the debug from a successful server and comparing with this one, the good one uses python:

2023-11-08 11:59:27,535:DEBUG:filelock:Attempting to acquire lock 139725667050960 on /root/.cache/python-tldextract/3.7.16.final__certbot__45d1d6__tldextract-3.4.4/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock

Whereas the failed one uses lexicon (whatever that is):

2023-11-08 12:06:25,088:DEBUG:filelock:Attempting to acquire lock 140630620691920 on /root/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock

Both setups are exactly the same, though. Is this relevant?

Certbot is a python script.

How did you install Certbot on Amazon Linux 2? Because I don't believe the snap install works on that without great effort.

Did you install using a pip venv? Or some other method?

Last I looked, the version of Certbot in EPEL on AL2 was 1.12, but you show version 2.7.4.

3 Likes

We've used these commands to install certbot:

# create an isolated python environment for certbot purposes alone
python3 -m venv /opt/certbot

# Modify environment for the current shell only to make python modify
# the virtual environment and not your system libraries
source /opt/certbot/bin/activate

# needed an older version of urllib3 for this to work
pip install urllib3==1.26.6

# Install certbot
pip install certbot

# upgrade pip
/opt/certbot/bin/python3 -m pip install --upgrade pip

# install the GoDaddy DNS plugin
pip install certbot-dns-godaddy

Any idea why the failed server is using .lexicon_tld_set instead of python-tldextract?

Not sure that is currently accurate.
Which version of certbot were these instructions designed to work with?

Latest version shown: 2.0.7 [Oct 17, 2023]

3 Likes

Hi Guys,

Thanks for your help with this. I managed to fix this by downgrading the Certbot version from 2.7.x to 2.6.0, which is the same as on our other servers.

1 Like

Hmm... If it's just Certbot, you might have found a bug.

It would be helpful if you'd file a bug report as an issue on the Certbot GitHub repository, preferably with detailed logs from a working Certbot (2.6.0) and a non-working Certbot (2.7.x). It might also be useful to add the output of pip freeze from within the venv.

2 Likes