Nginx PM - Ionos - renew failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wiki.labor-habermehl.de

I ran this command: certbot --config /etc/letsencrypt.ini --work-dir /tmp/letsencrypt-lib --logs-dir /tmp/letsencrypt-log --cert-name npm-32 --agree-tos --email chris@ueba3ba.de --domains wiki.labor-habermehl.de --authenticator dns-ionos --dns-ionos-credentials /etc/letsencrypt/credentials/credentials-32

It produced this output:

2024-10-01 09:58:25,695:DEBUG:certbot._internal.main:certbot version: 2.11.0
2024-10-01 09:58:25,696:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-10-01 09:58:25,696:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-32', '--agree-tos', '--email', 'chris@ueba3ba.de', '--domains', 'wiki.labor-habermehl.de', '--authenticator', 'dns-ionos', '--dns-ionos-credentials', '/etc/letsencrypt/credentials/credentials-32']
2024-10-01 09:58:25,696:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-ionos,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-10-01 09:58:25,709:DEBUG:certbot._internal.log:Root logging level set at 30
2024-10-01 09:58:25,710:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-ionos and installer None
2024-10-01 09:58:25,710:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-ionos
Description: Obtain certificates using a DNS TXT record (if you are using IONOS for DNS).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='dns-ionos', value='certbot_dns_ionos.dns_ionos:Authenticator', group='certbot.plugins')
Initialized: <certbot_dns_ionos.dns_ionos.Authenticator object at 0x7fc783dd2a90>
Prep: True
2024-10-01 09:58:25,710:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_ionos.dns_ionos.Authenticator object at 0x7fc783dd2a90> and installer None
2024-10-01 09:58:25,710:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-ionos, Installer None
2024-10-01 09:58:25,758:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1186170437', new_authzr_uri=None, terms_of_service=None), 62fa970a6ab5b5ad6cf1fd18bee7c3be, Meta(creation_dt=datetime.datetime(2023, 7, 2, 0, 51, 29, tzinfo=), creation_host='de8e78ee0e4e', register_to_eff=None))>
2024-10-01 09:58:25,759:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-10-01 09:58:25,761:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-10-01 09:58:26,194:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 746
2024-10-01 09:58:26,195:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 01 Oct 2024 07:58:26 GMT
Content-Type: application/json
Content-Length: 746
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"8Wcv8W_VlYs": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2024-10-01 09:58:26,196:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for wiki.labor-habermehl.de
2024-10-01 09:58:26,202:DEBUG:acme.client:Requesting fresh nonce
2024-10-01 09:58:26,202:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2024-10-01 09:58:26,338:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2024-10-01 09:58:26,339:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 01 Oct 2024 07:58:26 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: PqaU5B9Mec_Mg2x-5AboDtn4-b1IdPzINC6T0AxPs5fE8oTH67U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2024-10-01 09:58:26,339:DEBUG:acme.client:Storing nonce: PqaU5B9Mec_Mg2x-5AboDtn4-b1IdPzINC6T0AxPs5fE8oTH67U
2024-10-01 09:58:26,340:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "wiki.labor-habermehl.de"\n }\n ]\n}'
2024-10-01 09:58:26,343:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE4NjE3MDQzNyIsICJub25jZSI6ICJQcWFVNUI5TWVjX01nMngtNUFib0R0bjQtYjFJZFB6SU5DNlQwQXhQczVmRThvVEg2N1UiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
"signature": "mumNFxUFMKZrqal82Xg3jt2qAkDjq3RhAaQB5Yxo8vKI8_l-Cslwne9ifTRxGJqqHvSdfUdYXUiBbkyic7vlU2ZUINBXiQYyu5nhPIN4cYv627I4VoPSRKeIgLwSp0VjHMZTPkxf-tYfDigS2wYIC3PKMUZ6Wy4SOsbYFhl-BQHN16JUB1uZOQn1-qaVW3gzNu09iv3P2NIOXMjoZjL23c6Q3p0g76s1Leni3aL2bv7IldMzEEOPv8rI_I_49EStaZtXvOk32OU3XMmu0K6mtp8do2IwS4RTDyNzUaKIYm7fXQxC82Z3swWRBAv5owxzboOmqu3dGPFxtmudRPkQjg",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIndpa2kubGFib3ItaGFiZXJtZWhsLmRlIgogICAgfQogIF0KfQ"
}
2024-10-01 09:58:26,523:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 349
2024-10-01 09:58:26,524:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Tue, 01 Oct 2024 07:58:26 GMT
Content-Type: application/json
Content-Length: 349
Connection: keep-alive
Boulder-Requester: 1186170437
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1186170437/309761701677
Replay-Nonce: A3ydJM1FLjUM8NShq-YlhZg62AEfb9W5PhK_ilINftl5vGbM3kE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2024-10-08T07:14:14Z",
"identifiers": [
{
"type": "dns",
"value": "wiki.labor-habermehl.de"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/410401051317"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1186170437/309761701677"
}
2024-10-01 09:58:26,525:DEBUG:acme.client:Storing nonce: A3ydJM1FLjUM8NShq-YlhZg62AEfb9W5PhK_ilINftl5vGbM3kE
2024-10-01 09:58:26,525:DEBUG:acme.client:JWS payload:
b''
2024-10-01 09:58:26,528:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/410401051317:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE4NjE3MDQzNyIsICJub25jZSI6ICJBM3lkSk0xRkxqVU04TlNocS1ZbGhaZzYyQUVmYjlXNVBoS19pbElOZnRsNXZHYk0za0UiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzQxMDQwMTA1MTMxNyJ9",
"signature": "hR5ncgHORN3ArSoWKmKRjRGsmA1MWe2miAiNTbMiJXeLQJ4PpJretCM6qLrBPSAlHQJwCE4FfonHNTs2Xy8j4VESBX1iwNpDfj47bxe7DftOeX24sB82AW54v7nQBL7F880pkAfGjfJzTIE_h8C-0gAtOZtTICKrpqto2_9l99kwK95GEBhuOyR55OGPmayi4HJsPnE8J7U3Jx0PsdbkZOnMgq7_TIYVTY6dEiB6lWD9NqaJVmsZausRwuw8vtMQRK2X9MQzryC6X7mfS5V8ImD4DrFSD4RSuEYvGrqjImvdzuuxk7blxkbLG1OZiKIq3cMI_tlktTTX8Rx8Gmz9Fg",
"payload": ""
}
2024-10-01 09:58:26,678:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/410401051317 HTTP/1.1" 200 807
2024-10-01 09:58:26,679:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 01 Oct 2024 07:58:26 GMT
Content-Type: application/json
Content-Length: 807
Connection: keep-alive
Boulder-Requester: 1186170437
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: A3ydJM1Fy3qqE7TIhc_aqvNFyuqaLMQ93X_WwqbY92ZE0YIw1aw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "wiki.labor-habermehl.de"
},
"status": "pending",
"expires": "2024-10-08T07:14:14Z",
"challenges": [
{
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/410401051317/MvRcRw",
"status": "pending",
"token": "g_UL6UPKNU0Fkv0s8iJp_i_pB_XB-Lyh0fY1CCXARgE"
},
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/410401051317/sPrykA",
"status": "pending",
"token": "g_UL6UPKNU0Fkv0s8iJp_i_pB_XB-Lyh0fY1CCXARgE"
},
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/410401051317/dFwOmA",
"status": "pending",
"token": "g_UL6UPKNU0Fkv0s8iJp_i_pB_XB-Lyh0fY1CCXARgE"
}
]
}
2024-10-01 09:58:26,679:DEBUG:acme.client:Storing nonce: A3ydJM1Fy3qqE7TIhc_aqvNFyuqaLMQ93X_WwqbY92ZE0YIw1aw
2024-10-01 09:58:26,680:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-10-01 09:58:26,681:INFO:certbot._internal.auth_handler:dns-01 challenge for wiki.labor-habermehl.de
2024-10-01 09:58:26,682:DEBUG:certbot_dns_ionos.dns_ionos:_perform called with: domain: wiki.labor-habermehl.de, validation_name: _acme-challenge.wiki.labor-habermehl.de, validation: OKkoadfLe1U3OM_3605WpOhVdTDjxMGHVkFEyYtLDxs
2024-10-01 09:58:26,683:DEBUG:certbot_dns_ionos.dns_ionos:creating ionosclient
2024-10-01 09:58:26,683:DEBUG:certbot_dns_ionos.dns_ionos:get zones
2024-10-01 09:58:26,684:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.hosting.ionos.com:443
2024-10-01 09:58:26,847:DEBUG:urllib3.connectionpool:https://api.hosting.ionos.com:443 "GET /dns/v1/zones HTTP/1.1" 401 41
2024-10-01 09:58:26,847:DEBUG:certbot_dns_ionos.dns_ionos:API request to URL: https://api.hosting.ionos.com/dns/v1/zones
2024-10-01 09:58:26,849:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
resps = self.auth.perform(achalls)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/plugins/dns_common.py", line 76, in perform
self._perform(domain, validation_domain_name, validation)
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_ionos/dns_ionos.py", line 52, in _perform
self._get_ionos_client().add_txt_record(
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_ionos/dns_ionos.py", line 153, in add_txt_record
zone_id, zone_name = self._find_managed_zone_id(domain)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_ionos/dns_ionos.py", line 90, in _find_managed_zone_id
zones = self._api_request(type='get', action="/dns/v1/zones")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_ionos/dns_ionos.py", line 125, in _api_request
content = json.loads(resp.content)[0] # on error content is array with 1 element
~~~~~~~~~~~~~~~~~~~~~~~~^^^
KeyError: 0

2024-10-01 09:58:26,849:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-10-01 09:58:26,849:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-10-01 09:58:26,849:DEBUG:certbot_dns_ionos.dns_ionos:creating ionosclient
2024-10-01 09:58:26,849:DEBUG:certbot_dns_ionos.dns_ionos:get zones
2024-10-01 09:58:26,850:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.hosting.ionos.com:443
2024-10-01 09:58:27,046:DEBUG:urllib3.connectionpool:https://api.hosting.ionos.com:443 "GET /dns/v1/zones HTTP/1.1" 401 41
2024-10-01 09:58:27,047:DEBUG:certbot_dns_ionos.dns_ionos:API request to URL: https://api.hosting.ionos.com/dns/v1/zones
2024-10-01 09:58:27,047:ERROR:certbot._internal.error_handler:Encountered exception during recovery: KeyError: 0
2024-10-01 09:58:27,048:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in
sys.exit(main())
^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
resps = self.auth.perform(achalls)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/plugins/dns_common.py", line 76, in perform
self._perform(domain, validation_domain_name, validation)
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_ionos/dns_ionos.py", line 52, in _perform
self._get_ionos_client().add_txt_record(
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_ionos/dns_ionos.py", line 153, in add_txt_record
zone_id, zone_name = self._find_managed_zone_id(domain)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_ionos/dns_ionos.py", line 90, in _find_managed_zone_id
zones = self._api_request(type='get', action="/dns/v1/zones")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_ionos/dns_ionos.py", line 125, in _api_request
content = json.loads(resp.content)[0] # on error content is array with 1 element
~~~~~~~~~~~~~~~~~~~~~~~~^^^
KeyError: 0
2024-10-01 09:58:27,051:ERROR:certbot._internal.log:An unexpected error occurred:
2024-10-01 09:58:27,051:ERROR:certbot._internal.log:KeyError: 0

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 22.04.4 (GNU/Linux 5.15.0-102-generic x86_64)

Docker version 24.0.7, build 24.0.7-0ubuntu2~22.04.1

My hosting provider, if applicable, is: Ionos

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello dear forum.

I have a problem with Nginx Proxy Manager and Ionos DNS Challenge.

I have updated to the latest version 2.11.3.
With this version I can no longer create and renew certificates.

This still worked with the old version. Unfortunately, I didn't make a note of which version I had previously installed.

Which version of what exactly? Certbot is at 2.11.0 currently.

If you're having problems with NPM specifically, please refer to an NPM support channel. The volunteers here don't have much (or any for that matter I believe) experience with NPM and it's usually hard to debug. Although it's great you've managed to get and post the Certbot log.

Speaking about the log:

This error seems to be coming from the following piece of code in the certbot-dns-ionos plugin:

(Please note that the certbot-dns-ionos plugin is a third party plugin and is NOT maintained by the Certbot team.)

That part of the code is only run when the response of the IONOS API is NOT a HTTP 200, so the IONOS API returned a different status code.

Unfortunately the plugin seems to be written rather poorly to handle this specific problem. I have no clue what the actual contents of the API response was. The plugin just makes some assumptions.

There is an issue (Exception while handling ionos API error · Issue #24 · helgeerbe/certbot-dns-ionos · GitHub) in the plugin's repo that mentions exactly this problem. And that issue suggests one of the possible reasons for hitting this key error is if the API returns a "missing or invalid API key" error.

Are you absolutely sure you have set up your IONOS account and NPM correctly for API access?

1 Like
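Added example (not part of the thread and not the plugin's own code): the traceback shows the error path indexing the parsed body with `[0]`, which raises `KeyError: 0` when the body is a JSON object instead of an array and hides the real 401. The sketch below reproduces that and shows a shape-tolerant alternative; the function names and all sample bodies are constructed, since the log does not show the actual response content.

```python
import json

# Constructed sample bodies; the real 401 body is not shown in the log.
OBJECT_BODY = b'{"message": "constructed sample: unauthorized"}'
ARRAY_BODY = b'[{"code": "SAMPLE_CODE", "message": "constructed sample"}]'
HTML_BODY = b"<html>constructed gateway error</html>"


def legacy_error_element(body: bytes):
    """Same indexing as the line in the traceback: assumes a JSON array."""
    return json.loads(body)[0]


def describe_api_error(status_code: int, body: bytes) -> str:
    """Build a readable message from a non-200 response of any shape."""
    try:
        parsed = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        # Not JSON at all (proxy page, empty body, ...): show a short excerpt.
        text = body.decode("utf-8", errors="replace").strip()
        return f"HTTP {status_code}: non-JSON body: {text[:200]!r}"

    # Normalise "one object" and "array of objects" to a list.
    items = parsed if isinstance(parsed, list) else [parsed]
    parts = []
    for item in items:
        if isinstance(item, dict):
            code = item.get("code")
            msg = item.get("message") or json.dumps(item, sort_keys=True)
            parts.append(f"{code}: {msg}" if code else str(msg))
        else:
            parts.append(str(item))
    detail = "; ".join(parts) or "empty body"

    hint = ""
    if status_code in (401, 403):
        # Authentication failures point at the credentials, not at certbot.
        hint = " (check that the API key in the credentials file still exists and is valid)"
    return f"HTTP {status_code}: {detail}{hint}"


if __name__ == "__main__":
    try:
        legacy_error_element(OBJECT_BODY)
    except KeyError as exc:
        print("legacy handling raised KeyError:", exc)
    for status, body in ((401, OBJECT_BODY), (400, ARRAY_BODY), (502, HTML_BODY)):
        print(describe_api_error(status, body))
```

With handling like this, the certbot log would have shown the HTTP status and message directly instead of a secondary `KeyError`.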

Thanks for the reply.

My Certbot Version is certbot 2.11.0

Are you absolutely sure you have set up your IONOS account and NPM correctly for API access?

Yes, it worked in an old version of Nginx PM

1 Like

Was able to solve the problem.
It was actually due to the Ionos API.

My key has disappeared. I created a new one and it works.

Thank you very much.

3 Likes