Problem renewing certificate using DNS-01 with Njalla domain

Hi, I was having problems renewing mail.parham.dev using HTTP-01 (I had used the workaround.org guide; this page is about generating the certificate: https://workaround.org/ispmail-bookworm/creating-a-tls-encryption-key-and-certificate), and it seemed certbot was not able to find the ACME challenge for this subdomain, so I decided to switch to DNS-01 for my domain and subdomains (parham.dev, www.parham.dev, mail.parham.dev and memos.parham.dev).
Now I get the error message mentioned below for all of them. (I am also using the certbot-dns-njalla plugin: https://github.com/chaptergy/certbot-dns-njalla)
What should I do?
I am fine with using HTTP-01 if it works too.

My domain is: parham.dev

I ran this command:
certbot renew --dry-run -a dns-njalla --dns-njalla-credentials /etc/letsencrypt/njalla.ini

It produced this output:
Unexpected error determining zone identifier for parham.dev: 403: Permission denied.

My web server is (include version): Apache/2.4.62 (Debian)

The operating system my web server runs on is (include version): Debian 12.8

My hosting provider, if applicable, is: aéza

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.0.1

I assume this error is reported from the Njalla API and it suggests your credentials are not providing permission for the domain parham.dev.

Or it might be a Certbot error not being able to perhaps read the credentials file, not sure. Can you please provide the entire output of Certbot?

2 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/mail.parham.dev.conf

Simulating renewal of an existing certificate for mail.parham.dev
Failed to renew certificate mail.parham.dev with error: Unexpected error determining zone identifier for mail.parham.dev: 403: Permission denied.

Processing /etc/letsencrypt/renewal/memos.parham.dev.conf

Simulating renewal of an existing certificate for memos.parham.dev
Failed to renew certificate memos.parham.dev with error: Unexpected error determining zone identifier for memos.parham.dev: 403: Permission denied.

Processing /etc/letsencrypt/renewal/parham.dev.conf

Simulating renewal of an existing certificate for parham.dev and www.parham.dev
Failed to renew certificate parham.dev with error: Unexpected error determining zone identifier for www.parham.dev: 403: Permission denied.

All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mail.parham.dev/fullchain.pem (failure)
  /etc/letsencrypt/live/memos.parham.dev/fullchain.pem (failure)
  /etc/letsencrypt/live/parham.dev/fullchain.pem (failure)

3 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

This is the log:

2024-11-24 00:37:23,875:DEBUG:certbot._internal.main:certbot version: 2.1.0
2024-11-24 00:37:23,876:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-11-24 00:37:23,876:DEBUG:certbot._internal.main:Arguments: ['-q', '--no-random-sleep-on-renew']
2024-11-24 00:37:23,876:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-11-24 00:37:23,882:DEBUG:certbot._internal.log:Root logging level set at 40
2024-11-24 00:37:23,883:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/mail.parham.dev.conf
2024-11-24 00:37:23,887:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f415d57bb90> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f415d57bb90>
2024-11-24 00:37:23,893:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): e5.o.lencr.org:80
2024-11-24 00:37:24,103:DEBUG:urllib3.connectionpool:http://e5.o.lencr.org:80 "POST / HTTP/1.1" 200 345
2024-11-24 00:37:24,104:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/mail.parham.dev/cert1.pem is signed by the certificate's issuer.
2024-11-24 00:37:24,106:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/mail.parham.dev/cert1.pem is: OCSPCertStatus.GOOD
2024-11-24 00:37:24,110:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-11-24 00:37:24,110:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2024-11-24 00:37:24,110:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/memos.parham.dev.conf
2024-11-24 00:37:24,111:DEBUG:certbot._internal.cli:Var post_hook=systemctl restart postfix dovecot apache2 (set by user).
2024-11-24 00:37:24,113:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): e5.o.lencr.org:80
2024-11-24 00:37:24,321:DEBUG:urllib3.connectionpool:http://e5.o.lencr.org:80 "POST / HTTP/1.1" 200 344
2024-11-24 00:37:24,321:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/memos.parham.dev/cert1.pem is signed by the certificate's issuer.

Can you perhaps post the entire log? This seems to be only the top of it. Maybe you can rename it to a .txt file and upload it to your post, if you have enough user rights on the Community?

Yeah sure
my_log.txt (1.0 MB)
Here it is
Thank you for helping

1 Like

The last attempts in your log seem to be, I think, caused by:

2024-11-30 12:00:10,818:DEBUG:root:Override resolved zone name because --delegated option is set: www.parham.dev

The zone name is probably just parham.dev, but for some reason, for the subdomains, the zone name is overridden to the full hostname including the subdomain, which is not the zone name. Do you recognise this --delegated option from somewhere?

I also see stuff like this in the log:

File "/opt/certbot/lib/python3.11/site-packages/certbotdelegated option is set: mail.parham.dev

But I have no clue what this certbotdelegated package is..? Although that log entry is just once in the total log and also from earlier..

Hm, it might be a Lexicon/Certbot-thing:

Not sure how related this --delegated is actually now..

1 Like
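To make the diagnosis above concrete, here is an added example (not code from certbot, the certbot-dns-njalla plugin or Lexicon) that models how a DNS-01 authenticator picks the zone for a hostname. It walks the candidate zones from most to least specific and asks a simulated provider for each one, then shows what happens when the zone name is forced to the full hostname, as the "Override resolved zone name because --delegated option is set" line in the log does. The account's zone set, the error strings and the provider call are constructed assumptions; the hostnames are the ones from the thread.

```python
"""Added example: zone resolution for DNS-01, and why forcing the zone to the
full hostname yields a 'permission denied' style failure.
Not the plugin's own code; the provider behaviour below is a stand-in."""
from typing import Dict, List, Optional, Set

# Constructed assumption: the API credentials can manage only the apex zone,
# which is the usual shape of a single-domain registrar account.
ACCOUNT_ZONES: Set[str] = {"parham.dev"}


class ZonePermissionError(Exception):
    """Raised when the simulated provider answers 403 for a zone request."""


def candidate_zones(hostname: str) -> List[str]:
    """Zone names a resolver would try for hostname, most specific first.
    A bare TLD is never a candidate."""
    labels = hostname.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def lookup_zone_identifier(zone: str, account_zones: Set[str]) -> str:
    """Simulated provider call: succeeds only for zones the credentials own,
    otherwise mimics the 403 seen in the thread."""
    if zone not in account_zones:
        raise ZonePermissionError("403: Permission denied")
    return zone


def resolve_zone(hostname: str, account_zones: Set[str],
                 delegated: Optional[str] = None) -> str:
    """Walk the candidates until the provider accepts one.
    If delegated is set, the walk is skipped and only that name is tried,
    which is what a '--delegated' style override does."""
    tries = [delegated] if delegated else candidate_zones(hostname)
    last_error: Optional[Exception] = None
    for zone in tries:
        try:
            return lookup_zone_identifier(zone, account_zones)
        except ZonePermissionError as exc:
            last_error = exc
    raise ZonePermissionError(
        f"Unexpected error determining zone identifier for {hostname}: {last_error}")


def challenge_record(hostname: str, zone: str) -> str:
    """Relative name of the _acme-challenge TXT record inside zone."""
    if hostname == zone:
        return "_acme-challenge"
    suffix = "." + zone
    full = f"_acme-challenge.{hostname}"
    if not full.endswith(suffix):
        raise ValueError(f"{hostname} is not inside zone {zone}")
    return full[:-len(suffix)]


def diagnose(hostnames: List[str], account_zones: Set[str],
             delegated_overrides: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Per hostname: the resolved zone and record name, or the error text."""
    results: Dict[str, str] = {}
    for host in hostnames:
        override = (delegated_overrides or {}).get(host)
        try:
            zone = resolve_zone(host, account_zones, delegated=override)
            results[host] = f"zone={zone} record={challenge_record(host, zone)}"
        except ZonePermissionError as exc:
            results[host] = str(exc)
    return results


if __name__ == "__main__":
    hosts = ["parham.dev", "www.parham.dev", "mail.parham.dev", "memos.parham.dev"]
    print("normal zone walk:")
    for h, r in diagnose(hosts, ACCOUNT_ZONES).items():
        print(f"  {h}: {r}")
    print("zone forced to the full hostname (the pattern in the thread's log):")
    for h, r in diagnose(hosts, ACCOUNT_ZONES, {h: h for h in hosts}).items():
        print(f"  {h}: {r}")
```

With the normal walk every hostname lands in zone parham.dev and the TXT record name is relative to it (for example _acme-challenge.mail). With the zone forced to the full hostname only the apex succeeds and the three subdomains fail with exactly the message pattern shown in the dry run, which is why an unexpected override is worth ruling out before suspecting the credentials themselves.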

Thank you :pray:
Unfortunately I couldn't solve the issue; I am going to try asking for help resolving the error with the HTTP-01 solution. At least all but one subdomain work in that case :grin: