Problem with certbot-dns-acmedns plugin

Something weird and I am unable to figure out what is wrong.

I am trying to get the plugin for certbot and acme-dns working. I followed your instructions at

It seems I have done something wrong. But this is what certbot says:

# certbot plugins --text
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* dns-acmedns
Description: Obtain certificates using a DNS TXT record (if you are using
ACME-DNS for DNS.)
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='dns-acmedns',
value='certbot_dns_acmedns.dns_acmedns:Authenticator', group='certbot.plugins')

* standalone
Description: Runs an HTTP server locally which serves the necessary validation
files under the /.well-known/acme-challenge/ request path. Suitable if there is
no HTTP server already running. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='standalone',
value='certbot._internal.plugins.standalone:Authenticator',
group='certbot.plugins')

* webroot
Description: Saves the necessary validation files to a
.well-known/acme-challenge/ directory within the nominated webroot path. A
seperate HTTP server must be running and serving files from the webroot path.
HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot',
value='certbot._internal.plugins.webroot:Authenticator',
group='certbot.plugins')

Which seems ok. But:

# certbot certonly --dry-run --test-cert --authenticator certbot-dns-acmedns:dns-acmedns --certbot-dns-acmedns:dns-acmedns-credentials /etc/acmedns/acmedns-credentials.ini -vv --debug-challenges
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --certbot-dns-acmedns:dns-acmedns-credentials /etc/acmedns/acmedns-credentials.ini

So, the plugin is there, I am using the arguments as per instructions, but the argument isn't recognised.

I am running from a container, created with:

FROM python:alpine AS build

RUN apk update \
	&& apk upgrade \
	&& python3 -m venv /opt/certbot/ \
	&& /opt/certbot/bin/pip install --upgrade pip \
	&& /opt/certbot/bin/pip install certbot \
	&& /opt/certbot/bin/pip install certbot-dns-acmedns

# While experimenting:
WORKDIR /tmp
ADD https://github.com/acme-dns/acme-dns-client/releases/download/v0.3/acme-dns-client_0.3_linux_386.tar.gz acme-dns-client_0.3_linux_386.tar.gz
RUN tar xzvf acme-dns-client_0.3_linux_386.tar.gz

FROM python:alpine
COPY --from=build /opt/certbot /opt/certbot
COPY --from=build /tmp/acme-dns-client /opt/certbot/acme-dns-client
RUN ln -s /opt/certbot/bin/certbot /usr/bin/certbot

ENTRYPOINT [ "certbot" ]

(though I override the entrypoint while testing)

What is going wrong here?

You probably just need to use

--authenticator dns-acmedns --dns-acmedns-credentials

The whole dist_name:plugin_name format was removed in Certbot 2.0.0. Just using plugin_name will suffice.

Also, it's not really necessary to open a new thread for every slightly different issue you're having. It's fine to just have a single thread to get acme-dns working.

2 Likes
3 Likes
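
As an added illustration of the answer above (not code from the thread or from the Certbot project): a small Python helper that rewrites pre-2.0.0 `dist_name:plugin_name` spellings in a saved command line, such as one kept in a cron job or container entrypoint, to the plain `plugin_name` form. `normalize_certbot_args` is a hypothetical name; the sample input is the failing command from the question.

```python
import re
import shlex

# Pre-2.0.0 spelling of a third-party plugin option: --<dist_name>:<plugin_name>-<option>
LEGACY_FLAG = re.compile(r"^--[A-Za-z0-9_.-]+:([A-Za-z0-9-]+)$")
# Certbot options whose value is a plugin name.
SELECTORS = ("-a", "--authenticator", "-i", "--installer")

# The failing command from the question, used as sample input.
LEGACY_COMMAND = (
    "certbot certonly --dry-run --test-cert "
    "--authenticator certbot-dns-acmedns:dns-acmedns "
    "--certbot-dns-acmedns:dns-acmedns-credentials "
    "/etc/acmedns/acmedns-credentials.ini -vv --debug-challenges"
)

def _strip_dist(value):
    """'dist_name:plugin_name' -> 'plugin_name'; anything else is returned as is."""
    return value.split(":", 1)[1] if ":" in value else value

def normalize_certbot_args(argv):
    """Hypothetical helper: return (new_argv, changes) for Certbot >= 2.0.0."""
    out, changes = [], []
    value_is_plugin = False
    for arg in argv:
        new = arg
        if value_is_plugin:              # value following --authenticator / -a / ...
            new = _strip_dist(arg)
            value_is_plugin = False
        elif arg in SELECTORS:
            value_is_plugin = True
        elif arg.startswith("--"):
            flag, eq, value = arg.partition("=")
            if flag in SELECTORS:        # --authenticator=dist:plugin form
                value = _strip_dist(value)
            else:
                match = LEGACY_FLAG.match(flag)
                if match:                # --dist:plugin-option[=value] form
                    flag = "--" + match.group(1)
            new = flag + eq + value
        if new != arg:
            changes.append((arg, new))
        out.append(new)
    return out, changes

if __name__ == "__main__":
    fixed, changed = normalize_certbot_args(shlex.split(LEGACY_COMMAND))
    print(shlex.join(fixed))
```

The returned `changes` list records each rewritten argument, so a script can log what it altered before running the command.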

@griffin That's the downside of opening a new thread for every new little fart: those are already known with OP.

2 Likes

Quite true!

:face_with_monocle:

I shall need to retrieve the necessary equipment...

:white_check_mark: :school_satchel:
:white_check_mark: :closed_book:
:white_check_mark: :hammer:

3 Likes

I also don't know why the --manual hooks didn't suffice (GitHub - joohoi/acme-dns-certbot-joohoi: Certbot client hook for acme-dns).

Maybe I could check in one of the 12 previous threads, but that's too much work.

Also, the previous threads didn't use Docker I believe :thinking: Possibly complicating things further.

2 Likes

Yeah. Sorry. This felt like a different problem, though, and it was (change in certbot handling plugin parameters, how could I have known?). This was indeed the correct fix. And they're not 12 threads, maybe three in total. And I try to separate them if they look like separate problems.

It's been quite a difficult problem so far. Stuff like that acme-dns-client doesn't come with usable explanations for someone in my position (can understand tech, but needs full information, because guessing in tech is a poor way to find stuff out). acme-dns-client is also on my list.

I have three systems I need to get this running. The ACME plugin of OPNsense on the router that by design is independent from anything else on the LAN (still not working, why?), a Linux where everything by design is in docker containers. And a macOS system which I will not touch until the other two (or at least the Linux/docker combo) are working.

My acme-dns service is working now, though (as far as I can test it). /update works, DNS querying works.

1 Like

YEAH! Thank you Community Leaders and sorry to bother you, but after editing the old certbot form in the flags/parameters, my test run ends with:

Dry run: Skipping creating new lineage for rna.nl
Notifying user: The dry run was successful.
The dry run was successful.

:champagne:

3 Likes

I like to exaggerate a little bit :wink:

Yeah, there are unfortunately a lot of outdated guides on the web. Some just outdated, others outdated and just incorrect to begin with.

3 Likes

I must admit that my situation has quite a few complications. But especially the lack of clear information made it hard to simply do RTFM. I'm convinced now that macOS will not be a problem (same setup, but without Docker and FreeBSD-like instead of Linux).

The ACME plugin on OPNsense that uses acme.sh has a problem, though.