Unable to determine zone identifier for a NameCheap

Hello,

I've been trying to issue a certificate for the domain calamari-collator.polkadotters.com. The domain is hosted on NameCheap, the server is Ubuntu 20 LTS and I have full access to the machine. There's currently no web server as this is meant for a Prometheus metrics endpoint. So these are the steps I did:

  1. Added an A record to the NameCheap DNS configuration for calamari-collator.polkadotters.com (this is working)
  2. Generated an API token on NameCheap
  3. Installed certbot and successfully added the certbot_dns_namecheap plugin (GitHub: schubc/certbot_dns_namecheap, a Certbot plugin to provide dns-01 challenge support for namecheap.com)
  4. The command I am trying to issue is:
certbot certonly \
  --work-dir certbot/workdir \
  --logs-dir certbot/log \
  --config-dir certbot/config \
  -a certbot-dns-namecheap:dns-namecheap \
  --certbot-dns-namecheap:dns-namecheap-credentials namecheap.ini \
  --agree-tos \
  --email "ourmail@gmail.com" \
  -d calamari-collator.polkadotters.com \
  --test-cert

However, I am getting Unable to determine zone identifier for calamari-collator.polkadotters.com using zone names: ['calamari-collator.polkadotters.com', 'polkadotters.com', 'com'].

Certbot version is 0.40. I kinda got stuck here and I wonder whether the problem lies in the plugin or whether I need to define the zone on the side of NameCheap. Thanks a lot for any hints!
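
The error above lists the zone names that were tried, from the full host name up to the TLD. The following Python sketch is an added illustration of that kind of lookup, not code from Certbot or the plugin; `find_zone` and `visible_zones` are hypothetical names, and it assumes a candidate matches only when the API credentials can see that zone.

```python
"""Added sketch (not Certbot's or the plugin's code) of a zone lookup that
walks candidate zone names in the order the error message lists them."""


def zone_name_guesses(domain):
    """Return the name and each parent: a.b.com -> [a.b.com, b.com, com]."""
    labels = domain.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class ZoneLookupError(Exception):
    """Raised when none of the candidate zone names can be resolved."""


def find_zone(domain, visible_zones):
    """Pick the first candidate zone that the API credentials can see.

    visible_zones stands in for the provider's answer to "which domains does
    this API key manage?" (hypothetical input; a real client asks the API).
    """
    guesses = zone_name_guesses(domain)
    visible = {z.lower().rstrip(".") for z in visible_zones}
    for guess in guesses:
        if guess.lower() in visible:
            return guess
    raise ZoneLookupError(
        "Unable to determine zone identifier for {0} using zone names: {1}"
        .format(domain, guesses)
    )


if __name__ == "__main__":
    name = "calamari-collator.polkadotters.com"
    # Constructed case 1: credentials work and the account holds the zone.
    print(find_zone(name, ["polkadotters.com"]))
    # Constructed case 2: the API exposes no zones to this client (for
    # example a rejected key, an unlisted client IP, or another account).
    try:
        find_zone(name, [])
    except ZoneLookupError as exc:
        print(exc)
```

In this model the A record plays no part: the lookup fails purely on what the API credentials expose, which is why checking the key's rights and the IP whitelist is the first step.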

Did you see the discussion on this issue? There are a couple of suggestions there.

If you're not opposed to keeping port 80 open on your server's firewall, you could also use Certbot's --standalone mode and avoid having to interact with the Namecheap API.

1 Like

Certbot version is really old. (About as old as Ubuntu 20.04)

I'd double check the rights for your API key.

(Also: you probably don't need to use dns-01 validation)

Thanks for the reply - yeah, I have whitelisted the IP as well, forgot to mention that. Otherwise it seems that the solution was to wait for the API to kick in or else give up and try something else :)
Hmm, I don't usually like opening ports I don't need but I suppose this is the simplest workaround so I'll see, thanks for the suggestion.

1 Like

Hmm, ok, is it worth updating it? Yep, the key is correct and I have whitelisted the IP. What do you mean by the dns-01 validation? Sorry for such questions, I am kinda new to this :)

I don't know. But each key has different privileges.

As for opening ports, having your DNS credentials on your server is less secure than opening port 80, imho.

Ok, I'll try the standalone mode tomorrow, thanks

ACME challenges can be completed by HTTP-01 and DNS-01 validation.

In your situation, I strongly recommend HTTP-01:

  • Namecheap had - and possibly still has - a 5 minute read-through cache on their DNS systems. The only way I've been able to deal with acme records on their systems is to "sleep" for 301 seconds after updating a DNS record. If you use HTTP-01 validation, you don't have to deal with this.

  • Namecheap's API access has too many permissions by default and can be a security risk when used with Certbot, as the credentials can be used to transfer registration of your domain(s). You can eliminate this risk by creating a second namecheap account and granting that account only DNS permissions for your domains.

2 Likes

Perfect answer, thank you! Yeah, I've read about the permissions and was kinda worried about that. So the HTTP-01 seems to be the way :)

2 Likes
