Unable to determine zone identifier for [mydomain]

Hello,
Though the topic has been raised several times, I can't work out a solution.
The command:
certbot certonly --dns-linode --dns-linode-credentials ~/.my.credentials -d '*.cartan.hopto.org'
returns the following.
Unable to determine zone identifier for cartan.hopto.org using zone names: ['cartan.hopto.org', 'hopto.org', 'org']

I've also tried with OVH plugin and got the exact same result.
Credential file for linode:
dns_linode_key = 4b394ba......
Credential file for OVH:
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = 9a5.....
dns_ovh_application_secret = 98......
dns_ovh_consumer_key = 5fbe.....

Also tried replacing ovh-eu by ovh-ca but the result is worse.

My domain is: cartan.hopto.org (No-IP dyn DNS to my home server)
Certbot version: 2.8.0
Webserver (config in progress so not up and running): Nginx 1.24.0
System host: Jail in TrueNAS 13.0

Would greatly appreciate some advice on how to move this forward, please.
Thanks!

1 Like

Why are you trying to use Linode or OVH DNS authentication, when neither of them hosts the dns for cartan.hopto.org? DNS for that domain is provided by no-ip.org, so that's where you should be making the DNS updates.

6 Likes
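An added illustration, not part of the original thread and not Certbot's or any plugin's own code: a simplified model of the lookup behind the error above. It assumes the plugin tries each parent name of the requested domain against the zones the API account hosts; the account zone list is constructed sample data.

```python
# Added illustration; not Certbot's or any DNS plugin's actual source.

def candidate_zone_names(domain):
    """Return zone-name guesses from most specific to the TLD."""
    labels = domain.rstrip(".").lower().split(".")
    if labels[0] == "*":  # a wildcard is validated at its parent name
        labels = labels[1:]
    return [".".join(labels[i:]) for i in range(len(labels))]


def challenge_record_name(domain):
    """Name of the TXT record the DNS-01 challenge is published under."""
    return "_acme-challenge." + candidate_zone_names(domain)[0]


def find_zone(domain, account_zones):
    """Pick the first candidate that the API account actually hosts."""
    hosted = {z.rstrip(".").lower() for z in account_zones}
    guesses = candidate_zone_names(domain)
    for name in guesses:
        if name in hosted:
            return name
    # No candidate is hosted by this account: the provider cannot create
    # the TXT record, whatever credentials are supplied.
    raise LookupError(
        f"Unable to determine zone identifier for {guesses[0]} "
        f"using zone names: {guesses}"
    )


if __name__ == "__main__":
    # Constructed sample data: zones a hypothetical provider account hosts.
    account_zones = ["example.net", "example.org"]
    print(challenge_record_name("*.cartan.hopto.org"))
    try:
        find_zone("*.cartan.hopto.org", account_zones)
    except LookupError as err:
        print(err)
    # Same lookup for a name whose parent zone the account does host.
    print(find_zone("www.example.net", account_zones))
```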

Ah!.... short answer is because I don't fully grasp everything I'm doing here.
I thought the certifying (OVH or Linode or others) entity for the purpose of SSL could be different from the hosting one.

... From your answer, I understand it is not the case. In which circumstance, I have 2 options:
1/ since there is no plugin for Certbot for No-IP, do a manual config
2/ switch to OVH, Linode or other to provide me with the dynamic DNS service I need.
I will try those routes and report.
Please do let me know if I'm not heading in the right direction.

Thank you!

1 Like

Do you require a wildcard cert?
[if not, things could get a lot simpler]

2 Likes

It is my humble objective, yes.
The reason being that I'm trying to have both a Nextcloud service and a Piwigo service on my home (TrueNAS) server, both being protected behind a reverse proxy (Nginx) server.
That set-up being what I understood as recommended in the (very good, I think) guide by Samuel Dowling:
https://www.samueldowling.com/2020/07/24/install-nextcloud-on-freenas-iocage-jail-with-hardened-security/

I've already had the Nextcloud version without the reverse proxy up and running very well for 2 years, but am now upgrading the Nextcloud version and thought I'd give the reverse proxy arrangement a try.

Found the solution, thanks to:

sudo certbot certonly --manual --preferred-challenges dns -d <yourdomain>

Then copy/paste the key given by Certbot into a record on the no-ip interface as described in that website.
The auto-renewal process seems like the next challenge, but one step at a time!

Thanks for your help and pointing out my errors & misunderstandings.
I'll switch this to resolved.
Cheers!

2 Likes
