Using 'NameSilo Let's Encrypt' with GitLab CI/CD

Hello,

I'm trying to use NameSilo Let's Encrypt with GitLab CI/CD to automate the SSL certificate renewal for my domain.

When I try to run the script, I get faced with this error:

./authenticator.py-hook command manual-auth exists, but is not executable.

And this warning:

WARNING: venv/bin/python: chmod venv/bin/python: no such file or directory (suppressing repeats)

I'm trying to run this from a virtual environment because at some point I got this message:

WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager.

Am I doing something wrong? I'm not knowledgeable about code and scripting at all, and have never used CI/CD before, so forgive me for my ignorance.

I would really appreciate your help! Thank you!

This is what my .gitlab-ci.yml looks like (not using example.com in the real one):

image: python:latest

stages:
  - build
  - test
  - deploy

variables:
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"

cache:
  paths:
    - .cache/pip
    - venv/

before_script:
  - pip install virtualenv
  - virtualenv venv
  - source venv/bin/activate

install:
  stage: build
  script:
    - pip install tldextract untangle
    - pip install certbot

renew:
  stage: test
  script:
    - certbot certonly --manual --email you@example.com --agree-tos --manual-public-ip-logging-ok --preferred-challenges=dns --manual-auth-hook ./authenticator.py --manual-cleanup-hook ./cleanup.py -d *.example.com -d example.com

success:
  stage: deploy
  script:
    - echo "SSL certificate renewed succesfully!"

Hello @rd1, welcome to the Let's Encrypt community. :slightly_smiling_face:

Have you met the requirements for GitHub - ethauvin/namesilo-letsencrypt: Automatically generate/renew Let's Encrypt certificates with Certbot on NameSilo DNS?
Such as the version of Python; see Set up a Python virtual environment on Certbot Instructions | Certbot

I see it uses Certbot; the current Certbot 1.32.0 Release.
Yet the NameSilo app is 3 years old; does it support ACME v2?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

2 Likes

Hi @rd1, and welcome to the LE community forum :slight_smile:

How can you successfully run that within an unattended script?

4 Likes

That message is confusing, in that I can't tell if the file name is:
./authenticator.py
OR
./authenticator.py-hook

The call seems to be to the .py named file.
The message states it does find the file, but the file can't be executed.
If that is indeed the actual problem, you may need to ask about such required file permission(s) in a python forum.

4 Likes

Hi @Bruce5051, thank you for your welcome and for your reply.

As far as I know, the scripts seem to work. As recently as of April this year, a now closed issue on GitHub indicates someone managed to use it with GitLab CI/CD successfully.

I have shared the commands used and the output errors and warnings. My provider is NameSilo, and the script uses API keys to issue the certificate.

Since this issue is about a particular function of the script itself, I do want to preserve the privacy of the domain I want to use it for.

Thank you so much once again.

3 Likes

Yet this is what I see on GitHub

Unfortunately, this may not be the best place to get support for that script.
If they provide older versions of the script, you might get better results there.

3 Likes

I agree that it is confusing. The file name is authenticator.py and it resides in the root folder of the repository where I'm running this pipeline from.

There are some posts in the community talking about the problem (here and here for instance), but I can't make heads or tails of it!

I wonder if there is something I should add to my .gitlab-ci.yml to make those files executable.

That is a very likely fix: Adding read/write/execute permissions to that location.
But the "how to" on that is best researched elsewhere - we're not fluent in yml here - LOL

4 Likes

Thank you @rg305
I will try to find out how to do that. I did post this topic on the GitLab CI/CD community, but haven't heard back from anyone yet.

2 Likes

I'd look for that - as a temporary workaround.

4 Likes

I agree with Rudy, YAML is just a terrible data-serialization language :stuck_out_tongue: Especially when it's combined with Docker! :stuck_out_tongue:

But all fun aside, I agree with Rudy (again): you probably need to make the scripts executable.

That other warning with venv/bin/python is very weird, because neither Certbot nor that script you're referring to uses chmod. So NO clue where it comes from. Especially because you're only showing the error itself without any context around it.

Rudy: I'm pretty sure the script is old enough :stuck_out_tongue: Hasn't been updated for 3 years.

5 Likes

hmm...

Well then, I'm all out of ideas!
LOL

3 Likes

Your chmod +x idea probably is good enough :wink:

4 Likes

@Osiris @rg305 Thank you for your input!

I will have a look again and let you know if I made any progress...

This is the context in which the chmod warning appears (it gets too confusing for me!):

Preparing the "docker+machine" executor  
Using Docker executor with image python:latest ...
Pulling docker image python:latest ...
Using docker image sha256:00cd1fb8bdcc67527e569dcdf5e4ad9d704b117eb961602804826281d641cac3 for python:latest with digest python@sha256:b941b836b18734f4992a168b579b7c16ff4c3b544782953eeab3a590a7338765 ... 
Preparing environment  
Running on runner-j2nyww-s-project-40996614-concurrent-0 via runner-j2nyww-s-shared-1668505538-657dbc2b...
Getting source from Git repository  
$ eval "$CI_PRE_CLONE_SCRIPT"
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/ccssl/ssl/.git/
Created fresh repository.
Checking out a0fbb94d as main...
Skipping Git submodules setup
Restoring cache
Checking cache for default-1-protected...
Downloading cache.zip from https://storage.googleapis.com/gitlab-com-runners-cache/project/40996614/default-1-protected 
WARNING: venv/bin/python: chmod venv/bin/python: no such file or directory (suppressing repeats)
Successfully extracted cache

@rg305 Indeed! Thank you. Managed to make it run by adding:

chmod +x ./ authenticator.py
chmod +x ./ cleanup.py

Now I have an issue with the certificate itself not being issued because the script doesn't appear to add any DNS record at all! It just hangs for about 40 minutes and fails with this message:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: xyz.com
  Type:   unauthorized
  Detail: Incorrect TXT record "eXVxqQJo7U-d6jxn1ua0t_KmB2tGDpmx1oXtFwqX1lM" found at _acme-challenge.xyz.com
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

I have opened an issue on GitHub hoping the author can shine some light into the issue.

What a headache this has become!

1 Like
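The failure above ("Incorrect TXT record ... found at _acme-challenge.xyz.com") is the hook returning before the authoritative answer shows the value certbot is about to ask the CA to check, or a record from an earlier run still being served. The snippet below is an added example, not code from this thread or from the namesilo-letsencrypt script: a propagation check that a --manual-auth-hook can run after it has created the record, so it only returns once the expected value is actually visible and reports a stale record distinctly from a missing one. It assumes certbot's documented hook environment variables CERTBOT_DOMAIN and CERTBOT_VALIDATION, and that dig is on the runner's PATH for the real lookup; the function names (challenge_name, wait_for_txt, run_hook) are my own.

```python
"""Propagation check for a certbot --manual-auth-hook (added example).

Assumptions: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the
hook; `dig` exists on PATH for the real lookup.  The lookup is injected so
the waiting logic can be exercised offline with a fake resolver.
"""
import os
import shutil
import subprocess
import time
from typing import Callable, Iterable, List, Tuple

Lookup = Callable[[str], Iterable[str]]


def challenge_name(domain: str) -> str:
    """TXT record name the CA validates; a wildcard shares its base name."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain


def dig_txt(name: str) -> List[str]:
    """Real lookup: TXT values currently answered for `name` (via dig)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found on PATH")
    proc = subprocess.run(["dig", "+short", "TXT", name],
                          capture_output=True, text=True, check=False)
    # dig +short prints each TXT value quoted, one per line; strip the quotes.
    return [ln.strip().strip('"') for ln in proc.stdout.splitlines() if ln.strip()]


def classify(expected: str, seen: Iterable[str]) -> str:
    """'propagated' if the new value is served, 'stale' if only other
    values are (e.g. a record left behind by an earlier run), else 'missing'."""
    values = set(seen)
    if expected in values:
        return "propagated"
    return "stale" if values else "missing"


def wait_for_txt(name: str, expected: str, lookup: Lookup,
                 timeout: float = 600.0, interval: float = 15.0,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.monotonic) -> Tuple[str, List[str]]:
    """Poll `lookup` until `expected` is visible or `timeout` seconds pass.

    Returns (status, values_seen_on_last_poll).  sleep/clock are injectable
    so the loop can be tested without real waiting.
    """
    deadline = clock() + timeout
    while True:
        seen = list(lookup(name))
        status = classify(expected, seen)
        if status == "propagated" or clock() >= deadline:
            return status, seen
        sleep(interval)


def run_hook(lookup: Lookup = dig_txt, environ=os.environ, **kw) -> Tuple[str, List[str]]:
    """Tail of an auth hook: after the record has been created, block until
    the value certbot is about to have validated is visible."""
    domain = environ["CERTBOT_DOMAIN"]
    value = environ["CERTBOT_VALIDATION"]
    return wait_for_txt(challenge_name(domain), value, lookup, **kw)


if __name__ == "__main__":
    # A non-zero exit makes certbot abort the challenge instead of asking
    # the CA to validate a record that is not there yet.
    status, seen = run_hook()
    print(status, seen)
    raise SystemExit(0 if status == "propagated" else 1)
```

Call run_hook() at the end of the hook, after the API call that creates the record; a "stale" result with an old value is the same situation the certbot error above describes, and points at the cleanup hook (or a previous failed run) rather than at propagation time.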

You know there are a ton of ACME clients out there - that can't be the only one that can address your needs.

3 Likes

The script finally decided to work and add the DNS records to my domain:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xyz.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/xyz.com/privkey.pem

However, I don't know what I'm supposed to do now. Do I have to manually install the certificate and key in NameSilo's cPanel? If I have to do this manually each time, I don't understand the point of scheduling the issuing/renewal of the certificate...

Since I'm running this on GitLab CI/CD, these files are actually not saved anywhere anyway!

Feel free to laugh at me for my ignorance...

2 Likes

Where/How did you want to use that cert?

3 Likes

Nope! You are just learning something new. :slightly_smiling_face:

So in assisting your learning NEVER REVEAL the Private Key!
(i.e. the contents of this file)

2 Likes