Yocto Bitbake install of Certbot luadns fails with 'NoneType' object is not callable

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ethantwardy.com

I ran this command: certbot certonly -v -w /var/www/certbot --dns-luadns --dns-luadns-credentials /etc/gadget/luadns.ini

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-luadns, Installer None
Enter email address or hit Enter to skip.
 (Enter 'c' to cancel): et@ethantwardy.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.ethantwardy.com,ethantwardy.com
Requesting a certificate for *.ethantwardy.com and ethantwardy.com
Performing the following challenges:
dns-01 challenge for Identifier(typ=IdentifierType(dns), value='ethantwardy.com')
dns-01 challenge for Identifier(typ=IdentifierType(dns), value='ethantwardy.com')
Cleaning up challenges
Unexpected error determining zone identifier for ethantwardy.com: 'NoneType' object is not callable
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx version: nginx/1.28.3

The operating system my web server runs on is (include version):

Linux (Yocto-based distribution)

My hosting provider, if applicable, is:

Linode for the VM, LuaDNS for the DNS.

I can login to a root shell on my machine (yes or no, or I don't know): Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 5.5.0

This started happening at certbot 5.4.0 for me. It began with errors in the output of a weekly cron job which ran certbot renew. This script and system was working for years until this point. I upgraded to certbot 5.5.0, thinking that might help, but the error persisted. I blew away my /etc/letsencrypt library and tried to obtain new certificates, but got the same error (output from this command provided above). Thank you for your help!

I can see your consistent history of getting certs. The last successful was issued on Feb22. Based on your history you should have renewed around Apr23. My guess is you have been failing since then. So, it is possible something changed between Feb22 and Apr23 which caused the failure.

Was upgrading to Certbot 5.4 the only change during that period? Because it "feels like" an install issue probably related to that dns-lua plugin.

How do you install Certbot and that plugin? Using pip/venv, snap, or something else?

Thank you for looking at the history! Yes, that timeline sounds about right. As far as I remember, upgrading to certbot was the only thing. I've also been using the dns-luadns plugin for some time.

They're installed using bitbake, the build system for Yocto. Under the hood, that tool downloads a source tarball from PyPi and installs the packages (using Poetry, I think?)

I think you're spot-on with the intuition about the plugin. I was just able to obtain a certificate by installing certbot and the luadns plugin in a venv.

I'll review the versions of libraries in my library. Thank you!

It seems like the issue was that dns-lexicon was not installed, which is a runtime dependency of the certbot-dns-luadns plugin. After installing this package, obtaining and renewing certificates works as expected: