Support for Strato Let'e Encrypt DNS challenge

[psychofaktory]

What provider would you like to see added to NPM?
Strato

Have you checked if a certbot plugin exists?
I found this here:
https://github.com/Buxdehuda/strato-certbot

[chaptergy]

Unfortunately the current version of NPM only supports DNS-challenge providers which have a certbot dns plugin. The link you posted is only a manual auth hook certbot integration, which is not supported. And it seems there currently is no actual certbot dns plugin.

[psychofaktory]

For others with the same problem:

Not a certbot dns plugin, but I've got it managed to get a wildcart cert with the workaround mentioned here:

1. Setup proxy host in NPM (Nginx Proxy Manager) for both domain and wildcard subdomain

2. Setup SSL certificate for just the domain (wildcard input is currently not possible).

Up until here you should have SSL working for the domain, but not the subdomains.

3. In my case NginxProxyManager is a Docker-Container running on Unraid, so /config ist mounted to /mnt/user/appdata/NginxProxyManager

4. Copy auth-hook.py to /config/letsencrypt/renewal-hooks/deploy/

5. Make auth-hook.py executable:
   chmod a+x /config/letsencrypt/renewal-hooks/deploy/auth-hook.py

6. Create strato-auth.json in /config/letsencrypt/renewal-hooks/deploy/
   {
"username": "<username>",
"password": "<password>"
}

7. Replace with open("strato-auth.json") as file: in /config/letsencrypt/renewal-hooks/deploy/auth-hook.py with with open ("/config/letsencrypt/renewal-hooks/deploy/strato-auth.json") as file:

8. Change permissions:
   chmod 0400 /config/letsencrypt/renewal-hooks/deploy/strato-auth.json

9. Modify /config/letsencrypt/renewal/npm-.conf and update the section [renewalparams]:
   authenticator = manual
manual_public_ip_logging_ok = True
manual_auth_hook = /config/letsencrypt/renewal-hooks/deploy/auth-hook.py

10. Extend the certificate (replace <domain>):
    certbot certonly --manual --cert-name npm-5 --expand -d <domain>,*.<domain> --manual-auth-hook=/config/letse ncrypt/renewal-hooks/deploy/auth-hook.py

Now the cert setup in step 2. contains an wildcard-alias an can be assigned to the wildcard subdomain from step 1.

I hope this help some.

[BeSve]

10. Extend the certificate (replace <domain>):
    certbot certonly --manual --cert-name npm-5 --expand -d <domain>,*.<domain> --manual-auth-hook=/config/letse ncrypt/renewal-hooks/deploy/auth-hook.py

Thanks for your how to.
Will this automaticly update the certificate every 90 days or have I do this manualy?
Or is there a way to execute the command mentioned under 10 every n days?

Thanks a lot.

[psychofaktory]

Will this automaticly update the certificate every 90 days or have I do this manualy?

When the SSL certificate is created in step 2, NPP automatically creates a job that regularly renews the certificate.

[Substanzlos]

Hi, some things i have noticed.

(All files mentioned come from here: https://github.com/Buxdehuda/strato-certbot)

• First of, it look's like the auth-hook.py hast changed, point 7. isn't requiered anymore, with open has been removed/replaced.
• There is a new include, so you will need the file certbotstratoapi.py
• you need to install the requirements listed under requirements.txt

Okay, after this, your workaround works, but i get this error message, even so the certificate generation works:

After issuing point 8. of the workaround i get this output.

[...]
Renewing an existing certificate for abc.xyz and *abc.xyz

Hook 'deploy-hook' reported error code 1
Hook 'deploy-hook' ran with error output:
Traceback (most recent call last):
File "/etc/letsencrypt/renewal-hooks/deploy/auth-hook.py", line 42, in
main()
File "/etc/letsencrypt/renewal-hooks/deploy/auth-hook.py", line 25, in main
strato = CertbotStratoApi()
File "/etc/letsencrypt/renewal-hooks/deploy/certbotstratoapi.py", line 17, in init
self.txt_value = os.environ['CERTBOT_VALIDATION']
File "/usr/lib/python3.7/os.py", line 678, in getitem
raise KeyError(key) from None
KeyError: 'CERTBOT_VALIDATION'

Successfully received certificate.
[...]

Any ideas?

[FlixMa]

I modified the code from the aforementioned repository to provide a regular certbot dns authentication plugin, which can be directly integrated into NPM (see here).

If you would like to give it a try, follow these instructions.
The dns plugin configuration in globals/certbot-dns-plugins.js should be adjusted to include the service for Strato:

.
.
.
    //####################################################//
    strato: {
        display_name:        'Strato',
        package_name:        'certbot-dns-strato',
        version_requirement: '~=0.1.1',
        dependencies:        '',
        credentials:         `dns_strato_username = user
dns_strato_password = pass
# uncomment if domain name contains special characters
# insert domain display name as seen on your account page here
# dns_strato_domain_display_name = my-punicode-url.de`,
        full_plugin_name:    'dns-strato',
    },
.
.
.

I was successful using option 2 mentioned in the linked comment.
An exemplary docker-compose.yml could be:

version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: always
    ports:
      - '80:80'
      - '1080:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      # map custom code into the container to support strato dns
      - ./custom-npm/global/certbot-dns-plugins.js:/app/global/certbot-dns-plugins.js:ro
      - ./custom-npm/frontend/dist:/app/frontend:ro
      
networks:
  default:
    external: true
    name: nginx-proxy-manager

Note that the code is still in an experimental stage.

[Substanzlos]

Nice work. :)

Where do i need to place the files from your repository?

[FlixMa]

Nice work. :)

Where do i need to place the files from your repository?

Thank you :-)

You don't need to touch my repository -- it is just a place for the plugin to live. The code is uploaded to PyPi so it is available from anywhere where there is python pip installed. Thus npm can grab it by itself. You just need to introduce this plugin to npm by inserting the given configuration snippet posted above and then building the npm frontend from this repository.

Once that's done, you can use the build directory and mount it into your docker container at the specific location where the prebuilt frontend was living (you basically shadow it with the new version).

Then you're good to go. In fact I have this setup up and running since my post without any issues :-)

So what you need to do:

1. clone this repository (nginx-proxy-manager, not my plugin)
2. edit globals/certbot-dns-plugins.js as shown above.
3. rebuild the npm frontend using the provided build script: sudo ./scripts/frontend-build
4. mount the new version into your container using the docker-compose.yml as shown above (make sure to adjust the paths to point your local custom build. In my case it's located in ./custom-npm/)

(-: Hope this helps

[Substanzlos]

Thank you. :)

You Pull requests got answered: #2929 (comment)

I've tested the docker image, works like a charm!

Thank you so much for your work!

[Yoshi315161]

Hi guys,

i postet this also in the Pull Request but dont know if anyone sees this there:

i read this and wanted to try it out but i think i dont get it...
how and what for things do i have to put in the challange textfield?

also my strato is locked with 2fa
is there an example file i can use?

sorry but i dont understand the things under user and pass...
and for the SSL Domain i need "*.DOMAIN.COM"? or without the * for wildcard?

this is the example:
dns_strato_username = user
dns_strato_password = pass
'# uncomment if domain name contains special characters
'# insert domain display name as seen on your account page here
'# dns_strato_domain_display_name = my-punicode-url.de

and now how to fill it?

the last two i dont understand...
do i have to remove the # and fill in something?
if i do i get an error....

i testet with:
'*.DOMAIN.com

dns_strato_username = NUMBERS
dns_strato_password = PASSWORD
dns_strato_totp_secret = BUNCH OF NUMBERS AND CARACTERS
dns_strato_totp_devicename = NAME OF TOTP
'# uncomment if domain name contains special characters <-- Leav this as it was
'# DOMAIN.COM
'# dns_strato_domain_display_name = *.DOMAIN.COM

pls help or point me a good example from someone who got it to work. it would be easier then the normal challenge then there are at time internal errors -,- (new request worked...)

thank you so much...

EDIT: have to put ' infront of # to avoid funky things...

[FlixMa]

sorry but i dont understand the things under user and pass... and for the SSL Domain i need "*.DOMAIN.COM"? or without the * for wildcard?

In the topmost field of the basic certificate settings it should say *.domain.com (the CN, the certificate is issued for).
In the custom configuration for strato dns you only need to add your domain name, if it has special characters in it (aka punycode). If that's the case you need to enter the name in the exact same spelling as it appears on your strato domain configuration overview page (on strato.de it's called "Paketübersicht"). In my case it shows without the asterisk. Otherwise, so if you do not provide the dns_strato_domain_display_name, it is inferred from your CN.

I guess you already tried both variants, rights? If that's the case, I might have spotted an error with TFA.
It might be a problem in the code of my python certbot plugin, where the credentials setup function does not include the totp keys.

Since I did not configure it yet (shame on me), this didn't come to light.
Your configuration looks correct:

dns_strato_totp_secret = BUNCH OF NUMBERS AND CARACTERS
dns_strato_totp_devicename = NAME OF TOTP

Please try as I explained, if you did not already do so and report back. Then I will proceed to making the adjustments in code.
Cheers

[Yoshi315161]

hi ho and thx for the answer,

ok then i think its easier to work with pictures...

i testet a lot, but i always get an Error so hier my config (as i understand from your text):

and this is the error i get:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-30" --agree-tos --email "jxxxxxxxxxx.com" --domains "*.hxxxxxxxxxx.com" --authenticator dns-strato --dns-strato-credentials "/etc/letsencrypt/credentials/credentials-30" Saving debug log to /tmp/letsencrypt-log/letsencrypt.log

`at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)`

Do i have to put something in Strato first? i own the domain but is something to do for the wildcard *.hxxxxxxx.com SSL Cert?

Thank you for your help :)

[Yoshi315161]

Do you have something new for me @FlixMa ?

[FlixMa]

I am sorry, I didn’t have time to do it as I am currently on vacation. I’ll be back in September.

[ThomasKuijper]

I tried the same @Yoshi315161, but im getting the same error.
I tried both with a wildcard and a specific hostname, both gave the same childprocess error.
I disabled TOTP and tried, but same problem.
Maybe strato changed something.

Is there something i can look for in the debug log?

////Update

I checked some more, what i think happens, is that the url you use in your 'certbotstratoapi.py' is for strato.DE
When you login with a login from another country, instead of loggin in right now, it redirects you to the login page for the correct country.

Is it an option to add the API url to the settings?

[FlixMa]

Hey all, sorry for the late reply. I did not know, that strato was serving their page in other countries than Germany. So this actually might be cause for troubles with some users.

In the recent commit I added the option to fully customise the API endpoint:

• custom_api_scheme,
• custom_api_host,
• custom_api_port and
• custom_api_path

You will probably only set the custom_api_host, but yeah, might be nice to have in the future...

I have just published a new version of the certbot strato dns challenge pypi package:
Please pip install this package and test whether your TXT records show up on Strato Management Site.
You can use this snippet for testing:

from certbot_dns_strato.dns_strato import _StratoApi

# change the placeholders and api host to match the one you are logging in to (e.g. '.nl' for the Netherlands).
strato = _StratoApi('your_domain_display_name', custom_api_host='www.strato.nl')
strato.login('my_username', 'my_password')

strato.set_domain_name('your_domain_name')
strato.get_package_id()
strato.get_txt_records()
strato.set_amce_record('hello', 'world')
strato.push_txt_records()

The result should look like this:

I hope the NPM auto-updates the package soon, so you'll be able to use the additional options from inside NPM.
Don't forget to add the mandatory prefix in your NPM wildcard certificate configuration dns_strato_. So custom_api_host needs to be set as dns_strato_custom_api_host = www.strato.nl(e.g. for the Netherlands).

Also please let me know, if this fixes the problem for you, @Yoshi315161.
And thank you @ThomasKuijper so much for investigating.

Cheers

[Yoshi315161]

Hey @FlixMa,
i hope you had a good vacation. My Strato is also in Germany.
I only updated the pip installation and now its working without changing anything..
AWESOME :)

now i have a wildcard with DNS Challange :D (and TOPT)
Thank you so much

my config is the same like the picture above the only difference is that i deletet the last three lines.

[FlixMa]

Hey @Yoshi315161, vacation was alright; thanks for asking. Glad to hear you got it working. Then the issue might actually have been that the 2FA detection was not only broken for other countries, but also for strato.de. That is actually very likely as it was based on user-facing string matching, which of course might change more frequently than an API. I did. change that behaviour to be based on whether you provide 2FA credentials or not, to make it compatible with other languages.

Do you mind sharing how you updated the pip package inside your NPM docker container? This way others can profit as well :)

Have a nice weekend!

[Yoshi315161]

Ofcourse I can.
I have portainer installed in my Docker server.
So I Bash into the NPM Container and just Copied the install Bash from your link and press Enter:
pip install certbot-dns-strato==0.2.0

After that I tested again in NPM and it worked.

You too :)

[Anocos]

So what you need to do:

1. clone this repository (nginx-proxy-manager, not my plugin)

2. edit `globals/certbot-dns-plugins.js` as shown above.

3. rebuild the npm frontend using the provided build script: `sudo ./scripts/frontend-build`

4. mount the new version into your container using the `docker-compose.yml` as shown above (make sure to adjust the paths to point your local custom build. In my case it's located in `./custom-npm/`)

Hi, when I run:
sudo ./scripts/frontend-build
sudo: ./scripts/frontend-build: command not found

frontend-build file does not exist

Any suggestion

[FlixMa]

The script has been moved to a subfolder: scripts/ci/frontend-build

I am not sure if it will work, though. There might have been other breaking changes since spring 2023.

But may I ask, why you want to use those steps? The plugin should already show up without any additional changes since #2929 got merged. So you probably don’t need to build it for yourself :)

[Anocos]

I have updated to the latest version 2.10.4 and I have already seen it
Now I will do tests
Thank you

[Anocos]

When I try to create an SSL certificate it gives an error:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --agree-tos --email "xxxx@xxxx.es" --domains "xxxxxxxxx.es" --authenticator dns-strato --dns-strato-credentials "/etc/letsencrypt/credentials/credentials-1" Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
at ChildProcess.exithandler (node:child_process:402:12) at ChildProcess.emit (node:events:513:28) at maybeClose (node:internal/child_process:1100:16) at Socket. (node:internal/child_process:458:11) at Socket.emit (node:events:513:28) at Pipe. (node:net:301:12)

Ofcourse I can. I have portainer installed in my Docker server. So I Bash into the NPM Container and just Copied the install Bash from your link and press Enter: pip install certbot-dns-strato==0.2.0

After that I tested again in NPM and it worked.

You too :)

I have also updated to version 0.2.0 from Portainer

[FlixMa]

Unfortunately I haven't seen this error before. You can try to have a look into the debug log. There might be useful information inside. If you are unsure if this has to do with the strato plugin itself, you might want to post a new issue.

[Anocos]

It's already solved.
It is necessary to put in the Credentials File Content section:
dns_strato_custom_api_host = www.strato.es

In case it helps anyone :)

[FlixMa]

I added a more descriptive configuration template to simplify onboarding for new users. See pull request #3212 for more information.

[Estradamis]

Joining here as the steps provided didnt fix the issue :(

[speede83]

Hey all, apparently Strato did change the way of accessing the individual packages. In the past this was done through an absolute package id. Now this changed to incrementing numbers per account.

Hopefully the uploaded fix 0.2.1 will account for that. The tests on my end are looking fine. Please try to update the pip package and let me know :-) Felix

Thanks a lot. Updated NPM to v2.11.1 and updated the certbot-dns-strato to fix 0.2.1. I instatly was able to renew my wildcard certificat.

[nevyen]

I tried it once again but it didn't work

my Config is:

dns_strato_username = "myloginnumber"
dns_strato_password = "mySecretPasswordWitha$asSpecialChar"

Propagation Seconds = 70

The log gives the following output

2024-02-20 14:29:12,215:DEBUG:acme.client:Storing nonce: 1pTQTQeXzVAON8O3Q591coWeQUvKkxzhPFA_m3dQMlrt4jo7VBI
2024-02-20 14:29:12,218:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-02-20 14:29:12,219:INFO:certbot._internal.auth_handler:dns-01 challenge for mydomain.de
2024-02-20 14:29:12,228:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): www.strato.de:443
2024-02-20 14:29:12,528:DEBUG:urllib3.connectionpool:https://www.strato.de:443 "GET /apps/CustomerService HTTP/1.1" 200 None
2024-02-20 14:29:13,011:DEBUG:urllib3.connectionpool:https://www.strato.de:443 "POST /apps/CustomerService HTTP/1.1" 302 0
2024-02-20 14:29:13,082:DEBUG:urllib3.connectionpool:https://www.strato.de:443 "GET /apps/CustomerService?sessionID=5dc882acc8846e453a5e95c7019079&node=kds_CustomerEntryPage&cID=0&swtssa=gerbksnst0000000000000000 HTTP/1.1" 200 None
2024-02-20 14:29:13,146:DEBUG:urllib3.connectionpool:https://www.strato.de:443 "GET /apps/CustomerService?sessionID=5dc882acc8846e453a5e95c7019079&cID=0&node=kds_CustomerEntryPage HTTP/1.1" 200 None

As you can see my cID above is 0 when I login into my account the cID is 1.

Maybe this is my problem.

[4EverChaos]

Ok got it to work now Thx for the hint FlixMa :) If someone have the same problems with the error:

1. exec in to the container

2. apt update

3. apt install pip

4. apt install nano

5. pip install certbot-dns-strato==0.2.1 --break-system-packages

6. cd global/

7. nano certbot-dns-plugins.json

8. change the version from Strato 0.1.1 to 0.2.1 and save it

9. restart the container

10. Request a new Wildcard within NPM

This helped in my case, thanks for the steps!

[CryPt00n]

Trying to setup a new LXC on proxmox but cannot get it to run. Requesting single subdomain certificates is working fine, but DNS challenge with strato isn't.

Already updated certbot-dns-strato, modified certbot-dns-plugins.json etc. but no success.

2FA is NOT activated & no '#' inside my password.

NPM: v2.11.1 also tried with 2.10

Credentials File Content

dns_strato_username = "XXXXX"
dns_strato_password = "XXXXXXXXXXXX"
#uncomment if youre using two factor authentication:
#dns_strato_totp_devicename = 2fa_device
#dns_strato_totp_secret = 2fa_secret
#
#uncomment if domain name contains special characters
#insert domain display name as seen on your account page here
#dns_strato_domain_display_name = my-punicode-url.de
#
#if youre not using strato.de or another special endpoint you can customise it below
#you will probably only need to adjust the host, but you can also change the complete endpoint url
#dns_strato_custom_api_scheme = https
#dns_strato_custom_api_host = www.strato.de
#dns_strato_custom_api_port = 443
#dns_strato_custom_api_path = "/apps/CustomerService"

Error in NPM

CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:410:5)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

letsencrypt.log

2024-03-01 14:41:04,687:DEBUG:certbot._internal.main:certbot version: 2.1.0
2024-03-01 14:41:04,687:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-03-01 14:41:04,687:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-3', '--agree-tos', '--email', 'webmaster@XXXXX.de', '--domains', 'XXXXX.de', '--authenticator', 'dns-strato', '--dns-strato-credentials', '/etc/letsencrypt/credentials/credentials-3']
2024-03-01 14:41:04,687:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#dns-duckdns,PluginEntryPoint#dns-porkbun,PluginEntryPoint#dns-strato,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-03-01 14:41:04,693:DEBUG:certbot._internal.log:Root logging level set at 30
2024-03-01 14:41:04,694:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-strato and installer None
2024-03-01 14:41:04,694:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-strato
Description: Obtain certificates using a DNS TXT record (if you are using Strato for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-strato = certbot_dns_strato.dns_strato:Authenticator
Initialized: <certbot_dns_strato.dns_strato.Authenticator object at 0x798b0eb23f90>
Prep: True
2024-03-01 14:41:04,695:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_strato.dns_strato.Authenticator object at 0x798b0eb23f90> and installer None
2024-03-01 14:41:04,695:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-strato, Installer None
2024-03-01 14:41:04,727:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1596796947', new_authzr_uri=None, terms_of_service=None), 6f0a8cb6b0a20a11d5dc2f93ddbfba38, Meta(creation_dt=datetime.datetime(2024, 3, 1, 13, 37, 36, tzinfo=<UTC>), creation_host='npm.localdomain', register_to_eff=None))>
2024-03-01 14:41:04,727:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-03-01 14:41:05,165:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 13:41:05 GMT
Content-Type: application/json
Content-Length: 752
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "6_Pvodmp9nQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2024-03-01 14:41:05,166:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for XXXXX.de
2024-03-01 14:41:05,178:DEBUG:certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
2024-03-01 14:41:05,188:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
2024-03-01 14:41:05,192:DEBUG:acme.client:Requesting fresh nonce
2024-03-01 14:41:05,192:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2024-03-01 14:41:05,333:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 13:41:05 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: iCRP5AvKBZQQDNabOqaNZb8VQSj0sAOmXtGuOTI0WpwW76p--LY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2024-03-01 14:41:05,334:DEBUG:acme.client:Storing nonce: iCRP5AvKBZQQDNabOqaNZb8VQSj0sAOmXtGuOTI0WpwW76p--LY
2024-03-01 14:41:05,335:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "XXXXX.de"\n    }\n  ]\n}'
2024-03-01 14:41:05,343:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTU5Njc5Njk0NyIsICJub25jZSI6ICJpQ1JQNUF2S0JaUVFETmFiT3FhTlpiOFZRU2owc0FPbVh0R3VPVEkwV3B3Vzc2cC0tTFkiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "ftcKQsGnUrRi7tg2DMXnzw3azVcCRJgvHldRbp_WLmI2ov_Z5ys5xcJF5gouD5vbNls1j7c_lklzTW4XqVTONZ1N9DQIfmsxjfN4G-s78GDLIr3xVu9TzaMtWjodZd1cb9jfQbORsBskeU27iVDZDmP91vvIPP4yVIUJC1T5rF6qIaZQVeqm99Kbk5SG_5P_USdvq--z9J72QLoWRXuHvA-kyonnWjECCL9vwhZIGl9ihQkjxTmzWrsBw5TZSac1TJE_bFYnHzbWtgnxfgwWisRatRTJgtqt8x9ByyN6O5TrP2TQ7UJD7xrsT4N8wWiMzjpxudIC56DtAMxS6oNoyQ",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIndvbGV3aWVuc2tpLmRlIgogICAgfQogIF0KfQ"
}
2024-03-01 14:41:05,736:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Fri, 01 Mar 2024 13:41:05 GMT
Content-Type: application/json
Content-Length: 340
Connection: keep-alive
Boulder-Requester: 1596796947
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1596796947/248728721787
Replay-Nonce: iCRP5AvKuHwnj8SJuFgqR7PK3u2C4C33ZccsWzxV0T5YEalgkpg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2024-03-08T13:37:36Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "XXXXX.de"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/321228332677"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1596796947/248728721787"
}
2024-03-01 14:41:05,737:DEBUG:acme.client:Storing nonce: iCRP5AvKuHwnj8SJuFgqR7PK3u2C4C33ZccsWzxV0T5YEalgkpg
2024-03-01 14:41:05,738:DEBUG:acme.client:JWS payload:
b''
2024-03-01 14:41:05,741:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/321228332677:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTU5Njc5Njk0NyIsICJub25jZSI6ICJpQ1JQNUF2S3VId25qOFNKdUZncVI3UEszdTJDNEMzM1pjY3NXenhWMFQ1WUVhbGdrcGciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzMyMTIyODMzMjY3NyJ9",
  "signature": "HApgjJKW2K4bNfizVUGjacGbefTRQaWLGRMKN3pfH4IRsDbiHjI_mg48rUqv85Fh5A2O4vBdoDirSdZie7G3d6yEn0CtEaYvJQidtN7jq8Hs_w-mSJJKpx_lS-NzaRcReEVIHgeiYVrqGHIiPM5bnoEMs5YAKHJdayoZBRcmUNxmV3PgzsX0ywHDor5zdYIt5-XuYxERNrCnBlbc2bn0Cnuc9Zhmo_OHuZ1vR-FPuFv5h0iHiHrr4R4v6WgpooRdGM_FRa6Bj077z3_B-MgGKKFXxzFbqdED_15xRHXgjPzZHKnZy1ankVPSovvcZuWvcq1Xo8bKpKABxgb6oT0Mgw",
  "payload": ""
}
2024-03-01 14:41:05,893:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 13:41:05 GMT
Content-Type: application/json
Content-Length: 798
Connection: keep-alive
Boulder-Requester: 1596796947
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: iCRP5AvKDvj1FvscYFwwsTlUU1kHvR7yRVh3muiUBT0T4JBLoVQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "XXXXX.de"
  },
  "status": "pending",
  "expires": "2024-03-08T13:37:36Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/321228332677/H8KNtg",
      "token": "grWJn6XTE8BdkTUAselPoSFhquwisYXDt7PsU_XetV4"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/321228332677/I5rWVg",
      "token": "grWJn6XTE8BdkTUAselPoSFhquwisYXDt7PsU_XetV4"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/321228332677/Hl0VMg",
      "token": "grWJn6XTE8BdkTUAselPoSFhquwisYXDt7PsU_XetV4"
    }
  ]
}
2024-03-01 14:41:05,894:DEBUG:acme.client:Storing nonce: iCRP5AvKDvj1FvscYFwwsTlUU1kHvR7yRVh3muiUBT0T4JBLoVQ
2024-03-01 14:41:05,895:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-03-01 14:41:05,896:INFO:certbot._internal.auth_handler:dns-01 challenge for XXXXX.de

Had it running in docker on unraid successful but want to move the critical applications to my proxmox cluster.
I would really appreciate your help here.

EDIT: I just saw, on my existing NPM on Unraid, also v2.11.1 I run into problems too, when renewing the domain (XXXXX.de) which I´ve tried with the new NPM container. When trying with one of my other domains (YYYYY.com), I can renew without problems. I´ve checked both config files, they are the same. So I have no idea why it's not working for that one domain.
In the new container, it is working with my second domain (YYYYY.com) too, with the first one (XXXXX.de) not. Tested with exactly the same settings but ran into the above issue.

[Vientus]

Try to use your package password and your domain.

Go to your strato account and set your package password. Then check, if you can login to your strato account with your domain name (e.g. example.com) as user and for your password use your package password.

If that works, enter those credentials into the Credential File:

dns_strato_username = "example.com"
dns_strato_password = "package password"  
#uncomment if youre using two factor authentication:
#dns_strato_totp_devicename = 2fa_device
#dns_strato_totp_secret = 2fa_secret
#
#uncomment if domain name contains special characters
#insert domain display name as seen on your account page here
#dns_strato_domain_display_name = my-punicode-url.de
#
#if youre not using strato.de or another special endpoint you can customise it below
#you will probably only need to adjust the host, but you can also change the complete endpoint url
#dns_strato_custom_api_scheme = https
#dns_strato_custom_api_host = www.strato.de
#dns_strato_custom_api_port = 443
#dns_strato_custom_api_path = "/apps/CustomerService"

[anubis-genix]

Ok got it to work now Thx for the hint FlixMa :) If someone have the same problems with the error:

1. exec in to the container

2. apt update

3. apt install pip

4. apt install nano

5. pip install certbot-dns-strato==0.2.1 --break-system-packages

6. cd global/

7. nano certbot-dns-plugins.json

8. change the version from Strato 0.1.1 to 0.2.1 and save it

9. restart the container

10. Request a new Wildcard within NPM

And I had assumed that it was just a bug in the older version. It was all the more annoying to discover that it doesn't work with the newer version either. It finally got it to work thanks to your instructions. Thanks a lot!

[CryPt00n]

Try to use your package password and your domain.

Go to your strato account and set your package password. Then check, if you can login to your strato account with your domain name (e.g. example.com) as user and for your password use your package password.

If that works, enter those credentials into the Credential File:

dns_strato_username = "example.com"

dns_strato_password = "package password"  

#uncomment if youre using two factor authentication:

#dns_strato_totp_devicename = 2fa_device

#dns_strato_totp_secret = 2fa_secret

#

#uncomment if domain name contains special characters

#insert domain display name as seen on your account page here

#dns_strato_domain_display_name = my-punicode-url.de

#

#if youre not using strato.de or another special endpoint you can customise it below

#you will probably only need to adjust the host, but you can also change the complete endpoint url

#dns_strato_custom_api_scheme = https

#dns_strato_custom_api_host = www.strato.de

#dns_strato_custom_api_port = 443

#dns_strato_custom_api_path = "/apps/CustomerService"

This finally worked for me! Thank you very much!!! 😁

[CryPt00n]

Hey, again me. Looks like I was able to request a cert for my domain now. but it seems not to be a wildcard. There is no "*" in front of the domain, and we also receive the message from Firefox, that the domain name (subdomain) is missing in the cert.

EDIT: Also, whats interesting, now my default strato credentials are working again for this domain...

[Vientus]

Hey, again me. Looks like I was able to request a cert for my domain now. but it seems not to be a wildcard. There is no "*" in front of the domain, and we also receive the message from Firefox, that the domain name (subdomain) is missing in the cert.

EDIT: Also, whats interesting, now my default strato credentials are working again for this domain...

You added your domain to nginx like domain.com and also *.domain.com? Then you should receive a wildcard cert.

[CryPt00n]

No, I´ve just added "domain.de" to the textbox, like I did in the past. When additionally adding "*.domain.de" I run into an issue.

EDIT: Anyway, now I´m running into the cert limit. ._.

[Vientus]

I am just a noob myself in that area of expertise ;-). But I think, you have to add *.domain.de for receiving a second level subdomain wildcard certificate.

[CryPt00n]

I think I never did this in the past, but it's possible, it got automatically added. Not sure to be honest.
But with adding it, it did not work, as the resolved address is not routed to my server (its checking for *.domain.de).

[kaptewn]

Hi,

I just found this thread and it has helped me greatly in managing to create a cert for my domain on strato.

One small (big) problem though. Even though the cert shows up, and I can use it for my reverse proxy, i get an "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error when I'm trying to connect to the domain. Why woud that be if I have used the config below?

*.example.se

dns_strato_username = username
dns_strato_password = "password"
dns_strato_domain_display_name = example.se
dns_strato_custom_api_host = www.strato.se

I have tried the full subdomain instead of the wildcard and as display name aswell, but nothing works. The Cert is created with no problems, but I get the version or mismatch error in chrome every time. In firefox the error is "SSL_ERROR_NO_CYPHER_OVERLAP" instead.

If i create a cert for duckdns.org for example, there is no problems at all.

Can anyone elaborate on what I need to do?

EDIT: I solved it myselv by adding the domain to Cloudflare and bypassing Strato DNS completely.
Then I could also just make a DNS challenge to Cloudflare instead of Strato.

[PLanB2008]

After updating to 0.2.1 I could renew the wildcard certificate for one of my two domains. For the other I still get the same error as before. Any hints how to solve this?

Using the https://github.com/Buxdehuda/strato-certbot certbot I can at least receive the fitting certificate, so there it seems to be fixed :)

[wolflu05]

I can confirm that renewal after manually updating to 0.2.1 works. But why is that version not updated in the official docker container?

[PLanB2008]

For me it still only works for the first of my domains.

[pdsccode]

Sadly, neither can I renew my wildcard cert nor can I request a new one with any combination of the settings from above. I tried with updating the python package as well. I still get an "internal error" without any indication to the error itself.

[jclsn]

I could successfully create my wildcard certificate, but still can't reach the subdomains when I select it for the proxy host. Btw it says the domains have to already be created. Does that mean that the wildcard certificate will only be created for the subdomains already added in the Strato account?

[nevyen]

I could successfully create my wildcard certificate, but still can't reach the subdomains when I select it for the proxy host. Btw it says the domains have to already be created. Does that mean that the wildcard certificate will only be created for the subdomains already added in the Strato account?

You need to register your subdomains manually at strato. NGINX can't register Subdomains for you.

You need to register your subdomains and set the ip where they should point to. Or you could set a CNAME to point to the same IP as your DYNDNS Domain.

The Wildcard certificate is valid for all subdomains. No matter if they existed before or after the certificate generation.

[jclsn]

@nevyen I would like it to use the same IP as the DynDNS domain. How do I do this with the CNAME? Shouldn't this be automatically set up? I have DynDNS deactivated for the subdomain and I realized that the IP differs from the main domain. I would assume they are the same.

I am still being greeted with the Strato landing page on the subdomain, so the proxy doesn't seem to work. The certificate for my main domain also is not trusted by Firefox today and it points to my router's WebUI. Yesterday this still worked. Really hard to set this up. DuckDNS was so straight-forward.

[nevyen]

@jclsn for each subdomain you must set the CNAME to the domain you registered in your routers dyndns.
Then the subdomain will automaticly get the ip from the "main" domain.

Referr to https://www.strato.de/faq/domains/wie-kann-ich-bei-strato-meine-dns-eintraege-verwalten/#cname

[FlixMa]

@jclsn Its not about your proxy not working, but rather a wrong configuration in your strato package. Each subdomain can point to a different server, thus strato allowing you to assign different IPs to each subdomain.

If you just need them to all point to the same server (e.g. your npm instance) than you can either set up your router to supply dyndns for all your subdomains or just use CNAME records in your primary domain. CNAME stands for canonical name and are basically the DNS way of saying „this is an alias for that“.

[jclsn]

The link you sent me is an A-record, where I should enter an IP, although I don't understand how this would work with DynDNS. Afaik the IP changes from time to time. I looked at changing the CNAME, but it doesn't accept maindomain.de. Calling the Strato support now. I just wonder why the proxy for the main domain is not working anymore. This is probably a configuration issue with NPM. My DuckDNS proxies are still active and working though.

[jclsn]

So I added maindomain.de. as CNAME and now the FritzBox is complaining about DNS Rebind protection. The Strato customer support didn't know how to help me :D Guess they only have qualified support for corporate customers.

[jclsn]

I just realized it works correctly from outside my network. Just tried it with my phone. As soon as I connect to the wifi thoug, the maindomain.de is showing me the router's web ui and the subdomains gives me the rebind protection warning.

[tbreitha]

I gave up with Strato DNS plugin. I kept my domain with Strato but moved the DNS Records off to a free Account on Cloudflare. Now the certs incl. wildcard working without any issues also renewing them is not a problem anymore.
Cheers
Tom

[jclsn]

Ha, I made it! Seems like you can't use the DynDNS in the FritzBox. Using ddclient works much better!

So here is what I did:

1. Update the certbot-dns-strato plugin to 0.2.1 as mentioned above
2. In your Strato account: Create all you subdomains and don't activate DynDNS for them
3. In your Strato account: Go to subdomain configuration -> DNS configuration -> CNAME-Record -> enter "mydomain.de." including the last dot and save
4. For DynDNS: I had no luck with doing it directly on the FritzBox, as I could only access the website from outside my network. So I used ddclient. Download the ddclient package to your Linux server and use the template posted here to set it up. Just running ddclient and following the instructions will probably also work. SSL will not work with checkip.dyndns.org, so use ssl=no (see). Use your DynDNS credentials here!
5. Create your wildcard certificate in NPM using your Strato account credentials, not your DynDNS credentials!
6. Create your proxies for your subdomains and add the wildcard certificate
7. Don't forget to open ports 80 and 443 for your server on your router to make NPM reachable from outside your network!

[CryPt00n]

When requesting wildcard certificates for my .de domain, i´m still running into issues. The cert request just aborts, with no visible error message. This problem only comes up for .de domains, found my .com and .eu domains from same strato account are working fine. Any idea, what could block me here?

Using Nginx Proxy Manager v2.11.1, certbot-dns-strato v0.2.1

Full log of issue

2024-05-02 16:18:38,612:DEBUG:certbot._internal.main:certbot version: 2.1.0
2024-05-02 16:18:38,612:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-05-02 16:18:38,612:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-52', '--agree-tos', '--email', 'webmaster@domain.de', '--domains', 'domain.de', '--authenticator', 'dns-strato', '--dns-strato-credentials', '/etc/letsencrypt/credentials/credentials-52']
2024-05-02 16:18:38,612:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#dns-duckdns,PluginEntryPoint#dns-porkbun,PluginEntryPoint#dns-strato,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-05-02 16:18:38,619:DEBUG:certbot._internal.log:Root logging level set at 30
2024-05-02 16:18:38,619:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-strato and installer None
2024-05-02 16:18:38,620:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-strato
Description: Obtain certificates using a DNS TXT record (if you are using Strato for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-strato = certbot_dns_strato.dns_strato:Authenticator
Initialized: <certbot_dns_strato.dns_strato.Authenticator object at 0x7e703bb94090>
Prep: True
2024-05-02 16:18:38,620:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_strato.dns_strato.Authenticator object at 0x7e703bb94090> and installer None
2024-05-02 16:18:38,620:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-strato, Installer None
2024-05-02 16:18:38,658:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1598501227', new_authzr_uri=None, terms_of_service=None), 307c450e4e4c8df29a05c7f1e282d970, Meta(creation_dt=datetime.datetime(2024, 3, 2, 14, 50, 24, tzinfo=<UTC>), creation_host='reverse-proxy.localdomain', register_to_eff=None))>
2024-05-02 16:18:38,658:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-05-02 16:18:39,085:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Content-Type: application/json
Content-Length: 747
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "OCi65trDFA8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2024-05-02 16:18:39,086:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for domain.de
2024-05-02 16:18:39,097:DEBUG:certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0064_key-certbot.pem
2024-05-02 16:18:39,107:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0064_csr-certbot.pem
2024-05-02 16:18:39,110:DEBUG:acme.client:Requesting fresh nonce
2024-05-02 16:18:39,111:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2024-05-02 16:18:39,251:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: O0afatDIUYo_tvD0qKgcSxmqX1tK9R_NX45BGoQ8WT4UCWOsn-U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2024-05-02 16:18:39,252:DEBUG:acme.client:Storing nonce: O0afatDIUYo_tvD0qKgcSxmqX1tK9R_NX45BGoQ8WT4UCWOsn-U
2024-05-02 16:18:39,252:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "domain.de"\n    }\n  ]\n}'
2024-05-02 16:18:39,260:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTU5ODUwMTIyNyIsICJub25jZSI6ICJPMGFmYXRESVVZb190dkQwcUtnY1N4bXFYMXRLOVJfTlg0NUJHb1E4V1Q0VUNXT3NuLVUiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "TNaLqp0iX0oneAfzg9KFPB5WFMIwk-983BR1hw2ProTI74Str79_tfoXWjx40wIBPFiIG5eQkohC93KrX6iPNFIo9se4OlTJwpYxolUYDehXtyY6yULfpOMXQBcDUxkUARB0cW5ERoyRVz16CHi8oiCxOkYGRwB3St_EOPCYPKNAxAiRSjT-hb4ONIe_9iSRcgeDBGfqwrp104cRnNJB9qVPVOCpqtoM9WzX5pF9TIY6pKI-uX47FPQR9fcZ3_lbFm53a5Iz9Byt7_Bav1wKvZmZf_noK3u66AAHMjSg05bb3hqS2FoJqR1TB0Kc4YIPF_BSX_3CA-ronONwE4dfhA",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIndvbGV3aWVuc2tpLmRlIgogICAgfQogIF0KfQ"
}
2024-05-02 16:18:39,414:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Content-Type: application/json
Content-Length: 340
Connection: keep-alive
Boulder-Requester: 1598501227
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1598501227/265980151337
Replay-Nonce: Y_7AIQuUkd3e3_rcDcX4pgPvzO4_O7YtbF9-GNnBAG3kkijVcoA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2024-05-09T14:10:50Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "domain.de"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/345790981617"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1598501227/265980151337"
}
2024-05-02 16:18:39,415:DEBUG:acme.client:Storing nonce: Y_7AIQuUkd3e3_rcDcX4pgPvzO4_O7YtbF9-GNnBAG3kkijVcoA
2024-05-02 16:18:39,415:DEBUG:acme.client:JWS payload:
b''
2024-05-02 16:18:39,417:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/345790981617:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTU5ODUwMTIyNyIsICJub25jZSI6ICJZXzdBSVF1VWtkM2UzX3JjRGNYNHBnUHZ6TzRfTzdZdGJGOS1HTm5CQUcza2tpalZjb0EiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzM0NTc5MDk4MTYxNyJ9",
  "signature": "PNZq4tTE50GX_sy3ClPHI4W9tjzlHLWdvZEpCcHHVUfNxTFCGFPXQNLV-XApHrRlhytrTU6GhuVR7l378zqCOV2z4r5nXQe75t0ZqEeHJ-HE70PGhV6uD3bdpNhKdGSpZ4jmEV50oWUpWEL_AG-WjJx4E_5KV5BC3Xlno-0i9OYRlQqTmi4eki2_8NQAmJMfZliUoqiukSLyuLk126OJqGVdhiiF7Q2G4i36e1VH9VbyadoLbtfv3OAn87dJjpFJM_TBVb2X9HsA_0NnUIFp8YTYOimmRRA4--PZdlFfND0KSR4TdPlDeQoiKnlAJ-fVeA7eXyvybYqYJwyONpUWZw",
  "payload": ""
}
2024-05-02 16:18:39,553:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Content-Type: application/json
Content-Length: 798
Connection: keep-alive
Boulder-Requester: 1598501227
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "domain.de"
  },
  "status": "pending",
  "expires": "2024-05-09T14:10:50Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/e0m2DA",
      "token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/coLV5g",
      "token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/2sm9nQ",
      "token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
    }
  ]
}
2024-05-02 16:18:39,553:DEBUG:acme.client:Storing nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
2024-05-02 16:18:39,554:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-05-02 16:18:39,555:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.de

EDIT:
Only difference i found is, that .de domain is trying way more challenges and stays on status "pending" compared to .com. But all domais are routed to my homelab via dyndns and can be used/pinged & i have used the exact same credentials for both.

.de-challenges

HTTP 200
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Content-Type: application/json
Content-Length: 798
Connection: keep-alive
Boulder-Requester: 1598501227
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "domain.de"
  },
  "status": "pending",
  "expires": "2024-05-09T14:10:50Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/e0m2DA",
      "token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/coLV5g",
      "token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/2sm9nQ",
      "token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
    }
  ]
}
2024-05-02 16:18:39,553:DEBUG:acme.client:Storing nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
2024-05-02 16:18:39,554:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-05-02 16:18:39,555:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.de

.com challenges

HTTP 200
Server: nginx
Date: Thu, 02 May 2024 15:07:11 GMT
Content-Type: application/json
Content-Length: 572
Connection: keep-alive
Boulder-Requester: 1598501227
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: O0afatDIdLAdBXwvNoaYXhbL05VSQ_hxdNdTa93qwsZcu146X04
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "domain.com"
  },
  "status": "valid",
  "expires": "2024-06-01T14:08:39Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345789827577/3hjyKg",
      "token": "YIgmMMYgKo7si214ERMxND-lVFb80uxq2TIMyoeHJ4k",
      "validationRecord": [
        {
          "hostname": "domain.com",
          "resolverAddrs": [
            "10.1.12.85:30182"
          ]
        }
      ],
      "validated": "2024-05-02T14:08:39Z"
    }
  ]
}