
certbot-dns-ovh fails with "Unexpected error determining zone identifier" when zone has a warning #9836

Open
dleborgne opened this issue Nov 6, 2023 · 6 comments


dleborgne commented Nov 6, 2023

My operating system is:

# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):

# snap list certbot certbot-dns-ovh
Name             Version  Rev   Tracking       Publisher     Notes
certbot          2.7.4    3462  latest/stable  certbot-eff✓  classic
certbot-dns-ovh  2.7.4    3048  latest/stable  certbot-eff✓  -

I ran this command and it produced this output:

# certbot renew
[...]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mycompany.ovh.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for mycompany.ovh
Failed to renew certificate mycompany.ovh with error: Unexpected error determining zone identifier for mycompany.ovh: Zone mycompany.ovh is not deployed
[...]

## Certbot's behavior differed from what I expected because:
I expected certificates to be renewed

## Here is a Certbot log showing the issue:
2023-11-06 17:42:47,462:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 1473
2023-11-06 17:42:47,853:DEBUG:certbot._internal.main:certbot version: 2.7.4
2023-11-06 17:42:47,853:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3462/bin/certbot
2023-11-06 17:42:47,853:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2023-11-06 17:42:47,853:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#dns-ovh,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-11-06 17:42:47,892:DEBUG:certbot._internal.log:Root logging level set at 30
[...]
2023-11-06 17:42:47,984:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/mycompany.ovh.conf
2023-11-06 17:42:47,985:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2023-11-06 17:42:47,996:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2023-11-06 17:42:48,259:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2023-11-06 17:42:48,260:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/mycompany.ovh/cert28.pem is signed by the certificate's issuer.
2023-11-06 17:42:48,260:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/mycompany.ovh/cert28.pem is: OCSPCertStatus.GOOD
2023-11-06 17:42:48,261:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2023-11-21 03:49:23 UTC.
2023-11-06 17:42:48,261:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2023-11-06 17:42:48,261:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-ovh and installer None
2023-11-06 17:42:48,262:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-ovh
Description: Obtain certificates using a DNS TXT record (if you are using OVH for DNS).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='dns-ovh', value='certbot_dns_ovh._internal.dns_ovh:Authenticator', group='certbot.plugins')
Initialized: <certbot_dns_ovh._internal.dns_ovh.Authenticator object at 0x7f67f51d6670>
Prep: True
2023-11-06 17:42:48,262:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_ovh._internal.dns_ovh.Authenticator object at 0x7f67f51d6670> and installer None
2023-11-06 17:42:48,262:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-ovh, Installer None
2023-11-06 17:42:48,314:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f67f4de1ca0>)>), contact=('mailto:[REDACTED]',), agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v01.api.letsencrypt.org/acme/reg/20279734', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), c25168feca204ec8e3fd11ded9f4f254, Meta(creation_dt=datetime.datetime(2017, 8, 22, 19, 25, 26, tzinfo=<UTC>), creation_host='manga.mycompany.ovh', register_to_eff=None))>
2023-11-06 17:42:48,315:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-11-06 17:42:48,315:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-11-06 17:42:48,797:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752
2023-11-06 17:42:48,797:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 06 Nov 2023 16:42:48 GMT
Content-Type: application/json
Content-Length: 752
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "Ol5Q3MTF1Gs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-11-06 17:42:48,798:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for mycompany.ovh
2023-11-06 17:42:48,838:DEBUG:acme.client:Requesting fresh nonce
2023-11-06 17:42:48,839:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-11-06 17:42:48,988:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-11-06 17:42:48,989:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 06 Nov 2023 16:42:48 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: [REDACTED]
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-11-06 17:42:48,989:DEBUG:acme.client:Storing nonce: [REDACTED]
2023-11-06 17:42:48,989:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "mycompany.ovh"\n    }\n  ]\n}'
2023-11-06 17:42:48,991:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "[REDACTED]",
  "signature": "[REDACTED]",
  "payload": "[REDACTED]"
}
2023-11-06 17:42:49,152:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 335
2023-11-06 17:42:49,153:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 06 Nov 2023 16:42:49 GMT
Content-Type: application/json
Content-Length: 335
Connection: keep-alive
Boulder-Requester: 20279734
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/20279734/220322252826
Replay-Nonce: [REDACTED]
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-11-13T16:29:03Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "mycompany.ovh"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/281200963876"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/20279734/220322252826"
}
2023-11-06 17:42:49,153:DEBUG:acme.client:Storing nonce: [REDACTED]
2023-11-06 17:42:49,153:DEBUG:acme.client:JWS payload:
b''
2023-11-06 17:42:49,154:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/281200963876:
{
  "protected": "[REDACTED]",
  "signature": "[REDACTED]",
  "payload": ""
}
2023-11-06 17:42:49,307:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/281200963876 HTTP/1.1" 200 795
2023-11-06 17:42:49,307:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 06 Nov 2023 16:42:49 GMT
Content-Type: application/json
Content-Length: 795
Connection: keep-alive
Boulder-Requester: 20279734
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: [REDACTED]
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mycompany.ovh"
  },
  "status": "pending",
  "expires": "2023-11-13T16:29:03Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/281200963876/U62Ncg",
      "token": "[REDACTED]"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/281200963876/Ls044A",
      "token": "[REDACTED]"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/281200963876/e0g6dQ",
      "token": "[REDACTED]"
    }
  ]
}
2023-11-06 17:42:49,307:DEBUG:acme.client:Storing nonce: QBeJ2muf3g43aZziOzey6w9tsC8F2QBvn8n67SfmvvO4YraybIc
2023-11-06 17:42:49,308:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-11-06 17:42:49,308:INFO:certbot._internal.auth_handler:dns-01 challenge for mycompany.ovh
2023-11-06 17:42:49,351:DEBUG:filelock:Attempting to acquire lock 140084466534432 on /root/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-11-06 17:42:49,351:DEBUG:filelock:Lock 140084466534432 acquired on /root/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-11-06 17:42:49,353:DEBUG:filelock:Attempting to release lock 140084466534432 on /root/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-11-06 17:42:49,353:DEBUG:filelock:Lock 140084466534432 released on /root/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-11-06 17:42:49,391:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): eu.api.ovh.com:443
2023-11-06 17:42:49,415:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/auth/time HTTP/1.1" 200 10
2023-11-06 17:42:49,441:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/domain/zone/ HTTP/1.1" 200 None
2023-11-06 17:42:49,491:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/domain/zone/mycompany.ovh/status HTTP/1.1" 200 None
2023-11-06 17:42:49,494:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 250, in _resolve_domain
    with Client(self._build_lexicon_config(domain_name)):
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/client.py", line 151, in __enter__
    raise e
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/client.py", line 144, in __enter__
    provider.authenticate()
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/_private/providers/ovh.py", line 96, in authenticate
    raise AuthenticationError(f"Zone {domain} is not deployed")
lexicon.exceptions.AuthenticationError: Zone mycompany.ovh is not deployed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 220, in _perform
    resolved_domain = self._resolve_domain(domain)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 261, in _resolve_domain
    raise result2  # pylint: disable=raising-bad-type
certbot.errors.PluginError: Unexpected error determining zone identifier for mycompany.ovh: Zone mycompany.ovh is not deployed

2023-11-06 17:42:49,494:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-06 17:42:49,494:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-06 17:42:49,526:DEBUG:filelock:Attempting to acquire lock 140084462342736 on /root/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-11-06 17:42:49,526:DEBUG:filelock:Lock 140084462342736 acquired on /root/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-11-06 17:42:49,527:DEBUG:filelock:Attempting to release lock 140084462342736 on /root/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-11-06 17:42:49,527:DEBUG:filelock:Lock 140084462342736 released on /root/.lexicon_tld_set/publicsuffix.org-tlds/de84b5ca2167d4c83e38fb162f2e8738.tldextract.json.lock
2023-11-06 17:42:49,564:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): eu.api.ovh.com:443
2023-11-06 17:42:49,586:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/auth/time HTTP/1.1" 200 10
2023-11-06 17:42:49,601:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/domain/zone/ HTTP/1.1" 200 None
2023-11-06 17:42:49,672:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/domain/zone/mycompany.ovh/status HTTP/1.1" 200 None
2023-11-06 17:42:49,672:DEBUG:certbot.plugins.dns_common_lexicon:Encountered error finding domain_id during deletion: Unexpected error determining zone identifier for mycompany.ovh: Zone mycompany.ovh is not deployed
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 250, in _resolve_domain
    with Client(self._build_lexicon_config(domain_name)):
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/client.py", line 151, in __enter__
    raise e
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/client.py", line 144, in __enter__
    provider.authenticate()
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/_private/providers/ovh.py", line 96, in authenticate
    raise AuthenticationError(f"Zone {domain} is not deployed")
lexicon.exceptions.AuthenticationError: Zone mycompany.ovh is not deployed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 220, in _perform
    resolved_domain = self._resolve_domain(domain)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 261, in _resolve_domain
    raise result2  # pylint: disable=raising-bad-type
certbot.errors.PluginError: Unexpected error determining zone identifier for mycompany.ovh: Zone mycompany.ovh is not deployed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 250, in _resolve_domain
    with Client(self._build_lexicon_config(domain_name)):
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/client.py", line 151, in __enter__
    raise e
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/client.py", line 144, in __enter__
    provider.authenticate()
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/_private/providers/ovh.py", line 96, in authenticate
    raise AuthenticationError(f"Zone {domain} is not deployed")
lexicon.exceptions.AuthenticationError: Zone mycompany.ovh is not deployed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 231, in _cleanup
    resolved_domain = self._resolve_domain(domain)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 261, in _resolve_domain
    raise result2  # pylint: disable=raising-bad-type
certbot.errors.PluginError: Unexpected error determining zone identifier for mycompany.ovh: Zone mycompany.ovh is not deployed
2023-11-06 17:42:49,673:ERROR:certbot._internal.renewal:Failed to renew certificate mycompany.ovh with error: Unexpected error determining zone identifier for mycompany.ovh: Zone mycompany.ovh is not deployed
2023-11-06 17:42:49,676:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 250, in _resolve_domain
    with Client(self._build_lexicon_config(domain_name)):
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/client.py", line 151, in __enter__
    raise e
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/client.py", line 144, in __enter__
    provider.authenticate()
  File "/snap/certbot-dns-ovh/current/lib/python3.8/site-packages/lexicon/_private/providers/ovh.py", line 96, in authenticate
    raise AuthenticationError(f"Zone {domain} is not deployed")
lexicon.exceptions.AuthenticationError: Zone mycompany.ovh is not deployed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 1550, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 220, in _perform
    resolved_domain = self._resolve_domain(domain)
  File "/var/lib/snapd/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 261, in _resolve_domain
    raise result2  # pylint: disable=raising-bad-type
certbot.errors.PluginError: Unexpected error determining zone identifier for mycompany.ovh: Zone mycompany.ovh is not deployed
[...]
certbot.errors.Error: 2 renew failure(s), 0 parse failure(s)
2023-11-06 17:42:51,440:ERROR:certbot._internal.log:2 renew failure(s), 0 parse failure(s)

## Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:
irrelevant for dns challenge

xZise commented Nov 8, 2023

I assume this might be an issue with OVH. I also get the same exception:

[...]
2023-11-08 18:24:09,988:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): eu.api.ovh.com:443
2023-11-08 18:24:10,128:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/auth/time HTTP/1.1" 200 10
2023-11-08 18:24:10,186:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/domain/zone/ HTTP/1.1" 200 12
2023-11-08 18:24:10,282:DEBUG:urllib3.connectionpool:https://eu.api.ovh.com:443 "GET /1.0/domain/zone/example.com/status HTTP/1.1" 200 None
2023-11-08 18:24:10,293:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/home/pi/.local/lib/python3.9/site-packages/certbot/plugins/dns_common_lexicon.py", line 250, in _resolve_domain
    with Client(self._build_lexicon_config(domain_name)):
  File "/home/pi/.local/lib/python3.9/site-packages/lexicon/client.py", line 168, in __enter__
    raise e
  File "/home/pi/.local/lib/python3.9/site-packages/lexicon/client.py", line 161, in __enter__
    provider.authenticate()
  File "/home/pi/.local/lib/python3.9/site-packages/lexicon/_private/providers/ovh.py", line 101, in authenticate
    raise AuthenticationError(f"Zone {domain} is not deployed")
lexicon.exceptions.AuthenticationError: Zone example.com is not deployed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/pi/.local/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/home/pi/.local/lib/python3.9/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/home/pi/.local/lib/python3.9/site-packages/certbot/plugins/dns_common_lexicon.py", line 220, in _perform
    resolved_domain = self._resolve_domain(domain)
  File "/home/pi/.local/lib/python3.9/site-packages/certbot/plugins/dns_common_lexicon.py", line 261, in _resolve_domain
    raise result2  # pylint: disable=raising-bad-type
certbot.errors.PluginError: Unexpected error determining zone identifier for example.com: Zone example.com is not deployed
[...]


xZise commented Nov 8, 2023

Just in case this is helpful, I've queried the URL /domain/zone/{zoneName}/status via OVH's API console and got the following JSON:

{
  "errors": [],
  "isDeployed": false,
  "warnings": [
    "zone [...] is a CNAME (illegal)",
    "zone [...] is a CNAME (illegal)"
  ]
}

I handled the warnings (which were visible in the UI but also present before I had the issue) and now it reports deployed as true. With that the plugin works again.

I don't know whether handling the warnings or doing anything in the zone changed the flag...
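The check described in this thread, as an added example that is not part of the original comments or of certbot/lexicon: it pulls the affected zones out of a certbot log and classifies a `/domain/zone/{zoneName}/status` response. The function names are hypothetical, the sample inputs are constructed from the lines quoted above, and it assumes, as observed in the thread, that renewal fails whenever `isDeployed` is false.

```python
import re
from dataclasses import dataclass, field

# Renewal failure line as it appears in the certbot log quoted in this issue.
FAILURE_RE = re.compile(
    r"ERROR:certbot\._internal\.renewal:Failed to renew certificate \S+ "
    r"with error: Unexpected error determining zone identifier for [^\s:]+: "
    r"Zone (?P<zone>\S+) is not deployed"
)


@dataclass
class ZoneAssessment:
    blocks_renewal: bool          # True if dns-ovh renewal is expected to fail
    cause: str                    # deployed / warnings-only / errors / unknown / ...
    details: list = field(default_factory=list)


def zones_blocked_in_log(log_text):
    """Return the sorted, de-duplicated zones reported as 'not deployed'."""
    return sorted({m.group("zone") for m in FAILURE_RE.finditer(log_text)})


def assess_zone_status(status):
    """Classify a parsed /domain/zone/{zoneName}/status response (a dict)."""
    deployed = status.get("isDeployed")
    errors = list(status.get("errors") or [])
    warnings = list(status.get("warnings") or [])
    if deployed is True:
        # Warnings may still be present; they do not block while deployed.
        return ZoneAssessment(False, "deployed", warnings)
    if deployed is not False:
        # Flag missing or not a boolean: fail closed so monitoring alerts.
        return ZoneAssessment(True, "unknown", errors + warnings)
    if errors:
        return ZoneAssessment(True, "errors", errors + warnings)
    if warnings:
        # The situation reported in this issue: no errors, only warnings.
        return ZoneAssessment(True, "warnings-only", warnings)
    return ZoneAssessment(True, "not-deployed-no-detail", [])


def triage(log_text, statuses):
    """Map each zone that failed in the log to an assessment of its status."""
    report = {}
    for zone in zones_blocked_in_log(log_text):
        status = statuses.get(zone)
        if status is None:
            report[zone] = ZoneAssessment(True, "unknown", [])
        else:
            report[zone] = assess_zone_status(status)
    return report


# Constructed sample input, modelled on the log and JSON quoted in this thread.
SAMPLE_LOG = (
    "2023-11-06 17:42:49,494:INFO:certbot._internal.auth_handler:Cleaning up challenges\n"
    "2023-11-06 17:42:49,673:ERROR:certbot._internal.renewal:Failed to renew "
    "certificate mycompany.ovh with error: Unexpected error determining zone "
    "identifier for mycompany.ovh: Zone mycompany.ovh is not deployed\n"
    "2023-11-06 17:42:51,440:ERROR:certbot._internal.log:2 renew failure(s), "
    "0 parse failure(s)\n"
)
SAMPLE_STATUS = {
    "errors": [],
    "isDeployed": False,
    "warnings": ["zone [...] is a CNAME (illegal)", "zone [...] is a CNAME (illegal)"],
}

if __name__ == "__main__":
    for zone, result in triage(SAMPLE_LOG, {"mycompany.ovh": SAMPLE_STATUS}).items():
        print(zone, result.cause, result.details)
```
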

dleborgne changed the title from "Unexpected error determining zone identifier for mycompany.ovh: Zone mycompany.ovh is not deployed" to "certbot-dns-ovh fails with "Unexpected error determining zone identifier" when zone has a warning" on Nov 8, 2023

dleborgne commented Nov 8, 2023

Nice catch @xZise! Fixing the zone warnings returned by /domain/zone/{zoneName}/status allowed the renewal of the certificate using certbot-dns-ovh.

@e-gaulue

This issue title is good and true. And according to me it's a problem.

I have always had warnings on my zone since I added an SRV record that points to a server DNS name on my LAN. Example: the xmpp service for mycompany.fr points to xmpp.mycompany.lan. As OVH has no clue of the .lan zone, it considers this record as wrong, but it works really well. All my internal xmpp clients (Thunderbird) redirect my users whose email addresses end with @mycompany.fr to the right internal server.

I should set an internal DNS proxy server to handle it right, but the one embedded in my router is just a kind of dnsmasq and it doesn't allow SRV records. Reason why I ended with this solution, that works well.

But doing this I lose the renewal by certbot-dns-ovh. I looked at the code and didn't see any option to bypass this "is deployed" test. Would be great for me and maybe more.

Regards,

@kornflex

Hello,

Same error for me. Same log files too...

Nothing to fix this?

Thank you


charliebritton commented Nov 22, 2023

Also had the same issue. Deleting the record giving me a warning fixed the problem but now I don't have gmail verification on that domain which is annoying.

I think this would be better fixed upstream in the dns-lexicon package, as handling it here would seem a bit workaroundy as there's not enough detail returned in the error message to see if it's just the warning causing the issue?

Somebody has already made an issue in the lexicon repository here so hopefully it gets fixed upstream and we won't have an issue.

Seems OVH made some changes to their API
