Tim's blah blah blah

Setting up Letsencrypt certbot for Gandi

Once in a while certbot fails me, so I decided to dig a bit deeper and set up a more robust renewal mechanism. This time it turned out to be an incorrect Gandi API key.

Starting setup

Today certbot broke again:

tim@proteus:~$ sudo certbot --dry-run renew
Plugin legacy name certbot-plugin-gandi:dns may be removed in a future version. Please use dns instead.
Unable to find or delete the DNS TXT record: Unable to get base domain for "vanwerkhoven.org"
Unable to find or delete the DNS TXT record: Unable to get base domain for "vanwerkhoven.org"
Failed to renew certificate vanwerkhoven.org with error: An error occurred adding the DNS TXT record: Unable to get base domain for "vanwerkhoven.org"
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/vanwerkhoven.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

I have these packages installed:

tim@proteus:~$ dpkg -l | grep "certbot\|letsencrypt"
ii  certbot                              1.12.0-2                       all          automatically configure HTTPS using Let's Encrypt
ii  python3-certbot                      1.12.0-2                       all          main library for certbot
ii  python3-certbot-dns-gandi            1.2.5-3                        all          Gandi LiveDNS plugin for Certbot
ii  python3-certbot-nginx                1.10.1-1                       all          Nginx plugin for Certbot

And this config:

tim@proteus:~$ cat /etc/letsencrypt/renewal/vanwerkhoven.org.conf 
# renew_before_expiry = 30 days
version = 1.12.0
archive_dir = /etc/letsencrypt/archive/vanwerkhoven.org
cert = /etc/letsencrypt/live/vanwerkhoven.org/cert.pem
privkey = /etc/letsencrypt/live/vanwerkhoven.org/privkey.pem
chain = /etc/letsencrypt/live/vanwerkhoven.org/chain.pem
fullchain = /etc/letsencrypt/live/vanwerkhoven.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = <key>
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = certbot-plugin-gandi:dns
certbot_plugin_gandi:dns_credentials = /etc/letsencrypt/gandi.ini
tim@proteus:~$ sudo cat /etc/letsencrypt/gandi.ini 
 # live dns v5 api key
certbot_plugin_gandi:dns_api_key=<key>

# optional organization id, remove it if not used
#certbot_plugin_gandi:dns_sharing_id=SHARINGID

And this crontab:

tim@proteus:~$ sudo cat /etc/cron.d/certbot  | grep -v ^#
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Fixing

Plugin legacy name

Change “certbot-plugin-gandi:dns” to “dns” in the config files /etc/letsencrypt/renewal/domain.tld.conf (vanwerkhoven.org.conf above) and /etc/letsencrypt/gandi.ini, as the deprecation warning asks.

Unable to find or delete the DNS TXT record

Fixed by updating the API key for Gandi livedns. I have two programs using this key, and forgot to update certbot when I renewed the API key.

Clue was here: https://github.com/obynio/certbot-plugin-gandi/issues/11

And in the log file, which shows a 403 Forbidden from the Gandi API when certbot tries to look up the domain:

sudo less /var/log/letsencrypt/letsencrypt.log

2024-03-29 11:54:01,778:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2024-03-29 11:54:01,873:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/org HTTP/1.1" 403 112
2024-03-29 11:54:01,874:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "vanwerkhoven.org"
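As an added example (not part of the original post, nor the plugin's own code), a small Python script that reproduces the two diagnoses above offline: it flags the legacy plugin name in the renewal config and picks the 403 from dns.api.gandi.net out of the certbot log. The sample config and log lines are constructed from the snippets in this post.

```python
import re

# Constructed sample input: the failing renewal config and log lines from this post.
RENEWAL_CONF = """\
[renewalparams]
authenticator = certbot-plugin-gandi:dns
certbot_plugin_gandi:dns_credentials = /etc/letsencrypt/gandi.ini
"""
LETSENCRYPT_LOG = """\
2024-03-29 11:54:01,778:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2024-03-29 11:54:01,873:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/org HTTP/1.1" 403 112
2024-03-29 11:54:01,874:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "vanwerkhoven.org"
"""

# Both spellings of the legacy plugin name certbot warns about (hyphens in the
# plugin name, underscores in the option keys).
LEGACY_NAMES = ("certbot-plugin-gandi:dns", "certbot_plugin_gandi:dns")
# urllib3 debug lines look like: <url> "<METHOD> <path> HTTP/1.1" <status> <length>
REQUEST_RE = re.compile(r'(https://\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')

def legacy_plugin_names(conf_text):
    """Return (key, value) pairs that still use the legacy plugin name."""
    hits = []
    for line in conf_text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        if any(n in key or n in value for n in LEGACY_NAMES):
            hits.append((key.strip(), value.strip()))
    return hits

def failed_gandi_requests(log_text):
    """Return (method, path, status) for every Gandi API call that failed (status >= 400)."""
    failures = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and "dns.api.gandi.net" in m.group(1) and int(m.group(4)) >= 400:
            failures.append((m.group(2), m.group(3), int(m.group(4))))
    return failures

def diagnose(conf_text, log_text):
    """Map the findings onto the two fixes described in the post (401 added as an assumption)."""
    problems = []
    if legacy_plugin_names(conf_text):
        problems.append("legacy plugin name in config: replace certbot-plugin-gandi:dns with dns")
    for method, path, status in failed_gandi_requests(log_text):
        hint = "check the LiveDNS API key" if status in (401, 403) else "see Gandi API docs"
        problems.append(f"Gandi API {method} {path} returned {status}: {hint}")
    return problems
```

To run it against a real setup, read /etc/letsencrypt/renewal/<domain>.conf and /var/log/letsencrypt/letsencrypt.log and pass their contents to diagnose().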

#Debian #Gandi #Nginx #Server