Bumped certbot-dns-freedns version to 0.2.0
bumped certbot-dns-freedns to 0.2.0 https://pypi.org/project/certbot-dns-freedns/0.2.0/
Fix problems creating the _acme TXT entry if you are not a paid subscriber; see issue: https://github.com/schleuss/certbot_dns_freedns/issues/1
With the current version, the challenge fails and you get an error like this. This fixes #2352
2024-05-13 20:37:35,988:ERROR:certbot._internal.error_handler:Encountered exception during recovery: AttributeError: 'NoneType' object has no attribute 'get'
2024-05-13 20:37:35,990:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/certbot/bin/certbot", line 8, in <module>
sys.exit(main())
^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
resps = self.auth.perform(achalls)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/plugins/dns_common.py", line 76, in perform
self._perform(domain, validation_domain_name, validation)
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_freedns/dns_freedns.py", line 56, in _perform
self._get_freedns_client().add_txt_record(
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_freedns/dns_freedns.py", line 115, in add_txt_record
record = self.get_existing_txt(zone_id, record_name, record_content)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_freedns/dns_freedns.py", line 191, in get_existing_txt
zone_data = self._load_domain_data(zone_id, record_name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_freedns/dns_freedns.py", line 268, in _load_domain_data
full_data = self._load_txt_record(domain_id, freedns_record_id, freedns_record_type)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_freedns/dns_freedns.py", line 286, in _load_txt_record
input_ttl = soup.find("input", recursive=True, attrs={"name": "ttl"}).get("value")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get'
2024-05-13 20:37:35,994:ERROR:certbot._internal.log:An unexpected error occurred:
2024-05-13 20:37:35,995:ERROR:certbot._internal.log:AttributeError: 'NoneType' object has no attribute 'get'
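The last frame of the traceback above shows the crash: the plugin calls `.get("value")` directly on the result of `soup.find(...)`, so when the FreeDNS edit page has no `ttl` input (which the issue says is the case for non-paid accounts) the lookup returns `None` and the whole run dies. The added example below is not the plugin's code; it uses the standard-library `html.parser` instead of BeautifulSoup, and the two HTML pages, the `acme-delegate` names and the `DEFAULT_TTL` fallback are constructed assumptions. It shows the fragile pattern beside a version that treats a missing or malformed field as "use the default" rather than as a fatal error.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Assumed fallback when the form has no TTL field; the plugin's own default is not on the page.
DEFAULT_TTL = 3600

# Constructed sample pages. The real FreeDNS edit page is not reproduced here; only the
# presence/absence of an <input name="ttl"> matters for the failure mode under discussion.
PAID_PAGE = """
<form action="/subdomain/save.php" method="post">
  <input type="text" name="address" value="v=spf1 -all">
  <input type="text" name="ttl" value="300">
  <input type="submit" value="Save!">
</form>
"""
FREE_PAGE = """
<form action="/subdomain/save.php" method="post">
  <input type="text" name="address" value="v=spf1 -all">
  <input type="submit" value="Save!">
</form>
"""


class _InputCollector(HTMLParser):
    """Collects the attributes of every <input> tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def find_input(html: str, name: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the attribute dict of the first <input name=...> or None, like soup.find()."""
    parser = _InputCollector()
    parser.feed(html)
    for attrs in parser.inputs:
        if attrs.get("name") == name:
            return attrs
    return None


def ttl_fragile(html: str) -> str:
    # Mirrors the pattern in the traceback: the None case is never considered,
    # so a free-account page raises here (TypeError with a dict, AttributeError with bs4).
    return find_input(html, "ttl")["value"]


def ttl_robust(html: str, default: int = DEFAULT_TTL) -> int:
    """Parse the TTL field if present and numeric, otherwise fall back to a default."""
    field = find_input(html, "ttl")
    if field is None:
        return default
    value = (field.get("value") or "").strip()
    try:
        return int(value)
    except ValueError:
        return default


def fragile_raises(html: str) -> bool:
    """True if the unguarded lookup crashes on this page (used to demonstrate the bug)."""
    try:
        ttl_fragile(html)
    except (TypeError, AttributeError):
        return True
    return False


if __name__ == "__main__":
    print("paid page TTL:", ttl_robust(PAID_PAGE))
    print("free page TTL:", ttl_robust(FREE_PAGE))
    print("unguarded lookup crashes on free page:", fragile_raises(FREE_PAGE))
```

The design point is that a scraper which drives a third-party web form should treat every optional field as optional at the call site; a missing TTL should at worst produce a warning and a default, never abort the ACME challenge after the order has already been created.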
Tested and working: this fixes the TTL issue, but people still have to install zope.
I'll merge this when zope is available in the base image
> I'll merge this when zope is available in the base image
Hi, thanks for taking the time to look at this PR. That makes sense for zope; is there any timeline available for this? I see an old PR dating back to 2023 regarding this, but there's no discussion around it or why it wasn't accepted. Ex. PR #2756
Thanks, have a good day!
Honestly, it dropped off my radar. I guess I wasn't sure the solution in #2756 was correct, or I didn't understand the Python ecosystem enough. It was another contributor who implemented all the DNS plugin stuff way back when.
@arsenicks can you please test again with jc21/nginx-proxy-manager:github-pr-3750 - it should 'just work'
> @arsenicks can you please test again with jc21/nginx-proxy-manager:github-pr-3750 - it should 'just work'
I've been trying for an hour and can't figure out why it doesn't work. Tried with my normal subdomain, didn't work; created a new one, without luck. I'm tired as hell, I'll retry after some sleep. I'm not sure if I'm doing something wrong, because it should work; the only thing I did with my working install was this:
FROM jc21/nginx-proxy-manager
RUN pip install --no-cache-dir zope certbot-dns-freedns==0.2.0
and when I look into the container those two deps are indeed installed:
[root@docker-bb7f8c5527f3:/app]# pip show certbot-dns-freedns zope |grep -i Version
Version: 0.2.0
Version: 5.10
So, maybe the error is on my end, I'll retry tomorrow. Are there any other changes than the zope dependency and the certbot-dns-freedns version bump to 0.2.0 included in this image vs. the latest "normal" image?
The process goes through and the debug output says it's creating _acme-challenge.subdomain.domain.org, no error, but when the plugin says DEBUG:certbot._internal.display.obj:Notifying user: Waiting 120 seconds for DNS changes to propagate
I see no subdomain created. I tried without an existing TXT record and with an existing empty one, same result. The verification fails.
The crash happens when it tries to clean up the TXT entry. Here's the error I get right now; it's not related to the TTL feature, so it's good news! (This is a brand new subdomain I created to test.)
2024-05-24 00:01:13,374:DEBUG:certbot_dns_freedns.dns_freedns:domain found: mooo.com with id: 29
2024-05-24 00:01:13,374:DEBUG:certbot_dns_freedns.dns_freedns:using record_name: _acme-challenge.vavache from original: _acme-challenge.vavache.mooo.com
2024-05-24 00:01:14,045:DEBUG:urllib3.connectionpool:https://freedns.afraid.org:443 "POST /subdomain/?limit=29 HTTP/1.1" 200 None
2024-05-24 00:01:14,306:DEBUG:urllib3.connectionpool:https://freedns.afraid.org:443 "GET /subdomain/edit.php?data_id=22827602 HTTP/1.1" 200 None
2024-05-24 00:01:14,334:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/certbot/bin/certbot", line 8, in <module>
sys.exit(main())
^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-05-24 00:01:14,338:ERROR:certbot._internal.log:Some challenges have failed.
Yes I agree something is wrong with the certbot plugin or freedns. When I request a cert, waiting for 15 mins, I see that no TXT record has been created despite seeing a successful API call to freedns.
Well, yeah, I remember I had a problem similar to this with the "original" NPM image before adding zope and bumping the freedns version, but I can't find my old log to see if it was simply the TTL error or anything else.
I'm trying to debug what's wrong; I'm not sure what's the best way of running python/certbot in debug/verbose mode.
Well, I cranked the propagation time to 600s, added the TXT entry by hand and the challenge worked, and the _acme TXT entry got deleted correctly. So there's something not working as expected on the creation of the TXT entry.
Oddly enough, when I renew using my "normal" NPM image with zope and the latest freedns certbot version it still works without doing anything.
Can you tell me if the certbot-dns-freedns package in your "normal" NPM image is a different version to v0.1.0? Also let me know what the certbot --version is.
And it looks like there's v0.2.0 of the plugin, only a month old. I've tried it out with the github-bump-freedns image tag but it's not working either.
I just had a flash: I might have done the same thing (creating the TXT by hand) with my "normal" domain while debugging the TTL issue a week ago... Is it possible that when renewing a certificate, the ACME challenge is not redone, or it doesn't have to create the TXT record every time? If so, that probably never worked, even with the image I thought was working. I don't know if my explanation is clear enough.
> Can you tell me if the certbot-dns-freedns package in your "normal" NPM image is a different version to v0.1.0? Also let me know what the certbot --version is.
Sure,
[root@docker-c123427f2943:/app]# pip show certbot-dns-freedns |grep -i version
Version: 0.1.0
[root@docker-c123427f2943:/app]# pip show zope |grep -i version
Version: 5.9
[root@docker-c123427f2943:/app]# certbot --version
certbot 2.10.0
Here's the docker-compose I use to build the image I use normally. It was made that way to fix two things: the missing zope and installing certbot-dns-freedns==0.2.0. So that's pretty much what we have in the jc21/nginx-proxy-manager:github-pr-3750 image.
nginx-proxy-manager:
  # image: 'jc21/nginx-proxy-manager:latest'
  container_name: nginx-proxy-manager
  build:
    context: fix-npm-image/
    dockerfile: DockerfileFixNPM
  restart: unless-stopped
  ports:
    - '445:443' # Public HTTPS Port
    - '443:443' # Public HTTPS Port
    - '8881:81' # Admin Web Port
  environment:
    - PUID=1000
    - PGID=1000
    - TZ=America/Toronto # timezone
  volumes:
    - ${HOME}/.config/nginxproxymanager:/data
    - ${HOME}/.config/swag-letsencrypt:/ssl-cert
    - /nfsblaw/nginxproxymanager-letsencrypt:/etc/letsencrypt
The content of the Dockerfile fix-npm-image/DockerfileFixNPM:
FROM jc21/nginx-proxy-manager
RUN pip install --no-cache-dir zope certbot-dns-freedns==0.2.0
> And it looks like there's v0.2.0 of the plugin, only a month old.
That's what my image is using, and that was the purpose of this specific PR: to bump the version of certbot-dns-freedns to 0.2.0! :) But 0.2.0 or 0.1.0 does need zope, so we're on the right track.
I must test it with my "modified" image and a new domain to validate whether it does work, or whether I was under the impression it worked because the renewal process is different and I had created the TXT by hand at that time too. It does make sense, because the image I build on my side adds zope and the certbot-dns-freedns plugin version 0.2.0, just like we do in this PR image. I'll try to test it later tonight and get back.
Thanks again for your help!
Just a small update on this issue. I was finally able to take some time and debug the output; I get an error message "The security code was incorrect, please try again.". I sent an email to the afraid.org admin to see if we are supposed to be able to automatically update a subdomain created using a public domain, because nothing in the FAQ states this, but I saw a few places in an acme shell script where this was stated.
So I'll update you on the outcome of this, but there's clearly bad error handling in the certbot-dns-freedns package.
Never got a reply to my last two emails. I'll try to ask again.
CI Error:
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
certbot-node: Pulling from nginxproxymanager/nginx-full
Digest: sha256:eaa2ebcb50dd87557c9a8f95a3230128d94cac1ea17800261c036e59378e7d49
Status: Image is up to date for nginxproxymanager/nginx-full:certbot-node
docker.io/nginxproxymanager/nginx-full:certbot-node
❯ Building Frontend ...
yarn install v1.22.22
[1/4] Resolving packages...
[2/4] Fetching packages...
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
error Command failed.
Exit code: 128
Command: git
Arguments: clone https://github.com/tabler/tabler.git /usr/local/share/.cache/yarn/v6/.tmp/e11a93799a52aa978c82015e29fbe309
Directory: /app/frontend
Output:
Cloning into '/usr/local/share/.cache/yarn/v6/.tmp/e11a93799a52aa978c82015e29fbe309'...
error: RPC failed; curl 92 HTTP/2 stream 5 was not closed cleanly: CANCEL (err 8)
error: 5572 bytes of body are still expected
fetch-pack: unexpected disconnect while reading sideband packet
fatal: early EOF
fatal: fetch-pack: invalid index-pack output
Hey guys anything on this? Love all your work thank you so much for this!
> Hey guys anything on this? Love all your work thank you so much for this!
Nope, I exchanged a few emails with freedns support regarding the security code and they stopped responding, so I had to find another way. I used a workaround: a CNAME pointing to another domain I own, updated via the Cloudflare DNS plugin. It works.
Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone. It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server.
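To make the delegation mechanism described in that quote concrete, here is an added example (not code from the thread, Let's Encrypt or any plugin) that models how a validating resolver follows a CNAME from `_acme-challenge.<domain>` into another zone before reading the TXT value. The zone data is constructed: `mooo.com` and the `_acme-challenge.vavache` label appear in the logs above, while `acme-delegate.example`, the token value and the loop records are assumptions. It also handles the two failure modes a delegation setup runs into: a CNAME chain that never reaches a TXT record, and a CNAME loop.

```python
from typing import Dict, List, Tuple

# Constructed zone data keyed by fully-qualified owner name; each value is a list of (type, rdata).
ZONES: Dict[str, List[Tuple[str, str]]] = {
    # The zone at the DNS provider that is slow or awkward to update: it carries only a CNAME.
    "_acme-challenge.vavache.mooo.com.": [
        ("CNAME", "_acme-challenge.vavache.acme-delegate.example."),
    ],
    # The delegated-to zone where the DNS plugin actually writes the challenge token.
    "_acme-challenge.vavache.acme-delegate.example.": [
        ("TXT", "constructed-key-authorization-digest"),
    ],
    # A delegation that points somewhere with no TXT (misconfiguration case).
    "_acme-challenge.dangling.mooo.com.": [("CNAME", "nowhere.acme-delegate.example.")],
    # Two names pointing at each other (loop case).
    "loop-a.example.": [("CNAME", "loop-b.example.")],
    "loop-b.example.": [("CNAME", "loop-a.example.")],
}


def lookup_txt(name: str, zones: Dict[str, List[Tuple[str, str]]] = ZONES,
               max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Return (txt_values, chain) for a name, following CNAMEs the way a resolver does.

    `chain` lists every owner name visited, which is useful when debugging why a
    challenge fails: it shows exactly which zone the CA ended up querying.
    """
    chain = [name]
    for _ in range(max_hops):
        rrset = zones.get(name, [])
        txt = [rdata for rtype, rdata in rrset if rtype == "TXT"]
        if txt:
            return txt, chain
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return [], chain           # chain ends without a TXT record
        name = cnames[0]               # a name may carry at most one CNAME
        if name in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
        chain.append(name)
    raise ValueError("CNAME chain exceeds %d hops" % max_hops)


def dns01_validates(domain: str, expected: str,
                    zones: Dict[str, List[Tuple[str, str]]] = ZONES) -> bool:
    """Model of the DNS-01 check: is `expected` among the TXT values found for _acme-challenge.<domain>?"""
    values, _ = lookup_txt("_acme-challenge.%s." % domain, zones)
    return expected in values


def detects_loop(name: str, zones: Dict[str, List[Tuple[str, str]]] = ZONES) -> bool:
    """True if looking up `name` is rejected because of a CNAME loop."""
    try:
        lookup_txt(name, zones)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    values, chain = lookup_txt("_acme-challenge.vavache.mooo.com.")
    print("chain:", " -> ".join(chain))
    print("TXT values:", values)
    print("validates:", dns01_validates("vavache.mooo.com", "constructed-key-authorization-digest"))
```

The practical consequence for the setup in this thread: once `_acme-challenge.vavache.mooo.com` is a CNAME, the FreeDNS plugin is no longer involved at all; the token must be written to the delegated-to zone by that zone's plugin, and the CNAME itself should be created once and left in place.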
Thank you so much!