
infinityofspace / certbot_dns_porkbun

Plugin for certbot to obtain certificates using a DNS TXT record for Porkbun domains

License: MIT License

Python 78.62% Dockerfile 10.60% Shell 10.78%
certbot certbot-dns-plugin porkbun dns-01-challange

certbot_dns_porkbun's Introduction

About me

I studied machine learning and intelligent systems. Moreover, I am a big fan of open source, python and self-hosting.

Skills

  • languages: Python 3, Java, C/C#/C++, HTML, JavaScript, Assembly, SQL, Haskell
  • frameworks: PyTorch, TensorFlow, scikit-learn, Matplotlib, NumPy, pandas, OpenCV, DGL, flask, nginx, Android, Spring, JPA
  • tools and utilities: git, linux, docker, snap, Blender, Unity

Projects

You can find some of my project highlights with a summary here.

certbot_dns_porkbun's People

Contributors

alexzorin, chaptergy, dependabot[bot], indexofnull, infinityofspace, nemchik

certbot_dns_porkbun's Issues

TXT records have TTL of 600 although the min value is 300

A new TXT record always has a TTL of 600 instead of the min allowed 300. So any quick retries might fail if the old TXT is still not fully deleted on the propagated DNS servers. We should always use the shortest TTL for the TXT record to allow quicker cert generation and retries.

DNS CNAME Delegation Bug

Describe the bug
When you try to renew a domain name, it fails due to commit 6003a6f which added DNS challenge delegation. This happens because the function expects there to be one and if there isn't, it throws a plugin error and causes the challenge to fail as it either never makes the txt challenge record or it causes the propagation time to be reduced to 0 (as the dns challenge after the error immediately checks for the record and fails).

To Reproduce

  1. Install certbot 1.12.0(-2) (Version 1.12.0 is the version I have installed, I use debian so the exact version for debian is 1.12.0-2)
  2. Install certbot_dns_porkbun via pip by following https://pypi.org/project/certbot-dns-porkbun/
  3. Run this command with the relevant information substituted
    certbot --authenticator=dns-porkbun --dns-porkbun-credentials /path/to/porkbun/dns/api/credentials.ini -d domain.test -d "*.domain.test"

Expected behavior
If the plugin cannot find any acme-challenge delegate dns records, don't raise an exception and just let it continue and make a record for the domain you supplied.
The command should work, renew the certificate, create the txt record, wait for propagation seconds, then check for the record, then you get the cert.

Certbot command
certbot --authenticator=dns-porkbun --dns-porkbun-credentials /path/to/porkbun/dns/api/credentials.ini -d domain.test -d "*.domain.test"

Versions (please complete the following version information):

  • certbot: 1.12.0
  • certbot_dns_porkbun: 0.3

Error message
dns.resolver.NXDOMAIN: The DNS query name does not exist: _acme-challenge.domain.test.

Fix
I was able to fix this by replacing line 123 with
    return resolver.resolve(f"{domain}", 'A').canonical_name.to_text().rstrip('.')
and line 132 with
    return resolver.resolve(f"{domain}", "AAAA").canonical_name.to_text().rstrip('.')
(i.e. removing the {ACME_TXT_PREFIX}. part of both)

Add a snap build of the plugin

certbot can be installed using snap, in this case any plugin installed using pip will not be loaded. A snap build of the plugin solves this problem.

Credentials argument is unrecognized

Describe the bug
Running the certbot with dns-porkbun as authenticator and passing in API keys via --dns-porkbun-credentials results in the error.

To Reproduce

  1. Install certbot and certbot-dns-porkbun
  2. Create a credentials file at /etc/letsencrypt/credentials/app-credentials.ini with the content:
    dns_porkbun_key=<your-key>
    dns_porkbun_secret=<your-key>
  3. Run the following command:
    sudo certbot certonly --non-interactive --agree-tos --email "[email protected]" --preferred-challenges dns --authenticator dns-porkbun --dns-porkbun-credentials "/etc/letsencrypt/credentials/app-credentials.ini" --dns-porkbun-propagation-seconds 60 -d "*.<domain>.<tld>" -d "<domain>.<tld>"

Expected behavior
Expected it to run without errors.

Versions (please complete the following version information):

  • certbot: 2.7.1
  • certbot_dns_porkbun: 0.8

Error message
certbot: error: unrecognized arguments: --dns-porkbun-credentials /etc/letsencrypt/credentials/app-credentials.ini

Additional context
dns-porkbun does show up when I run sudo certbot plugins. Any help would be greatly appreciated!

PluginEntryPoint#dns-porkbun does not provide IPluginFactory, skipping

Describe the bug
I am unable to use dns-porkbun as an authenticator due to the error in the title

PluginEntryPoint#dns-porkbun does not provide IPluginFactory, skipping
PluginEntryPoint#certbot-dns-porkbun:dns-porkbun does not provide IPluginFactory, skipping

To Reproduce

  1. Get a machine with debian 11 installed (preferably fresh)
  2. Install Certbot: nala install certbot (or apt, but nala is better imo)
  3. Install the certbot plugin: pip3 install certbot_dns_porkbun
  4. Run the Certbot command detailed below

Expected behavior
When I run the command it should add a dns record, have certbot validate it, delete it and give me the certs.

Certbot command
certbot certonly --non-interactive --agree-tos --email **********@******.com --preferred-challenges dns --authenticator dns-porkbun --dns-porkbun-credentials /path/to/credentials/domain.extension.ini --dns-porkbun-propagation-seconds 60 -d "domain.extension" -d "*.domain.extension"

Versions (please complete the following version information):

  • certbot: 1.12.0
  • certbot_dns_porkbun: 0.5.1

Error message

PluginEntryPoint#dns-porkbun does not provide IPluginFactory, skipping
PluginEntryPoint#certbot-dns-porkbun:dns-porkbun does not provide IPluginFactory, skipping
PluginEntryPoint#dns-porkbun does not provide IPluginFactory, skipping
PluginEntryPoint#certbot-dns-porkbun:dns-porkbun does not provide IPluginFactory, skipping
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --dns-porkbun-credentials /path/to/credentials/domain.extension.ini --dns-porkbun-propagation-seconds 60


Unable to issue / renew cert anymore

I'm hoping this isn't a "me" problem but no matter what I do I am unable to get wildcard to work via porkbun dns / certbot.

It did work but now I get the error:

2021-05-23 14:24:23,496:DEBUG:urllib3.connectionpool:https://porkbun.com:443 "POST /api/json/v3/dns/create/co.uk HTTP/1.1" 400 None
2021-05-23 14:24:23,499:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/certbot_dns_porkbun/cert/client.py", line 87, in _perform
self.record_ids[validation] = self._get_porkbun_client().dns_create(root_domain, "TXT", validation,
File "/usr/local/lib/python3.9/dist-packages/pkb_client/client.py", line 115, in dns_create
raise Exception("ERROR: DNS create api call was not successfully\n"
Exception: ERROR: DNS create api call was not successfully
Status code: 400
Message: Invalid domain.

I have checked and checked but I can not work out what's wrong.

Cannot use for domain that uses ALIAS record

Describe the bug
Attempting to update/renew certificate on a domain that uses an ALIAS record fails, because it attempts to update the resolved ALIAS domain instead of the domain requested

To Reproduce

  1. Set an ALIAS record for a root domain, instead of an A/AAAA record
  2. Attempt to create/renew certificate for that domain

Expected behavior
Certificate renewal is successful

Certbot command
certbot certonly -v --test-cert --server https://acme-staging-v02.api.letsencrypt.org/directory --authenticator dns-porkbun --dns-porkbun-credentials /etc/letsencrypt/porkbun/porkbun.ini --cert-name test -d example.com

Versions (please complete the following version information):

  • certbot: 2.4.0
  • certbot_dns_porkbun: 0.8

Error message

2024-01-01 15:29:04,837:DEBUG:urllib3.connectionpool:https://porkbun.com:443 "POST /api/json/v3/dns/create/dyndns.org HTTP/1.1" 400 None
2024-01-01 15:29:04,843:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/certbot_dns_porkbun/cert/client.py", line 109, in _perform
    self.record_ids[validation] = self._get_porkbun_client().dns_create(self._root_domain,
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/venv/lib/python3.11/site-packages/pkb_client/client.py", line 119, in dns_create
    raise Exception("ERROR: DNS create api call was not successfully\n"
Exception: ERROR: DNS create api call was not successfully
Status code: 400
Message: Invalid domain.

Note trying to request a cert for "dyndns.org" (the root of the domain that my domain is pointing at with an ALIAS record) and not my domain
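
The CNAME delegation report further up and this ALIAS report both come down to which DNS name the TXT record is written to. The following is an added example, not code from certbot_dns_porkbun: it treats only a CNAME on _acme-challenge.<domain> as delegation, falls back to the requested name when that lookup finds nothing, and returns no zone for names outside the account. The lookup callable, NoSuchName, the zone list and the sample records are assumptions constructed for the example.

```python
ACME_TXT_PREFIX = "_acme-challenge"
MAX_CNAME_HOPS = 8  # assumption: arbitrary guard against long or looping chains


class NoSuchName(Exception):
    """Hypothetical stand-in for a resolver's NXDOMAIN / no-answer error."""


def make_lookup(cnames):
    """Build a CNAME lookup over a constructed {name: target} table."""
    def lookup(name):
        if name not in cnames:
            raise NoSuchName(name)
        return cnames[name]
    return lookup


def challenge_record_name(domain, lookup_cname):
    """Return the DNS name where the dns-01 TXT record has to be created."""
    base = domain.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]  # a wildcard is validated at the parent name
    name = f"{ACME_TXT_PREFIX}.{base}"
    seen = {name}
    for _ in range(MAX_CNAME_HOPS):
        try:
            # Only a CNAME on the challenge name is delegation; A, AAAA and
            # ALIAS records of the domain itself are never consulted.
            target = lookup_cname(name).lower().rstrip(".")
        except NoSuchName:
            return name  # no delegation is the normal case, not an error
        if target in seen:
            raise ValueError(f"CNAME loop at {target}")
        seen.add(target)
        name = target
    raise ValueError("CNAME chain too long")


def zone_for(record_name, managed_zones):
    """Longest managed zone containing record_name, or None if there is none."""
    hits = [z for z in managed_zones
            if record_name == z or record_name.endswith("." + z)]
    return max(hits, key=len, default=None)


# Constructed sample data: one delegated name and the zones the API key controls.
CNAMES = {"_acme-challenge.delegated.test": "_acme-challenge.validation.test."}
MANAGED_ZONES = ["domain.test", "validation.test"]
LOOKUP = make_lookup(CNAMES)
```

A None result from zone_for is the point at which to stop with a clear error, before any create call is sent for a zone the API key does not control.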

Release that supports certbot 2.x?

This is not a bug report.

I notice the master branch has updated dependencies in requirements.txt to support newer versions of certbot. The latest release available is locked at certbot>=1.18.0,<2.0

Is there any way a new release that supports certbot 2.x could be pushed?

Delete DNS Api Failed

Describe the bug
The acme_challenge records do not get removed once validated.

To Reproduce
Unknown... I have both wildcard and root domains on 1 line with extra -d options????

Expected behavior
The porkbun api doesn't seem to be cleanly handling the delete dns records... unsure why

Certbot command
Docker Compose File

services:
  porkbun-root:
   image: infinityofspace/certbot_dns_porkbun
   platform: linux/arm64/v8
   hostname: cerbot-porkbun-root
   restart: unless-stopped
   volumes:
     - "/storage/docker/certbot/etc/letsencrypt:/etc/letsencrypt"
     - "/storage/docker/certbot/var/lib/letsencrypt:/var/lib/letsencrypt"
     - "/storage/docker/temp-root:/var/log"
     - "/storage/docker/certbot/porkbun/credentials.json:/tmp/credentials.json"
   command: certonly -v --non-interactive --agree-tos --email [email protected] --preferred-challenges dns --authenticator dns-porkbun  --dns-porkbun-credentials /tmp/credentials.json --dns-porkbun-propagation-seconds 600 -d root.xyz -d root.ca -d root.dev -d root.download -d "*.root.xyz"  -d "*.root.ca" -d "*.root.dev" -d "*.root.download"

Versions (please complete the following version information):

  • certbot: 2.4.0
  • certbot_dns_porkbun: docker: infinityofspace/certbot_dns_porkbun:latest Platform linux/arm64/v8 (sha256:9a65965e4a72d37cf2c99740291e46a579f4b91f1b31188b93f2e94354883a2c)

Error message

2024-03-30 21:59:56,369:DEBUG:certbot._internal.error_handler:Encountered signals: [15]
2024-03-30 21:59:56,370:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-03-30 21:59:56,370:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-03-30 21:59:56,976:ERROR:certbot._internal.error_handler:Encountered exception during recovery: certbot.errors.PluginError: ERROR: DNS delete api call was not successfully
2024-03-30 21:59:56,977:DEBUG:certbot._internal.error_handler:Calling signal 15
2024-03-30 21:59:56,977:DEBUG:certbot._internal.log:Exiting abnormally:
2024-03-30 21:59:56,981:ERROR:certbot._internal.log:An unexpected error occurred while handling the authorizations.

Additional context
I have 8 domains using the san feature, 4 of which are the root domains, and 4 are wildcards for the subdomains

Support credentials file

I am here through NginxProxyManager/nginx-proxy-manager#1079.

Usually certbot dns plugins are configured with an INI file, which contains the credential information, to prevent the credentials from showing up in the bash history. But this plugin is exclusively configured through command line parameters.

It would be great if a credentials file would also be possible, maybe with command line params taking precedence.

Unable to renew certificate

Describe the bug
API calls fail with status 400 and message Invalid domain

To Reproduce

certbot certonly -d '*.domain, domain'

Expected behavior
Complete DNS challenge and renew certificates.

Versions (please complete the following version information):

  • certbot: 1.29.0
  • certbot_dns_porkbun: 0.6

Error message

Encountered exception during recovery: KeyError: 'loooong key'
ERROR: DNS create api call was not successfully
Status code: 400
Message: Invalid domain.

Subdomains (incl. wildcards) Cannot be Processed

Describe the bug
The use of -d "domain.tld" works as expected but -d "*.domain.tld" or -d "sub.domain.tld" results in a failed cert generation

To Reproduce
use -d "*.domain.tld" or -d "sub.domain.tld"

Expected behavior
Cert should be processed as expected

Certbot command
certbot certonly --non-interactive --agree-tos --email [email protected] --preferred-challenges dns --authenticator dns-porkbun --dns-porkbun-credentials /config/porkbun.ini --dns-porkbun-propagation-seconds 60 -d "*.domain.tld"

Versions (please complete the following version information):

  • certbot: 1.29.0
  • certbot_dns_porkbun: 0.4

Error message

Encountered exception during recovery: KeyError: 'LONG_RANDOM_ISH_KEY_HERE'

ERROR: DNS create api call was not successfully

Status code: 400

Additional context
client.py potentially removed the "*." replacement:
