Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Detailed error messages for humans. #33

Open
soriyath opened this issue Jan 3, 2022 · 0 comments
Open

Detailed error messages for humans. #33

soriyath opened this issue Jan 3, 2022 · 0 comments

Comments

@soriyath
Copy link

soriyath commented Jan 3, 2022

Summary

Error messages could be more detailed in order to help system administrators quickly resolve issues.

See also this short documentation I wrote about this subject: https://github.com/Leading-Works-SaRL/certbot-plugin-gandi/wiki/Troubleshooting

Reproducible steps

  1. Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
  2. Go on the Gandi.net platform, regenerate/rotate the Gandi API Key;
  3. Do not update the configuration on the server that uses certbot;
  4. Attempt to renew the certificate(s) with: certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
  5. Following error message shows up (possibly per email too if you have it configured accordingly): Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io";
  6. Inspection of logs under /var/log/letsencrypt/letsencrypt.log shows that really it is about authentification, see HTTP Status Code 401:
2022-01-03 20:59:39,583:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:39,820:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/x.y.io HTTP/1.1" 401 264
2022-01-03 20:59:39,847:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,085:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.io HTTP/1.1" 401 264
2022-01-03 20:59:40,111:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,361:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,377:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "x.y.io"
2022-01-03 20:59:40,392:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,630:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.z HTTP/1.1" 401 264
2022-01-03 20:59:40,655:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,896:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,911:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "y.io"
2022-01-03 20:59:40,915:ERROR:certbot._internal.renewal:Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io"

SHOULD Behaviour

  1. Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
  2. Go on the Gandi.net platform, regenerate/rotate the Gandi API Key;
  3. Do not update the configuration on the server that uses certbot;
  4. Attempt to renew the certificate(s) with: certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
  5. Following error message shows up (possibly per email too if you have it configured accordingly): Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: 401 Unauthorized (bad api key?);
  6. Further inspection of the logs shows the error message from the Gandi.net API (format can be modfied, not necessary in JSON format):
{"object": "HTTPUnauthorized", "cause": "Unauthorized", "code": 401, "message": "The server could not verify that you authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad api key), or your access token has expired"}

Furthermore, the Wiki page of the plugin may also document common errors and remediations in a Troubleshooting page.
The Wiki page may be replaced by a TROUBLESHOOTING.md or COMMON_ERRORS.md file committed with the code.

Thank you for the plugin and your time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant