infinityofspace / certbot_dns_duckdns Goto Github PK

certbot can be installed using snap, in this case any plugin installed using pip will not be loaded (see #18 ). A snap build of the plugin solves this problem.

Problem description

Security support for Python 3.7 has been discontinued. So this version should be dropped.
In addition, Python version 3.12 arrived in late 2023 and support should be added to this project.

Solution description

Drop python 3.17 from:

1. unit tests workflow matrix
2. minimum install requirement in setup.py

Add support for python 3.12 to:

1. base docker image
2. pypi classifiers
3. unit tests workflow matrix

Checklist

• I have checked for existing Github issues and there are no issues for the same feature request.

Hi,
I'm trying to use Nginx proxy to emit LetsEncrypt certificates for my custom domains. My domains are CNAME of a subdomain.duckdns.org entity.
However, script seems to fail in the referenced code step after traversing the cname route and reaching the duckdns name.
In particular, i get the following in the logs (below). Not sure why, as such domain shold be the same for other sites without cname alias.

• Any ideas?

Thanks!

Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-7" --agree-tos --email "[email protected]" --domains "subdomain.mydomain.ml" --authenticator dns-duckdns --dns-duckdns-credentials "/etc/letsencrypt/credentials/credentials-7"
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Encountered exception during recovery: certbot.errors.PluginError: The domain "_acme-challenge.mysubdomain.duckdns.org" is not valid a duckdns subdomain.
The domain "_acme-challenge.mysubdomain.duckdns.org" is not valid a duckdns subdomain.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

In this plugin, it will override the TXT record before the challenge and clear TXT after the challenge.

According to rfc1464, TXT record support multiple attribute and value. Currently it can be used as DNS SPF record, DNS DMARC record and IPFS DNS link reord.

I would suggest to the following workflow instead:

• Resolve DNS record before dns challenge
• Append the attribute used for dns challenge and send HTTP request to duckdns server
• After dns challenge, send HTTP request with original TXT record to duckdns server

Hi,

While I was trying to install certbot-dns-duckdns on Amrbian (Buster, Rock Pi 4B), I got:

error: snap "certbot-dns-duckdns" is not available on this architecture (arm64) but exists on other architectures (amd64)

in respond to

snap install certbot-dns-duckdns

My final target is accessing OMV NAS with help of letsencrypt.

Any solution?

Eugenius.

Obtaining a wildcard certificate of a domain value like "*.example.duckdns.org" does not work.

Currently the docker builds of amr v6 and v7 are missing for latest, version and unstable tag.

https://hub.docker.com/r/infinityofspace/certbot_dns_duckdns/tags

Hi, I have certbot 0.31.0 installed and installed the plugin using pip3.

phil@marvin:~/wildcard_ssl$ certbot --version
certbot 0.31.0
phil@marvin:~/wildcard_ssl$ pip3 show certbot-dns-duckdns
Name: certbot-dns-duckdns
Version: 0.2
Summary: Obtain certificates using a DNS TXT record for DuckDNS domains
Home-page: https://github.com/infinityofspace/certbot_dns_duckdns
Author: infinityofspace
Author-email: None
License: MIT
Location: /usr/local/lib/python3.7/dist-packages
Requires: requests, zope.interface, certbot, setuptools
Required-by: 
phil@marvin:~/wildcard_ssl$ 

However, when I run a command to get a wildcard cert, certbot does not recognise the --dns-duckdns-token or --dns-duckdns-propagation-seconds directives on the command line:

phil@marvin:~/wildcard_ssl$ ./get_cert.sh 
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --dns-duckdns-token <mytoken> --dns-duckdns-propagation-seconds 60

get_cert.sh:

certbot certonly \
  --non-interactive \
  --agree-tos \
  --email [email protected] \
  --preferred-challenges dns \
  --authenticator dns-duckdns \
  --dns-duckdns-token <my-token> \
  --dns-duckdns-propagation-seconds 60 \
  -d "*.my-site.duckdns.org"

Older versions of certbot does not support the current examples syntax. See #2

Describe the bug
Unable to use certbot_dns_duckdns as the command is unrecognized

certbot: error: unrecognized arguments: --dns-duckdns-token █████ --dns-duckdns-propagation-seconds 60

It can see the plugin is there

certbot plugins

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT

* dns-duckdns
Description: Obtain certificates using a DNS TXT record for DuckDNS domains
Interfaces: Authenticator, Plugin
Entry point: dns-duckdns = certbot_dns_duckdns.cert.client:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Versions (please complete the following version information):

• certbot: [you can use certbot --version to get the version]
• certbot_dns_duckdns: [you can use pip show certbot_dns_duckdns to get the version]

Certbot version: 1.29.0.1
cerbot_dns_duckdns version: 1.1

Additional context
Add any other context about the problem here.

Hi when I request a certificate for my duckDNS domain (normal and wildcard), I get the following error and the application fails to generate a certificate.

...
Calling registered functions
Cleaning up challenges
Encountered exception during recovery: certbot.errors.PluginError
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/certbot_dns_duckdns/cert/client.py", line 56, in _perform
    self._get_duckdns_client().set_txt_record(domain, validation)
  File "/usr/local/lib/python3.7/dist-packages/certbot_dns_duckdns/duckdns/client.py", line 49, in set_txt_record
    assert VALID_DUCKDNS_DOMAIN_REGEX.match(domain)
AssertionError

Do you have any ideas what might cause this? If you need more info from my end let me know.
Thanks in advance!

Describe the bug
i think its not realy but but i think do someting stuppid tho
i am trying to install certbot-dns-duckdns formt here but with no luck i am able to install tho but when its done i do certbot plugins to check the list i only get

• nginx
• standalone
• webroot

i have installed snapd aswell and installed the rest trough docker it self
can you help me pin point the error ( i use the ubuntu 22.04 as adminuser thats the name i gave the account while installing ubuntu 22.04)

oh and i got if i trust the certbot-dns-duckdns packge i needed to do this "snap set certbot trust-plugin-with-root=ok" so i did
i also did just know a remove and reinstalled the certbot-dns-duckdns packge

please help me xD i have no clue on what to do!!

Describe the bug

Not really a bug, but more of a packaging issue. Currently, certbot-dns-duckdns depends on requests 2.26:

However, recently Gentoo has removed requests 2.26.0 from their repository in favor of 2.27.

To Reproduce

• Install Certbot;
• Install certbot-dns-duckdns;
• Have requests 2.26.x available on the system;
• Notice that certbot plugins lists the certbot-dns-duckdns plugin;
• Make sure only requests 2.27.x is available on the system;
• Notice that certbot plugins doesn't list the certbot-dns-duckdns plugin any longer.

Expected behavior

• certbot-dns-duckdns should be available when only requests 2.27.x is available

Certbot command

certbot plugins

Versions (please complete the following version information):

• certbot: latest from git
• certbot_dns_duckdns: 0.7.2

Additional context

When I change requests~=2.26.0 to requests~=2.26 everything works again. Is pinning requests to 2.26 really necessary or does the plugin also work with 2.27.x?

Describe the bug
certbot_dns_duckdns docker in loop reboot with v.05 but works with v.04

To Reproduce
start the docker

Expected behavior
A clear and concise description of what you expected to happen.

Certbot command
I use the following docker-compose: (part only)
certbot_dns_duckdns:
image: infinityofspace/certbot_dns_duckdns:v0.4
container_name: certbot_dns_duckdns
environment:
- EMAIL= ${EMAIL_certbot}
- DOMAIN= ${DOMAIN_certbot}
- DUCKDNS_TOKEN= ${TOKEN_duckdns}
- AUTORENEW=true
- PROPAGATION_SECONDS=60
- STAGING=false
- RECREATE=false
- TZ=Europe/Paris

volumes:
  - /home/docker/certs:/etc/letsencrypt
  - /home/docker/certbot:/var/log/letsencrypt
restart: always

Versions (please complete the following version information):

• certbot: embedded in the docker
• certbot_dns_duckdns: 0.4 is working; 0.5 reboots in loop (due to restart: always)
  Additional context
  i use a very simple xxx.duckdns.org domain.

I tried and use the docker-compose exemple but it is crashing as well with v0.5
short term solution: keep v0.4 version

Hi
In the last version, the docker stops at the end of the “certonly” process.
Thus it is mandatory to create a “complex” crontab line I order to renew the certificate at regular intervals.
“Complex”as the line has to be changed to be consistent with volumes of the existing docker-compose .
Why don’t you use the “renew” option with an embedded cron inside the container ( as it was in the 0.4 version) ?
The certbot manual is clear:

This command attempts to renew any previously-obtained certificates that expire in less than 30 days. The same plugin and options that were used at the time the certificate was originally issued will be used for the renewal attempt, unless you specify other plugins or options. Unlike certonly, renew acts on multiple certificates and always takes into account whether each one is near expiry. Because of this, renew is suitable (and designed) for automated use, to allow your system to automatically renew each certificate when appropriate. Since renew only renews certificates that are near expiry it can be run as frequently as you want - since it will usually take no action.

“ renew is suitable and designed for automated use”
This is not a bug but a demand more consistent with docker philosophy in my mind
Thanks by advance
Regards
PHILIPPE

I'm looking for a way to host a https website with nginx and with a dns from duck-dns.

Is there a way to do it ?

When I try to use the example command with nginx, it gives me this error:

Too many flags setting configurators/installers/authenticators 'dns-duckdns' -> 'nginx'

Is this the right tool to do what I want to do ?
And if yes what is the right way to do it ?

Add some note to the installation guide, because the plugin must be installed with root rights if certbot used with root rights.
Otherwise the plugin can not be found by certbot. See #2

Hello! Thx for nice plugin!

Describe the bug

Automatic reneweal by systemd timer always failed. But certbot renew works fine.

'Namespace' object has no attribute 'dns_duckdns_propagation_seconds'. Skipping.

To Reproduce

systemctl start snap.certbot.renew.service
or
snap run certbot.renew

Expected behavior

root@HMS:~# systemctl status snap.certbot.renew.service
● snap.certbot.renew.service - Service for snap application certbot.renew
     Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2021-08-19 19:58:11 MSK; 12min ago
TriggeredBy: ● snap.certbot.renew.timer
    Process: 171958 ExecStart=/usr/bin/snap run --timer=00:00~24:00/2 certbot.renew (code=exited, status=1/FAILURE)
   Main PID: 171958 (code=exited, status=1/FAILURE)

Aug 19 19:58:06 HMS systemd[1]: Starting Service for snap application certbot.renew...
Aug 19 19:58:11 HMS certbot.renew[171958]: Renewal configuration file /etc/letsencrypt/renewal/XXXXXXXXXXXXX.duckdns.org.conf (cert: XXXXXXXXXXXXX.duckdns.org) produced an une>
Aug 19 19:58:11 HMS certbot.renew[171958]: 0 renew failure(s), 1 parse failure(s)
Aug 19 19:58:11 HMS systemd[1]: snap.certbot.renew.service: Main process exited, code=exited, status=1/FAILURE
Aug 19 19:58:11 HMS systemd[1]: snap.certbot.renew.service: Failed with result 'exit-code'.
Aug 19 19:58:11 HMS systemd[1]: Failed to start Service for snap application certbot.renew.

[3]+  Stopped                 systemctl status snap.certbot.renew.service
root@HMS:~# snap run certbot.renew
Renewal configuration file /etc/letsencrypt/renewal/XXXXXXXXXXXXX.duckdns.org.conf (cert: XXXXXXXXXXXXX.duckdns.org) produced an unexpected error: 'Namespace' object has no attribute 'dns_duckdns_propagation_seconds'. Skipping.
0 renew failure(s), 1 parse failure(s)
root@HMS:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/XXXXXXXXXXXXX.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-duckdns, Installer None
Simulating renewal of an existing certificate for XXXXXXXXXXXXX.duckdns.org
Performing the following challenges:
dns-01 challenge for XXXXXXXXXXXXX.duckdns.org
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/XXXXXXXXXXXXX.duckdns.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/XXXXXXXXXXXXX.duckdns.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Certbot command

certbot certonly --non-interactive --agree-tos --email [email protected] --preferred-challenges dns --authenticator dns-duckdns --dns-duckdns-token XXXXXXXXXX --dns-duckdns-propagation-seconds 60 -d "XXXXXXXXXXX.duckdns.org"

Versions (please complete the following version information):

• certbot: 1.15.0
• certbot_dns_duckdns: 0.6

Additional context
Add any other context about the problem here.

OS info

running in docker latest tag

Docker image

• I am using the docker image.

certbot_dns_duckdns version

i cant get this from inside the container as it exist before i can exec into it

certbot version

i cant get this from inside the container as it exist before i can exec into it

Bug description

cant retrive both a wildcard and domain cert using docker-compose

Expected behaviour description

both the doamin ands wild card certs should be in made

Relevant log output

✔ Container certbot_dns_duckdns  Created                                                     0.0s 
Attaching to certbot_dns_duckdns
certbot_dns_duckdns  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot_dns_duckdns  | Account registered.
certbot_dns_duckdns  | Requesting a certificate for ######.duckdns.org and *.########.duckdns.org
certbot_dns_duckdns  | Waiting 30 seconds for DNS changes to propagate
certbot_dns_duckdns  | An unexpected error occurred:
certbot_dns_duckdns  | requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
certbot_dns_duckdns  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
certbot_dns_duckdns exited with code 1

Command

version: "3.9"
services:
  certbot:
    image: "infinityofspace/certbot_dns_duckdns:latest"
    container_name: "certbot_dns_duckdns"
    volumes:
      - "./data/letsencrypt:/etc/letsencrypt"
      - "./data/logs:/var/log/letsencrypt"
    command: certonly
      --non-interactive
      --agree-tos
      --email ########################
      --preferred-challenges dns
      --expand
      --authenticator dns-duckdns
      --dns-duckdns-token #################
      --dns-duckdns-propagation-seconds 30
      -d *.$HOST
      -d $HOST
 

this gave me the above error i have also tried

version: "3.9"
services:
  certbot:
    image: "infinityofspace/certbot_dns_duckdns:latest"
    container_name: "certbot_dns_duckdns"
    volumes:
      - "./data/letsencrypt:/etc/letsencrypt"
      - "./data/logs:/var/log/letsencrypt"
    command: certonly
      --non-interactive
      --agree-tos
      --email #################################
      --preferred-challenges dns
      --expand
      --authenticator dns-duckdns
      --dns-duckdns-token ###############################
      --dns-duckdns-propagation-seconds 30
      --staging
      -d "*.${HOST}"
  certbot1:
    image: "infinityofspace/certbot_dns_duckdns:latest"
    container_name: "certbot1_dns_duckdns"
    volumes:
      - "./data/letsencrypt:/etc/letsencrypt"
      - "./data/logs:/var/log/letsencrypt"
    command: certonly
      --non-interactive
      --agree-tos
      --email ##############################
      --preferred-challenges dns
      --expand
      --authenticator dns-duckdns
      --dns-duckdns-token ##########################
      --dns-duckdns-propagation-seconds 30
      --staging
      -d "${HOST}"

this also fails as it detecs there another instance running and exists

### DNS records

```shell
how do i get this

Steps to reproduce

run the docker compose file with a valid host from duckdns

Additional context

i have used nginx proxy manager before and it has made wildcard and domain certs is there any alternative way to do this?

Checklist

• I have checked for existing Github issues for the same bug.
• I have checked to see if there is a newer version that already fixes this error.

The use of the plugin as a local installation as well as a Docker image should allow the use of multiple DuckDNS domains without multiple docker containers or command calls.

Describe the bug
This plugin requires requests ~= 2.28 but the currently released version of Certbot ships with requests 2.27.1.

The version incompatibility results in the crash reported at https://community.letsencrypt.org/t/certbot-running-error/183105.

To Reproduce
Install the Certbot snap, install this plugin snap, connect the plugin, and run certbot plugins.

Expected behavior
It should not crash.

Versions (please complete the following version information):

• certbot: 1.29.0
• certbot_dns_duckdns: 1.0

Additional context
Because it makes no sense to install this without Certbot and Certbot already specifies a version constraint for requests, I think the requests dependency could be relaxed here, perhaps just >=2.0,<3.0.

It would be greatly appreciated if a new version of this plugin could be published on snap, as it is broken for users at the moment. Thank you for your work.

Describe the bug
in the setup.py are Undeclared dependency / setup.py and requirements.txt are out of sync

To Reproduce
pip3 install certbot_dns_duckdns

Describe the bug
In b3183bd, this plugin became dependent on the dnspython module, but did not explicitly declare that dependency.

We received a report at https://community.letsencrypt.org/t/no-module-named-dns/169350 which appears to be a result of that omission.

To Reproduce
See thread.

Expected behavior
See thread

Certbot command
See thread

Versions (please complete the following version information):

• certbot: 1.22
• certbot_dns_duckdns: 0.7

Usually certbot dns plugins are configured with an INI file, which contain the credential information, to prevent the credentials from showing up in the bash history. But this plugin is exclusively configured through command line parameters.

It would be great if a credentials file would also be possible, maybe with command line params taking precedence.

The current documentation does not contain any information on how to use the certificate outside the container.

The docker image can not be used without the env PROPAGATION_SECONDS value