
Bumped certbot-dns-freedns version to 0.2.0 #3750

Open: wants to merge 1 commit into base: develop

Conversation

arsenicks

Bumped certbot-dns-freedns to 0.2.0: https://pypi.org/project/certbot-dns-freedns/0.2.0/

Fixes problems creating the _acme TXT entry if you are not a paid subscriber; see issue schleuss/certbot_dns_freedns#1.

With the current version, the challenge fails and you get an error like this. This fixes #2352

2024-05-13 20:37:35,988:ERROR:certbot._internal.error_handler:Encountered exception during recovery: AttributeError: 'NoneType' object has no attribute 'get'
2024-05-13 20:37:35,990:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1600, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_freedns/dns_freedns.py", line 56, in _perform
    self._get_freedns_client().add_txt_record(
  File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_freedns/dns_freedns.py", line 115, in add_txt_record
    record = self.get_existing_txt(zone_id, record_name, record_content)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_freedns/dns_freedns.py", line 191, in get_existing_txt
    zone_data = self._load_domain_data(zone_id, record_name)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_freedns/dns_freedns.py", line 268, in _load_domain_data
    full_data = self._load_txt_record(domain_id, freedns_record_id, freedns_record_type)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot_dns_freedns/dns_freedns.py", line 286, in _load_txt_record
    input_ttl = soup.find("input", recursive=True, attrs={"name": "ttl"}).get("value")
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get'
2024-05-13 20:37:35,994:ERROR:certbot._internal.log:An unexpected error occurred:
2024-05-13 20:37:35,995:ERROR:certbot._internal.log:AttributeError: 'NoneType' object has no attribute 'get'

@arsenicks
Author

Tested and working; this fixes the TTL issue, but people still have to install zope.

@jc21
Member

jc21 commented May 20, 2024

I'll merge this when zope is available in the base image

@arsenicks
Author

> I'll merge this when zope is available in the base image

Hi, thanks for taking the time to look at this PR. That makes sense for zope; is there any timeline available for this? I see an old PR dating back to 2023 regarding this, but there's no discussion around it or why it wasn't accepted, e.g. PR #2756.

Thanks, have a good day!

@jc21
Member

jc21 commented May 21, 2024

Honestly, it dropped off my radar. I guess I wasn't sure the solution in #2756 was correct, or I didn't understand the Python ecosystem enough. It was another contributor who implemented all the DNS plugin stuff way back when.

@jc21
Member

jc21 commented May 22, 2024

@arsenicks can you please test again with jc21/nginx-proxy-manager:github-pr-3750 - it should 'just work'

@arsenicks
Author

> @arsenicks can you please test again with jc21/nginx-proxy-manager:github-pr-3750 - it should 'just work'

I've been trying for an hour and can't figure out why it doesn't work. Tried with my normal subdomain, didn't work; created a new one, without luck. I'm tired as hell, I'll retry that after some sleep. I'm not sure if I'm doing something wrong, because it should work; the only thing I did with my working install was this:

FROM jc21/nginx-proxy-manager
RUN pip install --no-cache-dir zope certbot-dns-freedns==0.2.0

and when I look into the container those two deps are indeed installed:

[root@docker-bb7f8c5527f3:/app]# pip show certbot-dns-freedns zope |grep -i Version
Version: 0.2.0
Version: 5.10

So, maybe the error is on my end, I'll retry tomorrow. Are there any other changes than the zope dependency and the certbot-dns-freedns version bump to 0.2.0 included in this image vs. the latest "normal" image?

The process goes through and the debug output says it's creating _acme-challenge.subdomain.domain.org, no error, but when the plugin says
DEBUG:certbot._internal.display.obj:Notifying user: Waiting 120 seconds for DNS changes to propagate

I see no subdomain created. I tried without an existing TXT record and with an existing empty one, same result. The verification fails.

The crash happens when it tries to clean up the TXT entry. Here's the error I get right now, not related to the TTL feature, so that's good news! (This is a brand new subdomain I created to test.)

2024-05-24 00:01:13,374:DEBUG:certbot_dns_freedns.dns_freedns:domain found: mooo.com with id: 29
2024-05-24 00:01:13,374:DEBUG:certbot_dns_freedns.dns_freedns:using record_name: _acme-challenge.vavache from original: _acme-challenge.vavache.mooo.com
2024-05-24 00:01:14,045:DEBUG:urllib3.connectionpool:https://freedns.afraid.org:443 "POST /subdomain/?limit=29 HTTP/1.1" 200 None
2024-05-24 00:01:14,306:DEBUG:urllib3.connectionpool:https://freedns.afraid.org:443 "GET /subdomain/edit.php?data_id=22827602 HTTP/1.1" 200 None
2024-05-24 00:01:14,334:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1600, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-05-24 00:01:14,338:ERROR:certbot._internal.log:Some challenges have failed.

@jc21
Member

jc21 commented May 26, 2024

Yes, I agree something is wrong with the certbot plugin or freedns. When I request a cert, waiting for 15 mins, I see that no TXT record has been created despite seeing a successful API call to freedns.

@arsenicks
Author

Well, yeah, I remember I had a problem similar to this with the "original" NPM image before adding zope and bumping the freedns version, but I can't find my old log to see if it was simply the TTL error or anything else.

I'm trying to debug what's wrong; I'm not sure what the best way is to run Python/certbot in debug/verbose mode.

@arsenicks
Author

Well, I cranked the propagation time to 600s, added the TXT entry by hand, and the challenge worked and the _acme TXT entry got deleted correctly. So there's something not working as expected on the creation of the TXT entry.

Oddly enough, when I renew using my "normal" NPM image with zope and the latest freedns certbot version, it still works without doing anything.

@jc21
Member

jc21 commented May 27, 2024

Can you tell me if the certbot-dns-freedns package in your "normal" npm image is a different version to v0.1.0? Also let me know what the certbot --version is.

And it looks like there's v0.2.0 of the plugin, only a month old. I've tried it out with the github-bump-freedns image tag but it's not working either.

@arsenicks
Author

arsenicks commented May 28, 2024

I just had a flash: I might have done the same thing (creating the TXT by hand) with my "normal" domain while debugging the TTL issue a week ago... Is it possible that when renewing a certificate, the ACME challenge is not redone, or it doesn't have to create the TXT record every time? If so, that probably never worked even with the image I thought was working. I don't know if my explanation is clear enough.

> Can you tell me if the certbot-dns-freedns package in your "normal" npm image is a different version to v0.1.0? Also let me know what the certbot --version is.

Sure,

[root@docker-c123427f2943:/app]# pip show certbot-dns-freedns |grep -i version
Version: 0.1.0
[root@docker-c123427f2943:/app]# pip show zope |grep -i version
Version: 5.9
[root@docker-c123427f2943:/app]# certbot --version
certbot 2.10.0

Here's the docker-compose I use to build the image I use normally. It was made that way to fix two things: the missing zope, and installing certbot-dns-freedns==0.2.0. So that's pretty much what we have in the jc21/nginx-proxy-manager:github-pr-3750 image.

  nginx-proxy-manager:
#    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx-proxy-manager
    build:
        context: fix-npm-image/
        dockerfile: DockerfileFixNPM
    restart: unless-stopped
    ports:
      - '445:443' # Public HTTPS Port
      - '443:443' # Public HTTPS Port
      - '8881:81' # Admin Web Port

    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Toronto # timezone
    volumes:
      - ${HOME}/.config/nginxproxymanager:/data
      - ${HOME}/.config/swag-letsencrypt:/ssl-cert
      - /nfsblaw/nginxproxymanager-letsencrypt:/etc/letsencrypt

The content of the Dockerfile fix-npm-image/DockerfileFixNPM:

FROM jc21/nginx-proxy-manager
RUN pip install --no-cache-dir zope certbot-dns-freedns==0.2.0

> And it looks like there's v0.2.0 of the plugin, only a month old.

That's what my image is using, and that was the purpose of this specific PR: to bump the version of certbot-dns-freedns to 0.2.0! :) But 0.2.0 or 0.1.0 do need zope, so we're on the right track.

I must test it with my "modified" image and a new domain to validate whether it does work, or whether I was under the impression it worked because the renewal process is different and I had created the TXT by hand at that time too. It does make sense, because the image I build on my side adds zope and the certbot-dns-freedns plugin version 0.2.0, just like we do in this PR image. I'll try to test it later tonight and get back.

Thanks again for your help!

@arsenicks
Author

Just a small update on this issue. I was finally able to take some time and debug the output; I get an error message "The security code was incorrect, please try again.". I sent an email to the afraid.org admin to see if we are supposed to be able to automatically update a subdomain created using a public domain, because nothing in the FAQ states this, but I saw a few places in an acme shell script where this was stated.

So I'll update you on the outcome of this, but there's clearly bad management of the error in the certbot-dns-freedns package.
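The AttributeError in the PR description (`soup.find(...)` returning None, then `.get("value")` on it) and the unhandled "security code was incorrect" page described in this comment both come from reading a scraped HTML form without checking what actually came back. Below is an added example, not code from certbot-dns-freedns, nginx-proxy-manager or this PR, of parsing such a form defensively so the failure surfaces as a readable error instead of a traceback. It uses the standard-library html.parser in place of BeautifulSoup; the field names data_id/subdomain/address/ttl, the fallback TTL of 3600 and the three sample pages are constructed assumptions.

```python
"""Defensive parsing of a DNS-provider record edit form (added example, stdlib only).

Assumptions, not taken from the plugin: the input names 'data_id', 'subdomain',
'address' and 'ttl'; a fallback TTL of 3600 when the form has no ttl input; and the
sample HTML pages below.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional

DEFAULT_TTL = "3600"  # assumed fallback for accounts whose form exposes no ttl field

# Constructed sample pages. FREE_TIER_FORM deliberately lacks the ttl input,
# mimicking the non-paid account case from the PR description.
PAID_TIER_FORM = """<html><body><form action="/subdomain/edit.php">
<input type="hidden" name="data_id" value="22827602">
<input name="subdomain" value="_acme-challenge.vavache">
<input name="address" value="">
<input name="ttl" value="3600">
</form></body></html>"""

FREE_TIER_FORM = """<html><body><form action="/subdomain/edit.php">
<input type="hidden" name="data_id" value="22827602">
<input name="subdomain" value="_acme-challenge.vavache">
<input name="address" value="">
</form></body></html>"""

ERROR_PAGE = """<html><body>
<p>The security code was incorrect, please try again.</p>
</body></html>"""


class RecordFormError(Exception):
    """Human-readable failure instead of a bare AttributeError deep inside the plugin."""


class _FormScanner(HTMLParser):
    """Collects <input> tags by name plus the page's visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: Dict[str, Dict[str, Optional[str]]] = {}
        self._text: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "input":
            attr_map = dict(attrs)
            name = attr_map.get("name")
            if name:
                self.inputs[name] = attr_map

    def handle_data(self, data: str) -> None:
        self._text.append(data)

    def find_input(self, name: str) -> Optional[Dict[str, Optional[str]]]:
        """Like soup.find('input', attrs={'name': name}): returns None when absent."""
        return self.inputs.get(name)

    @property
    def text(self) -> str:
        return " ".join(part.strip() for part in self._text if part.strip())


def _scan(html: str) -> _FormScanner:
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    return scanner


def load_ttl_unchecked(html: str) -> Optional[str]:
    """The pattern from the traceback: no None check, so a free-tier form raises AttributeError."""
    return _scan(html).find_input("ttl").get("value")


def parse_record_form(html: str) -> Dict[str, str]:
    """Return the fields needed to update a TXT record, or raise RecordFormError.

    * A provider error banner is reported verbatim instead of being parsed as a form.
    * A missing mandatory field names that field in the error.
    * A missing optional field (ttl) falls back to DEFAULT_TTL instead of crashing.
    """
    scanner = _scan(html)
    if "security code was incorrect" in scanner.text.lower():
        raise RecordFormError(f"provider rejected the request: {scanner.text}")
    fields: Dict[str, str] = {}
    for name in ("data_id", "subdomain", "address"):
        tag = scanner.find_input(name)
        if tag is None:
            raise RecordFormError(f"edit form has no '{name}' input; refusing to update record")
        fields[name] = tag.get("value") or ""
    ttl_tag = scanner.find_input("ttl")
    fields["ttl"] = (ttl_tag.get("value") if ttl_tag is not None else None) or DEFAULT_TTL
    return fields


def reproduce_crash(html: str) -> str:
    """Show what the unchecked version does on each page (returns the outcome as text)."""
    try:
        return f"ttl={load_ttl_unchecked(html)}"
    except AttributeError as exc:
        return f"AttributeError: {exc}"


def check_form(html: str) -> str:
    """One-line outcome of the defensive parser, suitable for a log message."""
    try:
        return f"ok ttl={parse_record_form(html)['ttl']}"
    except RecordFormError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for label, page in [("paid", PAID_TIER_FORM), ("free", FREE_TIER_FORM), ("error", ERROR_PAGE)]:
        print(f"{label:5} unchecked -> {reproduce_crash(page)}")
        print(f"{label:5} checked   -> {check_form(page)}")
```

Running the block prints the unchecked pattern crashing with the same "'NoneType' object has no attribute 'get'" message as the traceback on the free-tier and error pages, while the checked parser falls back to the default TTL on the free-tier form and reports the provider's own error text on the error page.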

@arsenicks
Author

Never got a reply to my last two emails. I'll try to ask again.

@nginxproxymanagerci

CI Error:

/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
certbot-node: Pulling from nginxproxymanager/nginx-full
Digest: sha256:eaa2ebcb50dd87557c9a8f95a3230128d94cac1ea17800261c036e59378e7d49
Status: Image is up to date for nginxproxymanager/nginx-full:certbot-node
docker.io/nginxproxymanager/nginx-full:certbot-node
❯ Building Frontend ...
yarn install v1.22.22
[1/4] Resolving packages...
[2/4] Fetching packages...
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
error Command failed.
Exit code: 128
Command: git
Arguments: clone https://github.com/tabler/tabler.git /usr/local/share/.cache/yarn/v6/.tmp/e11a93799a52aa978c82015e29fbe309
Directory: /app/frontend
Output:
Cloning into '/usr/local/share/.cache/yarn/v6/.tmp/e11a93799a52aa978c82015e29fbe309'...
error: RPC failed; curl 92 HTTP/2 stream 5 was not closed cleanly: CANCEL (err 8)
error: 5572 bytes of body are still expected
fetch-pack: unexpected disconnect while reading sideband packet
fatal: early EOF
fatal: fetch-pack: invalid index-pack output

Successfully merging this pull request may close these issues.

FreeDNS Afraid.org