certbot-plugin-gandi's Introduction

I caught fire coding 🔥

The spark I was missing ignited the instant I installed my first Linux as a kid. Since then, I can't get enough. I'm now working as a Site Reliability Engineer, ensuring everything runs smoothly. Usually, you can find me at my desk, sipping my cafe con leche while reading the latest headlines on Hacker News. But in any case, you can also get in touch below.

I love ≑𝐺𝑂 and spend too much time on GitHub, but core focuses of interest also include SRE, AWS, Edge Networking, Linux, Python, Django, Docker, Kubernetes. I typically ask my family to point out which of these are Pokemons 😉

certbot-plugin-gandi's People

Contributors

aivot-on, alexzorin, cogk, hlfh, jtheoof, julienpalard, markebjones, obynio, zuzak

certbot-plugin-gandi's Issues

Instructions typos ?

Hi,

I think there is a typo in this command:

certbot certonly --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi/gandi.ini gandi.ini -d domain.com

the --dns-gandi-credentials option should be followed by only one file path (there are two pointing to the gandi.ini file).

Also, when running the plugin, using /root/gandi.ini as configuration, I get the following error:

Missing property in credentials configuration file /root/gandi.ini:
 * Property "dns_gandi_api_key" not found (should be API key for Gandi account).

It works with this:

# live dns v5 api key
dns_gandi_api_key=<key>

Gandi LiveDNS API communication stopped working

Hi, since a little while I'm getting these errors:

Unable to find or delete the DNS TXT record: <No reason given>
Failed to renew certificate subdomain.example.com with error: An error occurred adding the DNS TXT record: <No reason given>

In the log files I find this:

2022-07-23 18:48:09,169:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-07-23 18:48:09,299:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/subdomain.example.com HTTP/1.1" 404 108
2022-07-23 18:48:09,301:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-07-23 18:48:09,534:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/example.com HTTP/1.1" 200 532
2022-07-23 18:48:09,537:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-07-23 18:48:09,795:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/example.com/records/_acme-challenge.subdomain/TXT HTTP/1.1" 200 209
2022-07-23 18:48:09,797:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-07-23 18:48:10,210:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "PUT /api/v5/domains/example.com/records/_acme-challenge.subdomain/TXT HTTP/1.1" 400 151
2022-07-23 18:48:10,212:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: <No reason given>
2022-07-23 18:48:10,212:ERROR:certbot._internal.renewal:Failed to renew certificate subdomain.example.com with error: An error occurred adding the DNS TXT record: <No reason given>

I tried rotating the key, installing the latest plugin version, etc, but nothing seems to help.

It seems I'm getting an HTTP status code of 200 on GET, but 400 on PUT.

Any ideas?

Plugin removed in future version ?

Hi,

With certbot 1.10.1 I have this warning:

Plugin legacy name certbot-plugin-gandi:dns may be removed in a future version. Please use dns instead.

What is the DNS plugin?

Cordially

Getting logger.warning on 3rd party plugins prefixes despite not using them

I am getting the warning that I see in the code:

logger.warning("Certbot is moving to remove 3rd party plugins prefixes. Please use --authenticator dns-gandi --dns-gandi-credentials")

certbot plugins gives:

2022-11-10 08:59:48,203:DEBUG:certbot._internal.log:Root logging level set at 30
2022-11-10 08:59:48,205:DEBUG:certbot._internal.main:Expected interfaces: None
2022-11-10 08:59:48,206:DEBUG:certbot._internal.main:Filtered plugins: PluginsRegistry(PluginEntryPoint#dns,PluginEntryPoint#dns-gandi,PluginEntryPoint#dns-ovh,PluginEntryPoint#nginx,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-11-10 08:59:48,208:DEBUG:certbot._internal.display.obj:Notifying user: * dns
Description: Obtain certificates using a DNS TXT record (if you are using Gandi
for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns = certbot_plugin_gandi.main:Authenticator

* dns-gandi
Description: Obtain certificates using a DNS TXT record (if you are using Gandi
for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-gandi = certbot_plugin_gandi.main:Authenticator

* dns-ovh
Description: Obtain certificates using a DNS TXT record (if you are using OVH
for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-ovh = certbot_dns_ovh._internal.dns_ovh:Authenticator

* nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator

* standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator

but with some certbot certonly --force-renew -d example.com, I am getting:

2022-11-10 09:52:22,879:DEBUG:certbot._internal.main:certbot version: 1.31.0
2022-11-10 09:52:22,880:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-11-10 09:52:22,880:DEBUG:certbot._internal.main:Arguments: ['--force-renew', '-d', 'degramont.fr']
2022-11-10 09:52:22,880:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-plugin-gandi:dns,PluginEntryPoint#certbot-plugin-gandi:dns-gandi,PluginEntryPoint#dns,PluginEntryPoint#dns-gandi,PluginEntryPoint#dns-ovh,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-11-10 09:52:28,403:DEBUG:certbot._internal.log:Root logging level set at 30
2022-11-10 09:52:28,406:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2022-11-10 09:52:28,420:WARNING:certbot_plugin_gandi.main:Certbot is moving to remove 3rd party plugins prefixes. Please use --authenticator dns-gandi --dns-gandi-credentials

I get the warning from certbot with the line:

plugins = plugins_disco.PluginsRegistry.find_all()

Not getting the warning with the certbot plugins command and the line:

filtered = plugins.visible().ifaces(ifaces)

cron expression wrong?

Hi!

First of all, thanks for your work on this plugin.

I've entered the cron expression provided in the README into a cron verifier:

https://crontab.guru/#*_1_*_*_1

It claims to run
“At every minute past hour 1 on Monday.”

Shouldn't it be something like: "0 0 * * 0" instead?

Gandi API changes

"There will be no future developments on this API, as we are merging to our new REST api endpoint, which is documented at https://api.gandi.net/docs/livedns/"

Do you plan to support the new API?

Property "certbot_plugin_gandi:dns_api_key" not found

Setting dns_gandi_api_key=APIKEY in gandi.ini as mentioned in the docs, I get the following error:

Attempting to renew cert (example.org) from /etc/letsencrypt/renewal/example.org.conf produced an unexpected error: Missing property in credentials configuration file /etc/letsencrypt/gandi.ini:
 * Property "certbot_plugin_gandi:dns_api_key" not found (should be API key for Gandi account).. Skipping.

The correct property seems to be certbot_plugin_gandi:dns_api_key instead.

Thanks for this plugin!

certbot: error: unrecognized arguments: --dns-gandi-credentials /etc/letsencrypt/gandi.ini

root@www:/etc/letsencrypt# certbot certonly --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini -d mydomain.tld
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-gandi-credentials /etc/letsencrypt/gandi.ini

root@www:/etc/letsencrypt# apt search livedns
Sorting... Done
Full Text Search... Done
python3-certbot-dns-gandi/stable,now 1.2.5-3 all [installed]
Gandi LiveDNS plugin for Certbot

module 'urllib' has no attribute 'quote'

I get an error when I run this command with Python 3.6.7 installed on Ubuntu 18:

certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials gandi.ini -d domain.com -d \*.domain.com --server https://acme-v02.api.letsencrypt.org/directory

Error message:

Encountered exception during recovery: 
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/local/lib/python3.6/dist-packages/certbot/auth_handler.py", line 132, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/local/lib/python3.6/dist-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/main.py", line 48, in _perform
    error = gandi_api.add_txt_record(self._get_gandi_config(), domain, validation_name, validation)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 89, in add_txt_record
    return _update_record(cfg, domain, name, requester)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 69, in _update_record
    base_domain = _get_base_domain(cfg, domain)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 48, in _get_base_domain
    response = _request(cfg, 'GET', ('domains', candidate_base_domain))
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 42, in _request
    url = _get_url(*segs)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 36, in _get_url
    '/'.join(urllib.quote(seg, safe='') for seg in segs)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 36, in <genexpr>
    '/'.join(urllib.quote(seg, safe='') for seg in segs)
AttributeError: module 'urllib' has no attribute 'quote'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/local/lib/python3.6/dist-packages/certbot/auth_handler.py", line 316, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/local/lib/python3.6/dist-packages/certbot/plugins/dns_common.py", line 76, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/main.py", line 54, in _cleanup
    error = gandi_api.del_txt_record(self._get_gandi_config(), domain, validation_name)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 97, in del_txt_record
    return _update_record(cfg, domain, name, requester)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 69, in _update_record
    base_domain = _get_base_domain(cfg, domain)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 48, in _get_base_domain
    response = _request(cfg, 'GET', ('domains', candidate_base_domain))
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 42, in _request
    url = _get_url(*segs)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 36, in _get_url
    '/'.join(urllib.quote(seg, safe='') for seg in segs)
  File "/usr/local/lib/python3.6/dist-packages/certbot_plugin_gandi/gandi_api.py", line 36, in <genexpr>
    '/'.join(urllib.quote(seg, safe='') for seg in segs)
AttributeError: module 'urllib' has no attribute 'quote'
An unexpected error occurred:
AttributeError: module 'urllib' has no attribute 'quote'
Please see the logfiles in /var/log/letsencrypt for more details.

I think it's similar to this but I'm not sure. Any ideas how to resolve?

Unable to find or delete the DNS TXT record: Access was denied to this resource.

The steps to install and configure this plugin seem fairly straightforward. I've installed it with pip3 (as a --user), certbot plugins lists it, and I've put the API key into gandi.ini (no quotes, directly after certbot_plugin_gandi:dns_api_key=).

I forgot to chmod it at first, but got a reminder when I ran it for the first time, so 600 it is.

Now I'm stuck with the topic error (access denied to resource) and I don't know where to look for logs / more information.

On the admin panel at Gandi I see no entries, and I have a relatively new version of certbot (tried with 0.28 and 0.35).

Any ideas how to get this working?
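The credentials-file problems reported in several issues on this page (the property-name mismatch in "Instructions typos ?" and "Property "certbot_plugin_gandi:dns_api_key" not found", and the chmod 600 reminder mentioned above) can be checked before certbot runs. The following is an added example, not code from the plugin or from certbot; the function names and result codes are assumptions made for the illustration, and the property names and placeholder values are the ones quoted in the issues.

```python
import os
import re
import stat
import tempfile

# Property names that appear in the issues on this page.
KNOWN_KEYS = ("dns_gandi_api_key", "certbot_plugin_gandi:dns_api_key", "dns_gandi_token")
# Placeholder values used in the snippets quoted in the issues.
PLACEHOLDERS = {"", "<key>", "APIKEY", "PERSONAL_ACCESS_TOKEN"}
# Property name as certbot prints it in its "Missing property" error.
WANTED_RE = re.compile(r'Property "([^"]+)" not found')


def read_properties(path):
    """Parse the flat key=value file; lines starting with '#' are comments."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_credentials(path, certbot_error=""):
    """Return (code, detail) problems; an empty list means nothing was found.

    The secret value itself is never copied into the result.
    """
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(("permissions",
                         "mode %04o exposes the key to group/others; use chmod 600" % mode))
    props = read_properties(path)
    present = [k for k in KNOWN_KEYS if k in props]
    if not present:
        problems.append(("no-key", "none of %s is set" % ", ".join(KNOWN_KEYS)))
    for key in present:
        if props[key] in PLACEHOLDERS:
            problems.append(("placeholder", "%s still holds a placeholder value" % key))
    # If certbot already complained, compare the name it asked for with the file.
    wanted = WANTED_RE.search(certbot_error)
    if wanted and wanted.group(1) not in props:
        problems.append(("name-mismatch", "certbot asked for %s, file defines %s"
                         % (wanted.group(1), ", ".join(present) or "nothing")))
    return problems


def demo():
    """Constructed sample: a world-readable file that uses the unprefixed name."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as fh:
        fh.write("# live dns v5 api key\n"
                 "dns_gandi_api_key=constructed-not-a-real-key\n")
    os.chmod(path, 0o644)
    error = ('Property "certbot_plugin_gandi:dns_api_key" not found '
             "(should be API key for Gandi account).")
    before = [code for code, _ in check_credentials(path, error)]
    os.chmod(path, 0o600)
    after = [code for code, _ in check_credentials(path)]
    os.remove(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```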

Add option to use different domain on Gandi than requested for the certificate

Hi!

I have the following setup:

main.tld without DNS API access on a random domain provider
other.tld at Gandi with Live DNS API
I have CNAMEs pointing from main.tld to other.tld (also on all subdomains)

In order to manually update my main.tld certs, I change the TXT values on my other.tld entries to the TXT values from certbot's main.tld responses
The use of a "throwaway" domain for validation is described in the DNS-01 challenge docs (https://letsencrypt.org/docs/challenge-types/)

So my current issue with the plugin is that I need to request main.tld certs but certbot-plugin-gandi should use a different domain (on Gandi DNS) to make my main.tld CNAME entries work

It would be nice to have a parameter in the gandi.ini to provide a "custom" domain name that the plugin should use instead of the domain that was given with certbot's "-d" parameter

something like:

# Gandi personal access token
dns_gandi_token=PERSONAL_ACCESS_TOKEN
dns_gandi_verify_domain=other.tld

[BUG] unrecognized arguments while following the instructions

I am currently trying to use this plugin on my debian 10 server to obtain a wildcard certificate. I followed every step, but when it came to the certbot command, it fails with the error

certbot: error: unrecognized arguments: --dns-gandi-credentials /etc/letsencrypt/gandi/gandi.ini

How to use this plugin from pip and ansible

This is just to help others that try to do this and have run into issues with certbot snap installation. I was trying to come up with a clean install method to use with ansible, and I've got it working successfully with this config (on Ubuntu):

- name: Install certbot system dependencies
  ansible.builtin.apt:
    package:
      - python3
      - python3-virtualenv
      - libaugeas0
    state: present
    update_cache: yes
  tags: certbot

- name: Install certbot from pip
  ansible.builtin.pip:
    name: certbot
    virtualenv: /opt/certbot
  tags: certbot

- name: Link certbot into path
  ansible.builtin.file:
    src: /opt/certbot/bin/certbot
    dest: /usr/bin/certbot
    state: link
  tags: certbot

- name: Install certbot gandi DNS plugin
  ansible.builtin.pip:
    name: certbot-plugin-gandi
    virtualenv: /opt/certbot
  tags: gandi

This installs using virtualenv, as the EFF recommends, but this means that the gandi plugin needs to be installed in the same virtualenv, or certbot won't see it. HTH.

certbot: error: unrecognized arguments: --certbot-plugin-gandi:dns-credentials gandi.ini

Installed the gandi plugin and tried to run the following command:

sudo certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials gandi.ini -d XXXXX.nl -d \*.XXXXX.nl --server https://acme-v02.api.letsencrypt.org/directory

Certbot returns the following error:
certbot: error: unrecognized arguments: --certbot-plugin-gandi:dns-credentials gandi.ini

Using the latest certbot, version 0.31.0.

Am I missing something here?

error: unrecognized arguments: --dns-gandi-credentials

Hello, I have this error.
I tried with the old configuration of the plugin but without better result.
My certbot version is 1.13.0.

Can someone help me?

sudo certbot certonly --authenticator dns-gandi --dns-gandi-credentials /opt/certbot/gandi.ini -d XXX.yyy -d *.XXX.yyy --server https://acme-v02.api.letsencrypt.org/directory
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-gandi-credentials /opt/certbot/gandi.ini

[How to] use certbot plugin gandi not in CLI

Hi,

Current behavior:

I am generating certs well with certbot/gandi-plugin on NASs, but to do that I am forced to share my DNS_GANDI_KEY with NASs.

The finality:

I would like to integrate the certificate generation process in a Python app (Django on Gandi instance). With this, my clients will not know my DNS_GANDI_KEY anymore. My app will be the only one that knows this API key. I will provide the certificates to each NAS.

What I want:

I am looking for some Python code that is using certbot and plugin-gandi (or needs some adaptations to use it), and makes me able to generate my certs using only Python (no shell, and I don't want to use subprocess that is calling python app/lib... ).

What I did:

I tried to dig into the code of certbot/gandi-plugin, but I didn't find a good entry point yet.

Any help?

Thanks for the lib, great work!

Resources:

PS: just found this, that's more or less what I am looking for (in my case I will use DNS-Challenge)
https://gist.github.com/gpjt/2bd2a223b410d8fcfb782d0df1be2e00

improvement: sharing ID parameter

Hello.
After a little while running with home made manual hooks, I decided to try and use "official" plugin, but as my case requires the use of sharing ID, I forked your project and made the required changes. Then my question is: would you want this to be merged (or redo it your own way: since I am not really used to Python programming, I may have made it the wrong way... even if it happens to work) or should I just keep it for my personal use ?

Regards,
GB

Error when attempting wildcard certificate

I get this:

Performing the following challenges:
dns-01 challenge for example.com
Cleaning up challenges
Unable to find or delete the DNS TXT record: Unable to get base domain for "example.com"
An error occurred adding the DNS TXT record: Unable to get base domain for "example.com"

When obtaining the certificate without wildcard, it all works fine.

certbot: error: unrecognized arguments: --certbot-plugin-gandi:dns-credentials gandi.ini

Hello.
I'm trying to use your plugin but sadly I got an unrecognized arguments error...

certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials gandi.ini -d [domain] --dry-run
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --certbot-plugin-gandi:dns-credentials gandi.ini

Sadly, I see nothing helpful in letsencrypt logs...

Too bad, this plugin seems great.

I'm using Centos 7.8.2003
Certbot 1.7.0
certbot-plugin-gandi 1.2.5 from pip3

Detailed error messages for humans.

Summary

Error messages could be more detailed in order to help system administrators quickly resolve issues.

See also this short documentation I wrote about this subject: https://github.com/Leading-Works-SaRL/certbot-plugin-gandi/wiki/Troubleshooting

Reproducible steps

  1. Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
  2. Go on the Gandi.net platform, regenerate/rotate the Gandi API Key;
  3. Do not update the configuration on the server that uses certbot;
  4. Attempt to renew the certificate(s) with: certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
  5. Following error message shows up (possibly per email too if you have it configured accordingly): Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io";
  6. Inspection of logs under /var/log/letsencrypt/letsencrypt.log shows that really it is about authentication, see HTTP Status Code 401:
2022-01-03 20:59:39,583:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:39,820:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/x.y.io HTTP/1.1" 401 264
2022-01-03 20:59:39,847:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,085:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.io HTTP/1.1" 401 264
2022-01-03 20:59:40,111:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,361:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,377:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "x.y.io"
2022-01-03 20:59:40,392:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,630:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.z HTTP/1.1" 401 264
2022-01-03 20:59:40,655:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-01-03 20:59:40,896:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,911:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "y.io"
2022-01-03 20:59:40,915:ERROR:certbot._internal.renewal:Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: Unable to get base domain for "x.y.io"

SHOULD Behaviour

  1. Configure Gandi.net, certbot, and certbot-plugin-gandi so that the generation of a letsencrypt certificate works;
  2. Go on the Gandi.net platform, regenerate/rotate the Gandi API Key;
  3. Do not update the configuration on the server that uses certbot;
  4. Attempt to renew the certificate(s) with: certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory;
  5. Following error message shows up (possibly per email too if you have it configured accordingly): Failed to renew certificate y.io with error: An error occurred adding the DNS TXT record: 401 Unauthorized (bad api key?);
  6. Further inspection of the logs shows the error message from the Gandi.net API (format can be modified, not necessarily in JSON format):
{"object": "HTTPUnauthorized", "cause": "Unauthorized", "code": 401, "message": "The server could not verify that you authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad api key), or your access token has expired"}

Furthermore, the Wiki page of the plugin may also document common errors and remediations in a Troubleshooting page.
The Wiki page may be replaced by a TROUBLESHOOTING.md or COMMON_ERRORS.md file committed with the code.

Thank you for the plugin and your time.
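The debug logs quoted in this issue and in "Gandi LiveDNS API communication stopped working" already hold the real cause as HTTP status codes, even when the message shown to the operator is "Unable to get base domain" or "<No reason given>". The triage script below is an added example, not part of the plugin; the function names and finding codes are assumptions, the first two samples are lines copied from those two issues, and the third is constructed.

```python
import re
from collections import namedtuple

Call = namedtuple("Call", "method path status")

# urllib3 DEBUG line for a finished request to the LiveDNS host, as seen in the logs.
CALL_RE = re.compile(
    r'DEBUG:urllib3\.connectionpool:https://dns\.api\.gandi\.net:443 '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b'
)
ZONE_RE = re.compile(r"^/api/v5/domains/(?P<name>[^/]+)$")
TXT_RE = re.compile(r"^/api/v5/domains/(?P<zone>[^/]+)/records/(?P<name>[^/]+)/TXT$")

# Copied from "Gandi LiveDNS API communication stopped working".
PUT_400_LOG = """\
2022-07-23 18:48:09,169:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): dns.api.gandi.net:443
2022-07-23 18:48:09,299:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/subdomain.example.com HTTP/1.1" 404 108
2022-07-23 18:48:09,534:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/example.com HTTP/1.1" 200 532
2022-07-23 18:48:09,795:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/example.com/records/_acme-challenge.subdomain/TXT HTTP/1.1" 200 209
2022-07-23 18:48:10,210:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "PUT /api/v5/domains/example.com/records/_acme-challenge.subdomain/TXT HTTP/1.1" 400 151
2022-07-23 18:48:10,212:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: <No reason given>
"""

# Copied from "Detailed error messages for humans" (API key rotated, config not updated).
ROTATED_KEY_LOG = """\
2022-01-03 20:59:39,820:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/x.y.io HTTP/1.1" 401 264
2022-01-03 20:59:40,085:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/y.io HTTP/1.1" 401 264
2022-01-03 20:59:40,361:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/io HTTP/1.1" 401 264
2022-01-03 20:59:40,377:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "x.y.io"
"""

# Constructed sample: the key is accepted but no candidate name is a zone in the account.
NO_ZONE_LOG = """\
2022-08-11 10:21:05,000:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/www.domain.tld HTTP/1.1" 404 108
2022-08-11 10:21:05,200:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/domain.tld HTTP/1.1" 404 108
2022-08-11 10:21:05,400:DEBUG:urllib3.connectionpool:https://dns.api.gandi.net:443 "GET /api/v5/domains/tld HTTP/1.1" 404 108
"""


def parse_calls(log_text):
    """Extract (method, path, status) for every LiveDNS request in the log."""
    calls = []
    for line in log_text.splitlines():
        m = CALL_RE.search(line)
        if m:
            calls.append(Call(m.group("method"), m.group("path"), int(m.group("status"))))
    return calls


def diagnose(log_text):
    """Return (code, detail) findings derived from the status codes alone."""
    calls = parse_calls(log_text)
    rejected = [c for c in calls if c.status == 401]
    if rejected:
        # Every later failure, including "Unable to get base domain", follows from this.
        return [("auth", "%d request(s) answered 401: the API key was rejected" % len(rejected))]
    findings = []
    lookups = []
    for c in calls:
        m = ZONE_RE.match(c.path)
        if m and c.method == "GET":
            lookups.append((m.group("name"), c.status))
    if lookups and not any(status == 200 for _, status in lookups):
        tried = ", ".join("%s=%d" % pair for pair in lookups)
        findings.append(("no-zone", "no candidate base domain answered 200 (%s)" % tried))
    for c in calls:
        m = TXT_RE.match(c.path)
        if m and c.method != "GET" and c.status >= 400:
            findings.append(("write-rejected",
                             "%s of TXT record %s in zone %s answered %d; key and zone lookup were fine"
                             % (c.method, m.group("name"), m.group("zone"), c.status)))
    return findings


if __name__ == "__main__":
    for sample in (PUT_400_LOG, ROTATED_KEY_LOG, NO_ZONE_LOG):
        print(diagnose(sample))
```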

Public key for signing releases missing

Howdy,

First off, thanks for maintaining certbot-plugin-gandi. I noticed a while back you seem to have changed the signing key for the releases on pypi, but there wasn't any notice of change and the public key doesn't appear to be online anywhere.

The last release was signed by 86866EAF84F46D74E263C078D80EC4E1F40970E5, and this is currently what's holding up Debian for updating.

~Unit 193

[Debian] Error: unrecognized arguments: --certbot-plugin-gandi:dns-credentials gandi.ini

tl;dr: On Debian, it seems this plugin doesn't work with certbot 0.35 provided by certbot-auto or pip, only with certbot 0.28 installed from debian-backports. See these instructions.


I'm getting this error message while trying to use this plugin I'm very grateful for.

~# certbot --version
certbot 0.28.0
~# certbot renew -v -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials gandi.ini --server https://acme-v02.api.letsencrypt.org/directory --cert-name example.com-0002
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --certbot-plugin-gandi:dns-credentials gandi.ini
~# certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials gandi.ini -d example.com -d \*.example.com --server https://acme-v02.api.letsencrypt.org/directory -v --dry-run
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --certbot-plugin-gandi:dns-credentials gandi.ini

Is it just my version of certbot that needs to be updated? I'm using the default Debian package so it isn't exactly the most recent.

Plugin don't work debian 10

Hello,
I am on Debian 10 and have certbot 0.39.0.
When I do
sudo certbot certonly -a certbot-plugin-gandi:dns \
  --certbot-plugin-gandi:dns-credentials gandi.ini -d mydomain.fr \
  --server https://acme-v02.api.letsencrypt.org/directory
I get this error:
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --certbot-plugin-gandi:dns-credentials gandi.ini
Can I have any help, please?
Best regards,
Lucas

AttributeError: 'module' object has no attribute 'parse'

Trying to run the following on Ubuntu 18:

certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /path/to/gandi.ini -d \*.sub.domain.com --server https://acme-v02.api.letsencrypt.org/directory

Throws the following error:

Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 310, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/dns_common.py", line 76, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/usr/local/lib/python2.7/dist-packages/certbot_plugin_gandi/main.py", line 54, in _cleanup
    error = gandi_api.del_txt_record(self._get_gandi_config(), domain, validation_name)
  File "/usr/local/lib/python2.7/dist-packages/certbot_plugin_gandi/gandi_api.py", line 97, in del_txt_record
    return _update_record(cfg, domain, name, requester)
  File "/usr/local/lib/python2.7/dist-packages/certbot_plugin_gandi/gandi_api.py", line 69, in _update_record
    base_domain = _get_base_domain(cfg, domain)
  File "/usr/local/lib/python2.7/dist-packages/certbot_plugin_gandi/gandi_api.py", line 48, in _get_base_domain
    response = _request(cfg, 'GET', ('domains', candidate_base_domain))
  File "/usr/local/lib/python2.7/dist-packages/certbot_plugin_gandi/gandi_api.py", line 42, in _request
    url = _get_url(*segs)
  File "/usr/local/lib/python2.7/dist-packages/certbot_plugin_gandi/gandi_api.py", line 36, in _get_url
    '/'.join(urllib.parse.quote(seg, safe='') for seg in segs)
  File "/usr/local/lib/python2.7/dist-packages/certbot_plugin_gandi/gandi_api.py", line 36, in <genexpr>
    '/'.join(urllib.parse.quote(seg, safe='') for seg in segs)
AttributeError: 'module' object has no attribute 'parse'
An unexpected error occurred:
AttributeError: 'module' object has no attribute 'parse'

Any pointers would be appreciated.

Configuration of plugin in cli.ini

Thanks for the great plugin, that is much appreciated!

First of all, all works when run from the command line, there are no issues.

Now I am trying to put the necessary arguments into the /etc/letsencrypt/cli.ini which is read by certbot (at least on Debian systems). The content there now looks like

# Because we are using logrotate for greater flexibility, disable the
# internal certbot logrotation.
max-log-backups = 0
authenticator = certbot-plugin-gandi:dns
certbot-plugin-gandi:dns-credential = /etc/letsencrypt/gandi.ini

Unfortunately, this is not accepted by certbot conf file parser:

certbot: error: ambiguous option: --certbot-plugin-gandi could match --certbot-plugin-gandi:dns-propagation-seconds, --certbot-plugin-gandi:dns-credentials

it seems to break at the colon.

Do you know a way around this? Other plugins don't use the colon notation.

Thanks

Norbert

Unable to get base domain

I'm running a debian bullseye system with the package python3-certbot-dns-gandi version 1.2.5-3. Recently communication with Gandi Livedns Api stopped working (as already mentioned in #35). I manually applied a446c6c (#34), but it's still not working.

$ certbot renew --cert-name domain.tld --dry-run --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns, Installer nginx
Simulating renewal of an existing certificate for domain.tld and www.domain.tld
Performing the following challenges:
dns-01 challenge for domain.tld
dns-01 challenge for www.domain.tld
Cleaning up challenges
Unable to find or delete the DNS TXT record: Unable to get base domain for "domain.tld"
Unable to find or delete the DNS TXT record: Unable to get base domain for "www.domain.tld"
Failed to renew certificate domain.tld with error: An error occurred adding the DNS TXT record: Unable to get base domain for "domain.tld"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/domain.tld/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Somehow there is probably a wrong query somewhere. It's probably the function _get_base_domain in gandi_api.py, but I'm not that fluent in Python.

Full log of above request.

2022-08-11 10:21:04,133:DEBUG:certbot._internal.main:certbot version: 1.12.0
2022-08-11 10:21:04,134:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-08-11 10:21:04,134:DEBUG:certbot._internal.main:Arguments: ['--cert-name', 'domain.tld', '--dry-run', '--debug-challenges']
2022-08-11 10:21:04,134:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-plugin-gandi:dns,PluginEntryPoint#dns,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-08-11 10:21:04,179:DEBUG:certbot._internal.log:Root logging level set at 20
2022-08-11 10:21:04,179:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-08-11 10:21:04,180:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/domain.tld.conf
2022-08-11 10:21:04,187:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f602813db80> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f602813db80>
2022-08-11 10:21:04,187:DEBUG:certbot._internal.cli:Var dry_run=True (set by user).
2022-08-11 10:21:04,187:DEBUG:certbot._internal.cli:Var server={'dry_run', 'staging'} (set by user).
2022-08-11 10:21:04,187:DEBUG:certbot._internal.cli:Var account={'server'} (set by user).
2022-08-11 10:21:04,205:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-08-11 10:21:04,213:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-08-11 10:21:04,214:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/domain.tld/cert6.pem is signed by the certificate's issuer.
2022-08-11 10:21:04,216:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/domain.tld/cert6.pem is: OCSPCertStatus.GOOD
2022-08-11 10:21:04,221:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-08-27 21:55:06 UTC.
2022-08-11 10:21:04,221:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing...
2022-08-11 10:21:04,221:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns and installer nginx
2022-08-11 10:21:06,185:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f6028351790>
Prep: True
2022-08-11 10:21:06,186:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns
Description: Obtain certificates using a DNS TXT record (if you are using Gandi for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns = certbot_plugin_gandi.main:Authenticator
Initialized: <certbot_plugin_gandi.main.Authenticator object at 0x7f6027dcca60>
Prep: True
2022-08-11 10:21:06,186:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_plugin_gandi.main.Authenticator object at 0x7f6027dcca60> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f6028351790>
2022-08-11 10:21:06,186:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns, Installer nginx
2022-08-11 10:21:06,207:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/64105154', new_authzr_uri=None, terms_of_service=None), 80897d43a455c9f61fe330fa0eb2cffd, Meta(creation_dt=datetime.datetime(2022, 8, 11, 7, 0, 20, tzinfo=<UTC>), creation_host='localhost', register_to_eff=None))>
2022-08-11 10:21:06,208:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2022-08-11 10:21:06,209:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2022-08-11 10:21:06,657:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 822
2022-08-11 10:21:06,657:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 11 Aug 2022 08:21:06 GMT
Content-Type: application/json
Content-Length: 822
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/get/draft-aaron-ari/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert",
  "ypX3PU-Xdw4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2022-08-11 10:21:06,658:DEBUG:certbot.display.util:Notifying user: Simulating renewal of an existing certificate for domain.tld and www.domain.tld
2022-08-11 10:21:07,529:DEBUG:acme.client:Requesting fresh nonce
2022-08-11 10:21:07,529:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2022-08-11 10:21:07,681:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-08-11 10:21:07,681:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 11 Aug 2022 08:21:07 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001OPdzQDnygyXeH852luRDB9-sFGqz7V9nOhUa4qaPHFo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2022-08-11 10:21:07,681:DEBUG:acme.client:Storing nonce: 0001OPdzQDnygyXeH852luRDB9-sFGqz7V9nOhUa4qaPHFo
2022-08-11 10:21:07,682:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "domain.tld"\n    },\n    {\n      "type": "dns",\n      "value": "www.domain.tld"\n    }\n  ]\n}'
2022-08-11 10:21:07,687:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82NDEwNTE1NCIsICJub25jZSI6ICIwMDAxT1BkelFEbnlneVhlSDg1Mmx1UkRCOS1zRkdxejdWOW5PaFVhNHFhUEhGbyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "g7c_GV9PbiaRp5CpJHUhaDA9q0Z8yU-G1ki62Qh_GWYmogDrDkBlJRxHbmSmguPyt2f_9puLQqQ5URE7fDM1gufeqURjAFYVDagD3zrvg9ENShIOdewFaWGkuHhJ1_uDbrWYQTrIo4B0lb79GHKpzC8KLWfv_UdCe51QpGx5hjOQFJ82IjpdTcwAifHV8_O9MtiT7BL136h8Uq1JVEg-USkFKUpZ3NSAJTvkZx6RaB5fXfdRu3xdeEKBuWM2vYIfPae4uczVPxKHKggu_AQqT24uF7GjrakeKv25UczT3AZwcawdB6Hw0NNE2g7q4mz9zRq407TG7ZXqYi0nlBaIQyyhvfWkth-0JzaxtBvk3ojEc6c0h8OzIP8M_3IDE31e_i32S0AYupY8RZgvp3Bo73uThvCep1Yj2_Y_WGp9Y2qiG-O9wjNZTYVerB7A7kKoe-KncKHnGYYoZOhVXpJRiDcXczTm4FRFlfiUZpBIh2EaZE7KJ3BSEr2jILDh4bfFedKNMOKbbSKxBHUbvQQLCIWWrlGrROx0Z2L1_C2aKKPdBtnX2IT9FnIcyRgGHLydym4frzerMYcQI0wFK3d6eVRiJ11wzyJjy7zF0CpEDWXniPXItL_fWMHEq8oE05n8lz-FMunGbkYJvRT34phM9MF7B4WmZb8tPpUS_qP8pS4",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImVsc2llLnBob3RvIgogICAgfSwKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInd3dy5lbHNpZS5waG90byIKICAgIH0KICBdCn0"
}
2022-08-11 10:21:07,840:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 491
2022-08-11 10:21:07,840:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 11 Aug 2022 08:21:07 GMT
Content-Type: application/json
Content-Length: 491
Connection: keep-alive
Boulder-Requester: 64105154
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/64105154/3598910284
Replay-Nonce: 0001GHoPcPHV2jJPvmhW6jS9dKUAfp9krFkfmTOovQoOmgM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-08-18T07:00:23Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "domain.tld"
    },
    {
      "type": "dns",
      "value": "www.domain.tld"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3302248624",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3302248634"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/64105154/3598910284"
}
2022-08-11 10:21:07,840:DEBUG:acme.client:Storing nonce: 0001GHoPcPHV2jJPvmhW6jS9dKUAfp9krFkfmTOovQoOmgM
2022-08-11 10:21:07,840:DEBUG:acme.client:JWS payload:
b''
2022-08-11 10:21:07,846:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3302248624:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82NDEwNTE1NCIsICJub25jZSI6ICIwMDAxR0hvUGNQSFYyakpQdm1oVzZqUzlkS1VBZnA5a3JGa2ZtVE9vdlFvT21nTSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMzAyMjQ4NjI0In0",
  "signature": "Cp9-EURpOaZfJdSp_KFYunxeXr1cA4KO4jaJf-7n1Tqyi_dL0zxNWXnZG0RVRnOb7osDoSYDRHlJYNc1pzxAPSqavGYiTbE6x17L-gGUg-dIVxhvKyJYJ2MTzuMvPisffXApHYR7cLQrH8rqT0gUTJdvVaHxSCZRU7J8oZrcWxtAfm0I8SihxUcHvT3ATNbeAWNcKInjAZuJvGM8K2fquSxtQMuFDi3vRzCa3I6WG6r3SOw15KbzOUOjtX3GFqgZZrRTCrPGFHxYXeGi8c1m0zXFDLOfVHtxSJ4YKJR7TVoOi-nN4osTtNsE8O4wwEajZlaKxxeE_Zbxw97b4vBD6BBdnk3caD6sNu4dgCIjpQkNo1zIF-o_8MBO33vhdkVAHY2B7Lf8AK3SQZb1YI25t6vRrOaF8bdL9Wr0YmPXOGVqvRQ21-_8Sg8Nyw0pTH9MapGxK8lzh7o2VB7ndRS1kqnLq3OfSNUn59u9gDFEJlkk0-0anuDF5EbUXgb43-15iIM_uivI3lrBfaVWRfqY_4U2gnhETxazAgePLzZbONeOfXhDCqTorTVqbPxgC2LoQ8JhR6-SxQti5lDv0QZDxF_El69_y0FtcT5w7eS1s49beAJ2Q70quQOrPdAS75Q58QJIscjajPt22E-RrN-9XX9rCPrVmJdCCPxDg2KbMMI",
  "payload": ""
}
2022-08-11 10:21:07,997:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/3302248624 HTTP/1.1" 200 813
2022-08-11 10:21:07,997:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 11 Aug 2022 08:21:07 GMT
Content-Type: application/json
Content-Length: 813
Connection: keep-alive
Boulder-Requester: 64105154
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001GdE6mL5grL4M7aKhivpOf5_-KbAn_tjWDBkOSxvG2rQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "domain.tld"
  },
  "status": "pending",
  "expires": "2022-08-18T07:00:23Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3302248624/32jdHg",
      "token": "rvUcqCUcheEoeiAEXMT-C78AFO9Xc9wh_87WGpyo8qw"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3302248624/OW6X2g",
      "token": "rvUcqCUcheEoeiAEXMT-C78AFO9Xc9wh_87WGpyo8qw"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3302248624/jIPRsA",
      "token": "rvUcqCUcheEoeiAEXMT-C78AFO9Xc9wh_87WGpyo8qw"
    }
  ]
}
2022-08-11 10:21:07,997:DEBUG:acme.client:Storing nonce: 0001GdE6mL5grL4M7aKhivpOf5_-KbAn_tjWDBkOSxvG2rQ
2022-08-11 10:21:07,997:DEBUG:acme.client:JWS payload:
b''
2022-08-11 10:21:08,003:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3302248634:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82NDEwNTE1NCIsICJub25jZSI6ICIwMDAxR2RFNm1MNWdyTDRNN2FLaGl2cE9mNV8tS2JBbl90aldEQmtPU3h2RzJyUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMzAyMjQ4NjM0In0",
  "signature": "XVI0EX8tx6AMIzJo2ckJYY47pWxgmoonE2vinLmL7cfo6wrXjzpfau7ixpPFjWyJwq68b_Rrd5dfKyWD4ugxeCVuNSHzMglA9LHyc8RDTNsA3g9mimE3H_YRg4THD2BsJhan8tztFnz-1CMuw0ZJxYrtNZ2Ooj-06yvgvb0_hqKTMs-q0HrdT9Ww05DuzfYhYVXBYlQMV9Az73zhZlRgVncfz_h-OPyXaQOTr66VlGGGPOc3Lz0D7h0NG2-GHD7LltQgskL0FhfV222K3JU7c8yW91hGBrp5J_OYW0JrRicD9OwBVLdwoV6K8cGVveiwIP09YAn6WadXQ1ak6aaqPvBfqFHt78USiyUnOa_2dJuE2t4hJBSupzK2ZggxktmIfDpHAclcPJliKp8HgsA9ucFZltJRaOw9FTdjw2JPa2YlEMuijOtaXUlCG5EkKz_dpSfET-rixxUwJeQ7hsjYZ8HFWlm1-hpB-ofCzMuOMowhm1tJ7QfFBulL2EQrkgikd3E1WF_R0QYnvvU1sHy2hYFBJsLwp8OvzyApvpPSP-dWF-7UcFE9syJNt-rQbIKK0mGn5TqT-MelyWyzyfIL8kPA3BSPAGUpN1Uea-KByolwmdlOaCzzx1TggPnnaV25FsqkzKOPe9M2K-62HF2w7615xhCfkdokcZmEMs5ArUc",
  "payload": ""
}
2022-08-11 10:21:08,153:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/3302248634 HTTP/1.1" 200 817
2022-08-11 10:21:08,154:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 11 Aug 2022 08:21:08 GMT
Content-Type: application/json
Content-Length: 817
Connection: keep-alive
Boulder-Requester: 64105154
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00010M8vyS9R9mnzrmCCzPUt5_vbB4Jr149WPjj7An2gBlg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.domain.tld"
  },
  "status": "pending",
  "expires": "2022-08-18T07:00:23Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3302248634/COfA3g",
      "token": "s3cQWnxR0ptUATieKmmklTb-gitdjsjcHnpnL-aH1WI"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3302248634/QxrSJg",
      "token": "s3cQWnxR0ptUATieKmmklTb-gitdjsjcHnpnL-aH1WI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3302248634/CgJcbw",
      "token": "s3cQWnxR0ptUATieKmmklTb-gitdjsjcHnpnL-aH1WI"
    }
  ]
}
2022-08-11 10:21:08,154:DEBUG:acme.client:Storing nonce: 00010M8vyS9R9mnzrmCCzPUt5_vbB4Jr149WPjj7An2gBlg
2022-08-11 10:21:08,154:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-08-11 10:21:08,154:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.tld
2022-08-11 10:21:08,155:INFO:certbot._internal.auth_handler:dns-01 challenge for www.domain.tld
2022-08-11 10:21:08,156:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-08-11 10:21:08,247:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/domain.tld HTTP/1.1" 400 None
2022-08-11 10:21:08,249:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-08-11 10:21:08,301:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/photo HTTP/1.1" 400 None
2022-08-11 10:21:08,303:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3/dist-packages/certbot_plugin_gandi/main.py", line 59, in _perform
    raise errors.PluginError('An error occurred adding the DNS TXT record: {0}'.format(error))
certbot.errors.PluginError: An error occurred adding the DNS TXT record: Unable to get base domain for "domain.tld"

2022-08-11 10:21:08,303:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-08-11 10:21:08,303:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-08-11 10:21:08,304:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-08-11 10:21:08,356:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/domain.tld HTTP/1.1" 400 None
2022-08-11 10:21:08,357:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-08-11 10:21:08,410:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/photo HTTP/1.1" 400 None
2022-08-11 10:21:08,411:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "domain.tld"
2022-08-11 10:21:08,412:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-08-11 10:21:08,465:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/www.domain.tld HTTP/1.1" 400 None
2022-08-11 10:21:08,467:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-08-11 10:21:08,518:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/domain.tld HTTP/1.1" 400 None
2022-08-11 10:21:08,520:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-08-11 10:21:08,571:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/photo HTTP/1.1" 400 None
2022-08-11 10:21:08,572:WARNING:certbot_plugin_gandi.main:Unable to find or delete the DNS TXT record: Unable to get base domain for "www.domain.tld"
2022-08-11 10:21:08,573:ERROR:certbot._internal.renewal:Failed to renew certificate domain.tld with error: An error occurred adding the DNS TXT record: Unable to get base domain for "domain.tld"
2022-08-11 10:21:08,573:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 485, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1234, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 123, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 345, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3/dist-packages/certbot_plugin_gandi/main.py", line 59, in _perform
    raise errors.PluginError('An error occurred adding the DNS TXT record: {0}'.format(error))
certbot.errors.PluginError: An error occurred adding the DNS TXT record: Unable to get base domain for "domain.tld"

2022-08-11 10:21:08,573:DEBUG:certbot.display.util:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-08-11 10:21:08,573:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2022-08-11 10:21:08,574:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/domain.tld/fullchain.pem (failure)
2022-08-11 10:21:08,574:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-08-11 10:21:08,574:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.12.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1413, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1317, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 510, in handle_renewal_request
    raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2022-08-11 10:21:08,574:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

Support for certbot snap installation mode

Hello, first, thanks a lot for your plugin.
I've been using it for a long time along with a certbot-auto installation.
This kind of installation is unfortunately no longer available for my OS (Debian).

So I have to switch to the officially supported "snap" installation mode described here

The problem is I don't know how to install your plugin with this mode.
pip install certbot-plugin-gandi does work but is not detected by the snap installation.

Can you please help me?
Thanks!

Certificate acquisition fails with "Unable to get base domain [...]"

I've read through the documentation extensively, viewed both open and closed issues and even looked at the source code - I cannot figure out what the problem is.

I've censored the domain deliberately.

Setup on an Ubuntu 22.04:

apt-get install certbot python3-pip
pip3 install certbot-plugin-gandi

Content of /root/Gandi.ini with censored API key:

dns_gandi_api_key=aaabbbfffdddeeeff

The key is 100% correct.

Command to acquire the cert:

certbot certonly --authenticator dns-gandi --dns-gandi-credentials /root/Gandi.ini -d subdomain.domain.tld --post-hook "systemctl reload nginx"

Error message on the console:

Requesting a certificate for subdomain.domain.tld
Unable to find or delete the DNS TXT record: Unable to get base domain for "subdomain.domain.tld"

Notable lines from the log file:

2022-11-19 12:03:37,591:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-11-19 12:03:37,591:INFO:certbot._internal.auth_handler:dns-01 challenge for subdomain.domain.tld
2022-11-19 12:03:37,592:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-11-19 12:03:37,844:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/subdomain.domain.tld HTTP/1.1" 403 105
2022-11-19 12:03:37,846:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-11-19 12:03:38,715:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/domain.tld HTTP/1.1" 403 105
2022-11-19 12:03:38,717:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.gandi.net:443
2022-11-19 12:03:39,843:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/tld HTTP/1.1" 403 105
2022-11-19 12:03:39,844:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/dns_common.py", line 67, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.10/dist-packages/certbot_plugin_gandi/main.py", line 59, in _perform
    raise errors.PluginError('An error occurred adding the DNS TXT record: {0}'.format(error))
certbot.errors.PluginError: An error occurred adding the DNS TXT record: Unable to get base domain for "subdomain.domain.tld"

2022-11-19 12:03:39,845:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-11-19 12:03:39,845:INFO:certbot._internal.auth_handler:Cleaning up challenges

What's the catch? What else can I do to narrow down the problem?
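An added triage example (not part of either report and not the plugin's own code) for the two "Unable to get base domain" logs above: it pulls the LiveDNS zone lookups out of a certbot debug log and classifies the failure by HTTP status, because the plugin prints the same message whether the API answered 400 or 403. The function names, verdict labels and status interpretations (generic HTTP semantics, not Gandi documentation) are assumptions, and the sample lines are constructed from the ones quoted above.

```python
import re

# Constructed samples, modelled on the debug-log lines quoted in the two reports.
LOG_403 = """\
2022-11-19 12:03:37,591:INFO:certbot._internal.auth_handler:dns-01 challenge for subdomain.domain.tld
2022-11-19 12:03:37,844:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/subdomain.domain.tld HTTP/1.1" 403 105
2022-11-19 12:03:38,715:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/domain.tld HTTP/1.1" 403 105
2022-11-19 12:03:39,843:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/tld HTTP/1.1" 403 105
2022-11-19 12:03:39,845:INFO:certbot._internal.auth_handler:Cleaning up challenges
"""
LOG_400 = """\
2022-08-11 10:21:08,154:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.tld
2022-08-11 10:21:08,247:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/domain.tld HTTP/1.1" 400 None
2022-08-11 10:21:08,301:DEBUG:urllib3.connectionpool:https://api.gandi.net:443 "GET /v5/livedns/domains/tld HTTP/1.1" 400 None
"""

# One urllib3 debug line per LiveDNS zone lookup: zone name and HTTP status.
LOOKUP_RE = re.compile(
    r'urllib3\.connectionpool:https://api\.gandi\.net:443 '
    r'"GET /v5/livedns/domains/(?P<zone>[^\s/"]+) HTTP/1\.1" (?P<status>\d{3})\b'
)

# What to check first for each verdict (assumed guidance, from HTTP semantics).
HINTS = {
    "credentials-rejected": "API key or its access to the zone, not the domain name",
    "request-rejected": "the request itself was refused; the zone name is not the problem",
    "zone-not-in-account": "no candidate zone exists under this account",
    "zone-found": "lookup succeeded; the failure is elsewhere",
    "mixed": "different statuses per candidate; read them individually",
    "no-lookups": "the plugin never reached the API",
}


def zone_lookups(log_text):
    """Return [(zone, status), ...] in the order the lookups were logged."""
    return [(m["zone"], int(m["status"])) for m in LOOKUP_RE.finditer(log_text)]


def candidate_zones(fqdn):
    """Label walk seen in the logs: drop the leftmost label until one remains."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def classify(statuses):
    """Map the set of observed status codes to a verdict label."""
    codes = set(statuses)
    if not codes:
        return "no-lookups"
    if 200 in codes:
        return "zone-found"
    if codes <= {401, 403}:
        return "credentials-rejected"
    if codes == {400}:
        return "request-rejected"
    if codes == {404}:
        return "zone-not-in-account"
    return "mixed"


def diagnose(log_text):
    """Summarise the lookups behind an 'Unable to get base domain' error."""
    lookups = zone_lookups(log_text)
    verdict = classify(status for _, status in lookups)
    return {
        "lookups": lookups,
        "verdict": verdict,
        "hint": HINTS[verdict],
        # A dot-less zone means every candidate failed and the walk hit the TLD.
        "reached_bare_tld": any("." not in zone for zone, _ in lookups),
    }


if __name__ == "__main__":
    for name, text in (("403 report", LOG_403), ("400 report", LOG_400)):
        result = diagnose(text)
        print(name, result["verdict"], "-", result["hint"])
        for zone, status in result["lookups"]:
            print("   ", status, zone)
```

Run against a real `/var/log/letsencrypt/letsencrypt.log`, a uniform 403 or 400 across every candidate zone points at the credentials or the request rather than at the domain's zone layout.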
