Support for Strato Let'e Encrypt DNS challenge #1154
Comments
psychofaktory
added
the
dns provider request
|
Unfortunately the current version of NPM only supports DNS-challenge providers which have a certbot dns plugin. The link you posted is only a manual auth hook certbot integration, which is not supported. And it seems there currently is no actual certbot dns plugin. |
chaptergy
added
the
no certbot plugin available
|
For others with the same problem: Not a certbot dns plugin, but I've got it managed to get a wildcart cert with the workaround mentioned here:
Up until here you should have SSL working for the domain, but not the subdomains.
Now the cert setup in step 2. contains an wildcard-alias an can be assigned to the wildcard subdomain from step 1. I hope this help some. |
Thanks for your how to. Thanks a lot. |
When the SSL certificate is created in step 2, NPP automatically creates a job that regularly renews the certificate. |
|
Hi, some things i have noticed. (All files mentioned come from here: https://github.com/Buxdehuda/strato-certbot)
Okay, after this, your workaround works, but i get this error message, even so the certificate generation works: After issuing point 8. of the workaround i get this output. [...] Hook 'deploy-hook' reported error code 1 Successfully received certificate. Any ideas? |
|
I modified the code from the aforementioned repository to provide a regular certbot dns authentication plugin, which can be directly integrated into NPM (see here). If you would like to give it a try, follow these instructions. .
.
.
//####################################################//
strato: {
display_name: 'Strato',
package_name: 'certbot-dns-strato',
version_requirement: '~=0.1.1',
dependencies: '',
credentials: `dns_strato_username = user
dns_strato_password = pass
# uncomment if domain name contains special characters
# insert domain display name as seen on your account page here
# dns_strato_domain_display_name = my-punicode-url.de`,
full_plugin_name: 'dns-strato',
},
.
.
.I was successful using option 2 mentioned in the linked comment. version: '3'
services:
app:
image: 'jc21/nginx-proxy-manager:latest'
restart: always
ports:
- '80:80'
- '1080:81'
- '443:443'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
# map custom code into the container to support strato dns
- ./custom-npm/global/certbot-dns-plugins.js:/app/global/certbot-dns-plugins.js:ro
- ./custom-npm/frontend/dist:/app/frontend:ro
networks:
default:
external: true
name: nginx-proxy-managerNote that the code is still in an experimental stage. |
|
Nice work. :) Where do i need to place the files from your repository? |
Thank you :-) You don't need to touch my repository -- it is just a place for the plugin to live. The code is uploaded to PyPi so it is available from anywhere where there is python pip installed. Thus npm can grab it by itself. You just need to introduce this plugin to npm by inserting the given configuration snippet posted above and then building the npm frontend from this repository. Once that's done, you can use the build directory and mount it into your docker container at the specific location where the prebuilt frontend was living (you basically shadow it with the new version). Then you're good to go. In fact I have this setup up and running since my post without any issues :-) So what you need to do:
(-: Hope this helps |
|
Thank you. :) You Pull requests got answered: #2929 (comment) I've tested the docker image, works like a charm! Thank you so much for your work! |
|
Hi guys, i postet this also in the Pull Request but dont know if anyone sees this there: i read this and wanted to try it out but i think i dont get it... also my strato is locked with 2fa sorry but i dont understand the things under user and pass... this is the example: and now how to fill it? the last two i dont understand... i testet with: dns_strato_username = NUMBERS pls help or point me a good example from someone who got it to work. it would be easier then the normal challenge then there are at time internal errors -,- (new request worked...) thank you so much... EDIT: have to put ' infront of # to avoid funky things... |
In the topmost field of the basic certificate settings it should say I guess you already tried both variants, rights? If that's the case, I might have spotted an error with TFA. Since I did not configure it yet (shame on me), this didn't come to light.
Please try as I explained, if you did not already do so and report back. Then I will proceed to making the adjustments in code. |
|
hi ho and thx for the answer, ok then i think its easier to work with pictures... i testet a lot, but i always get an Error so hier my config (as i understand from your text): 
and this is the error i get:
Do i have to put something in Strato first? i own the domain but is something to do for the wildcard Thank you for your help :) |
|
Do you have something new for me @FlixMa ? |
|
I am sorry, I didn’t have time to do it as I am currently on vacation. I’ll be back in September. |
|
I tried the same @Yoshi315161, but im getting the same error. Is there something i can look for in the debug log? ////Update I checked some more, what i think happens, is that the url you use in your 'certbotstratoapi.py' is for strato.DE Is it an option to add the API url to the settings? |
|
Hey all, sorry for the late reply. I did not know, that strato was serving their page in other countries than Germany. So this actually might be cause for troubles with some users. In the recent commit I added the option to fully customise the API endpoint:
You will probably only set the I have just published a new version of the certbot strato dns challenge pypi package: from certbot_dns_strato.dns_strato import _StratoApi
# change the placeholders and api host to match the one you are logging in to (e.g. '.nl' for the Netherlands).
strato = _StratoApi('your_domain_display_name', custom_api_host='www.strato.nl')
strato.login('my_username', 'my_password')
strato.set_domain_name('your_domain_name')
strato.get_package_id()
strato.get_txt_records()
strato.set_amce_record('hello', 'world')
strato.push_txt_records()The result should look like this: I hope the NPM auto-updates the package soon, so you'll be able to use the additional options from inside NPM. Also please let me know, if this fixes the problem for you, @Yoshi315161. Cheers |
|
Hey @FlixMa, now i have a wildcard with DNS Challange :D (and TOPT) my config is the same like the picture above the only difference is that i deletet the last three lines. |
|
Hey @Yoshi315161, vacation was alright; thanks for asking. Glad to hear you got it working. Then the issue might actually have been that the 2FA detection was not only broken for other countries, but also for strato.de. That is actually very likely as it was based on user-facing string matching, which of course might change more frequently than an API. I did. change that behaviour to be based on whether you provide 2FA credentials or not, to make it compatible with other languages. Do you mind sharing how you updated the pip package inside your NPM docker container? This way others can profit as well :) Have a nice weekend! |
|
Ofcourse I can. After that I tested again in NPM and it worked. You too :) |
Hi, when I run: frontend-build file does not exist Any suggestion |
|
The script has been moved to a subfolder: I am not sure if it will work, though. There might have been other breaking changes since spring 2023. But may I ask, why you want to use those steps? The plugin should already show up without any additional changes since #2929 got merged. So you probably don’t need to build it for yourself :) |
|
I have updated to the latest version 2.10.4 and I have already seen it |
|
When I try to create an SSL certificate it gives an error:
I have also updated to version 0.2.0 from Portainer |
|
Unfortunately I haven't seen this error before. You can try to have a look into the debug log. There might be useful information inside. If you are unsure if this has to do with the strato plugin itself, you might want to post a new issue. |
|
It's already solved. In case it helps anyone :) |
|
I added a more descriptive configuration template to simplify onboarding for new users. See pull request #3212 for more information. |
|
After updating to 0.2.1 I could renew the wildcard certificate for one of my two domains. For the other I still get the same error as before. Any hints how to solve this? Using the https://github.com/Buxdehuda/strato-certbot certbot I can at least receive the fitting certificate, so there it seems to be fixed :) |
|
I can confirm that renewal after manually updating to 0.2.1 works. But why is that version not updated in the official docker container? |
|
For me it still only works for the first of my domains. |
|
Sadly, neither can I renew my wildcard cert nor can I request a new one with any combination of the settings from above. I tried with updating the python package as well. I still get an "internal error" without any indication to the error itself. |
|
I could successfully create my wildcard certificate, but still can't reach the subdomains when I select it for the proxy host. Btw it says the domains have to already be created. Does that mean that the wildcard certificate will only be created for the subdomains already added in the Strato account? |
You need to register your subdomains manually at strato. NGINX can't register Subdomains for you. You need to register your subdomains and set the ip where they should point to. Or you could set a CNAME to point to the same IP as your DYNDNS Domain. The Wildcard certificate is valid for all subdomains. No matter if they existed before or after the certificate generation. |
|
@nevyen I would like it to use the same IP as the DynDNS domain. How do I do this with the CNAME? Shouldn't this be automatically set up? I have DynDNS deactivated for the subdomain and I realized that the IP differs from the main domain. I would assume they are the same. I am still being greeted with the Strato landing page on the subdomain, so the proxy doesn't seem to work. The certificate for my main domain also is not trusted by Firefox today and it points to my router's WebUI. Yesterday this still worked. Really hard to set this up. DuckDNS was so straight-forward. |
|
@jclsn for each subdomain you must set the CNAME to the domain you registered in your routers dyndns. Referr to https://www.strato.de/faq/domains/wie-kann-ich-bei-strato-meine-dns-eintraege-verwalten/#cname |
|
@jclsn Its not about your proxy not working, but rather a wrong configuration in your strato package. Each subdomain can point to a different server, thus strato allowing you to assign different IPs to each subdomain. If you just need them to all point to the same server (e.g. your npm instance) than you can either set up your router to supply dyndns for all your subdomains or just use CNAME records in your primary domain. CNAME stands for canonical name and are basically the DNS way of saying „this is an alias for that“. |
|
The link you sent me is an A-record, where I should enter an IP, although I don't understand how this would work with DynDNS. Afaik the IP changes from time to time.
I looked at changing the CNAME, but it doesn't accept maindomain.de. Calling the Strato support now. I just wonder why the proxy for the main domain is not working anymore. This is probably a configuration issue with NPM. My DuckDNS proxies are still active and working though.
|
|
So I added maindomain.de. as CNAME and now the FritzBox is complaining about DNS Rebind protection. The Strato customer support didn't know how to help me :D Guess they only have qualified support for corporate customers.
|
|
I just realized it works correctly from outside my network. Just tried it with my phone. As soon as I connect to the wifi thoug, the maindomain.de is showing me the router's web ui and the subdomains gives me the rebind protection warning.
|
|
I gave up with Strato DNS plugin. I kept my domain with Strato but moved the DNS Records off to a free Account on Cloudflare. Now the certs incl. wildcard working without any issues also renewing them is not a problem anymore. |
|
Ha, I made it! Seems like you can't use the DynDNS in the FritzBox. Using ddclient works much better! So here is what I did:
|
|
When requesting wildcard certificates for my .de domain, i´m still running into issues. The cert request just aborts, with no visible error message. This problem only comes up for .de domains, found my .com and .eu domains from same strato account are working fine. Any idea, what could block me here? Using Nginx Proxy Manager v2.11.1, certbot-dns-strato v0.2.1 Full log of issue
2024-05-02 16:18:38,612:DEBUG:certbot._internal.main:certbot version: 2.1.0
2024-05-02 16:18:38,612:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-05-02 16:18:38,612:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-52', '--agree-tos', '--email', '[email protected]', '--domains', 'domain.de', '--authenticator', 'dns-strato', '--dns-strato-credentials', '/etc/letsencrypt/credentials/credentials-52']
2024-05-02 16:18:38,612:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#dns-duckdns,PluginEntryPoint#dns-porkbun,PluginEntryPoint#dns-strato,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-05-02 16:18:38,619:DEBUG:certbot._internal.log:Root logging level set at 30
2024-05-02 16:18:38,619:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-strato and installer None
2024-05-02 16:18:38,620:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-strato
Description: Obtain certificates using a DNS TXT record (if you are using Strato for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-strato = certbot_dns_strato.dns_strato:Authenticator
Initialized: <certbot_dns_strato.dns_strato.Authenticator object at 0x7e703bb94090>
Prep: True
2024-05-02 16:18:38,620:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_strato.dns_strato.Authenticator object at 0x7e703bb94090> and installer None
2024-05-02 16:18:38,620:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-strato, Installer None
2024-05-02 16:18:38,658:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1598501227', new_authzr_uri=None, terms_of_service=None), 307c450e4e4c8df29a05c7f1e282d970, Meta(creation_dt=datetime.datetime(2024, 3, 2, 14, 50, 24, tzinfo=<UTC>), creation_host='reverse-proxy.localdomain', register_to_eff=None))>
2024-05-02 16:18:38,658:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-05-02 16:18:39,085:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Content-Type: application/json
Content-Length: 747
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"OCi65trDFA8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2024-05-02 16:18:39,086:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for domain.de
2024-05-02 16:18:39,097:DEBUG:certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0064_key-certbot.pem
2024-05-02 16:18:39,107:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0064_csr-certbot.pem
2024-05-02 16:18:39,110:DEBUG:acme.client:Requesting fresh nonce
2024-05-02 16:18:39,111:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2024-05-02 16:18:39,251:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: O0afatDIUYo_tvD0qKgcSxmqX1tK9R_NX45BGoQ8WT4UCWOsn-U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
2024-05-02 16:18:39,252:DEBUG:acme.client:Storing nonce: O0afatDIUYo_tvD0qKgcSxmqX1tK9R_NX45BGoQ8WT4UCWOsn-U
2024-05-02 16:18:39,252:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "domain.de"\n }\n ]\n}'
2024-05-02 16:18:39,260:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTU5ODUwMTIyNyIsICJub25jZSI6ICJPMGFmYXRESVVZb190dkQwcUtnY1N4bXFYMXRLOVJfTlg0NUJHb1E4V1Q0VUNXT3NuLVUiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
"signature": "TNaLqp0iX0oneAfzg9KFPB5WFMIwk-983BR1hw2ProTI74Str79_tfoXWjx40wIBPFiIG5eQkohC93KrX6iPNFIo9se4OlTJwpYxolUYDehXtyY6yULfpOMXQBcDUxkUARB0cW5ERoyRVz16CHi8oiCxOkYGRwB3St_EOPCYPKNAxAiRSjT-hb4ONIe_9iSRcgeDBGfqwrp104cRnNJB9qVPVOCpqtoM9WzX5pF9TIY6pKI-uX47FPQR9fcZ3_lbFm53a5Iz9Byt7_Bav1wKvZmZf_noK3u66AAHMjSg05bb3hqS2FoJqR1TB0Kc4YIPF_BSX_3CA-ronONwE4dfhA",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIndvbGV3aWVuc2tpLmRlIgogICAgfQogIF0KfQ"
}
2024-05-02 16:18:39,414:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Content-Type: application/json
Content-Length: 340
Connection: keep-alive
Boulder-Requester: 1598501227
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1598501227/265980151337
Replay-Nonce: Y_7AIQuUkd3e3_rcDcX4pgPvzO4_O7YtbF9-GNnBAG3kkijVcoA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"status": "pending",
"expires": "2024-05-09T14:10:50Z",
"identifiers": [
{
"type": "dns",
"value": "domain.de"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/345790981617"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1598501227/265980151337"
}
2024-05-02 16:18:39,415:DEBUG:acme.client:Storing nonce: Y_7AIQuUkd3e3_rcDcX4pgPvzO4_O7YtbF9-GNnBAG3kkijVcoA
2024-05-02 16:18:39,415:DEBUG:acme.client:JWS payload:
b''
2024-05-02 16:18:39,417:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/345790981617:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTU5ODUwMTIyNyIsICJub25jZSI6ICJZXzdBSVF1VWtkM2UzX3JjRGNYNHBnUHZ6TzRfTzdZdGJGOS1HTm5CQUcza2tpalZjb0EiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzM0NTc5MDk4MTYxNyJ9",
"signature": "PNZq4tTE50GX_sy3ClPHI4W9tjzlHLWdvZEpCcHHVUfNxTFCGFPXQNLV-XApHrRlhytrTU6GhuVR7l378zqCOV2z4r5nXQe75t0ZqEeHJ-HE70PGhV6uD3bdpNhKdGSpZ4jmEV50oWUpWEL_AG-WjJx4E_5KV5BC3Xlno-0i9OYRlQqTmi4eki2_8NQAmJMfZliUoqiukSLyuLk126OJqGVdhiiF7Q2G4i36e1VH9VbyadoLbtfv3OAn87dJjpFJM_TBVb2X9HsA_0NnUIFp8YTYOimmRRA4--PZdlFfND0KSR4TdPlDeQoiKnlAJ-fVeA7eXyvybYqYJwyONpUWZw",
"payload": ""
}
2024-05-02 16:18:39,553:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Content-Type: application/json
Content-Length: 798
Connection: keep-alive
Boulder-Requester: 1598501227
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "domain.de"
},
"status": "pending",
"expires": "2024-05-09T14:10:50Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/e0m2DA",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/coLV5g",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/2sm9nQ",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
}
]
}
2024-05-02 16:18:39,553:DEBUG:acme.client:Storing nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
2024-05-02 16:18:39,554:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-05-02 16:18:39,555:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.deEDIT: .de-challenges
HTTP 200
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Content-Type: application/json
Content-Length: 798
Connection: keep-alive
Boulder-Requester: 1598501227
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "domain.de"
},
"status": "pending",
"expires": "2024-05-09T14:10:50Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/e0m2DA",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/coLV5g",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/2sm9nQ",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
}
]
}
2024-05-02 16:18:39,553:DEBUG:acme.client:Storing nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
2024-05-02 16:18:39,554:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-05-02 16:18:39,555:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.de.com challenges
HTTP 200
Server: nginx
Date: Thu, 02 May 2024 15:07:11 GMT
Content-Type: application/json
Content-Length: 572
Connection: keep-alive
Boulder-Requester: 1598501227
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: O0afatDIdLAdBXwvNoaYXhbL05VSQ_hxdNdTa93qwsZcu146X04
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "domain.com"
},
"status": "valid",
"expires": "2024-06-01T14:08:39Z",
"challenges": [
{
"type": "dns-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345789827577/3hjyKg",
"token": "YIgmMMYgKo7si214ERMxND-lVFb80uxq2TIMyoeHJ4k",
"validationRecord": [
{
"hostname": "domain.com",
"resolverAddrs": [
"10.1.12.85:30182"
]
}
],
"validated": "2024-05-02T14:08:39Z"
}
]
} |
Did you finally resolve this for .de domains? Having the same issue here |
Unfortunately not. There where some recommendations later, but i switched to zoraxy in the meanwhile and never looked back. Wildcard ist there not possible for strato but tested it and it looked good. Edit: Check this out, if Both of your Domains are in the Same Package, it could be this issue. So updating the cert it Plugin to 0.2.2 should fix it. |
|
With Strato I could solve by adding mydomain.de. as CNAMEAm 20.07.2024 um 09:20 schrieb markist ***@***.***>:
When requesting wildcard certificates for my .de domain, i´m still running into issues. The cert request just aborts, with no visible error message. This problem only comes up for .de domains, found my .com and .eu domains from same strato account are working fine. Any idea, what could block me here?
Using Nginx Proxy Manager v2.11.1, certbot-dns-strato v0.2.1
Full log of issue
EDIT: Only difference i found is, that .de domain is trying way more challenges and stays on status "pending" compared to .com. But all domais are routed to my homelab via dyndns and can be used/pinged & i have used the exact same credentials for both.
.de-challenges
.com challenges
Did you finally resolve this for .de domains? Having the same issue here
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
This worked for me Instruction
Credentials File Content for example Result
|
|
with activated 2FA certificate requests for subdomains or wildcards cause errors. Disabled 2FA "solves" the problem :)
|
|
Hi!
I can see that I'm been using the version certbot-dns-strato==0.2.2 I have to configure something in strato? Thanks in advance! |
|
Finally I get my wildcard certificate after some attemtps. I think I just had to wait a few hours becouse is a new domain. Thanks! For use this wildcard to subdomains like sub1.mydomain.com I have to configure something in stratos? Becouse it's not working 🙄 the one I generated for duckdns I didn't have to do anything and works. |
|
Had to set up a new machine with npm and ran into some problems when using certbot-dns-strato==0.2.1 Updating to version 0.2.2 fixed it
Im using 2FA as described by noname1001
|
This solution worked immediately for me. Thank you very much. What happens when there is a new version of the container? Do I have to perform this customization again after each pull? |
Yes, if the package version is not updated in the next image the modification has to be done again. |
|
Is this still functional? I installed strato certbot to 0.2.2 and updated the .json as mentioned. However, I always get in NPM. |
|
No idea. I moved to Ionos some time ago, because they have better domain packages with almost unlimited subdomains. |
|
Just tried it with NPM 2.12.3 and can confirm it works with @Loman0815 's guide:
|
and others
What provider would you like to see added to NPM?
Strato
Have you checked if a certbot plugin exists?
I found this here:
https://github.com/Buxdehuda/strato-certbot
The text was updated successfully, but these errors were encountered: