Letsencrypt verification fails for wildcard certificates using namecheap provider
I’m trying to get a wildcard certificate for my domain. I’ve replaced sensitive data below (like domain, api-key and api-username). When my domain.conf looks like this:
*.example.com example.com
I get the following output:
#### Registering Let's Encrypt account if needed ####
Saving debug log to /var/log/letsencrypt/letsencrypt.log
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
#### Creating missing certificates if needed (~1min for each) ####
>>> Creating a certificate for domain(s): -d *.example.com -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
Output from authenticator.sh:
Arguments: Namespace(action='create', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-01', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 650
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 440
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 642
Remote: 3
To set: 4
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 432
Output from authenticator.sh:
Arguments: Namespace(action='create', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-02', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 649
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 440
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 732
Remote: 4
To set: 5
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 433
Waiting for verification...
Cleaning up challenges
Output from cleanup.sh:
Arguments: Namespace(action='delete', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-01', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 649
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 440
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 794
list_records: [{'type': 'TXT', 'name': '_acme-challenge.example.com', 'ttl': '1800', 'content': 'CHALLENGE-01', 'id': '136346101'}]
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 794
Remote: 5
To set: 4
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 431
Output from cleanup.sh:
Arguments: Namespace(action='delete', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-02', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 649
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 440
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 732
list_records: [{'type': 'TXT', 'name': '_acme-challenge.example.com', 'ttl': '1800', 'content': 'CHALLENGE-02', 'id': '136346792'}]
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 732
Remote: 4
To set: 3
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 432
Failed authorization procedure. example.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "CHALLENGE-01" found at _acme-challenge.example.com
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: example.com
Type: unauthorized
Detail: Incorrect TXT record
"CHALLENGE-01" found at
_acme-challenge.example.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
### Revoke and delete certificates if needed ####
### Reloading supervisord configuration ###
After changing the domain.conf to
*.example.com
everything works out fine:
#### Registering Let's Encrypt account if needed ####
Saving debug log to /var/log/letsencrypt/letsencrypt.log
There is an existing account; registration of a duplicate account with this command is currently unsupported.
#### Creating missing certificates if needed (~1min for each) ####
>>> Creating a certificate for domain(s): -d *.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
Output from authenticator.sh:
Arguments: Namespace(action='create', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-01', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 648
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 441
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 641
Remote: 3
To set: 4
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 432
Waiting for verification...
Cleaning up challenges
Output from cleanup.sh:
Arguments: Namespace(action='delete', auth_client_ip='127.0.0.1', auth_sandbox=False, auth_token=None, auth_username=None, content='CHALLENGE-01', delegated=None, domain='example.com', identifier=None, log_level='DEBUG', name='_acme-challenge.example.com.', priority=None, provider_name='namecheap', ttl=None, type='TXT')
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=1 HTTP/1.1" 200 650
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.getList&Page=2 HTTP/1.1" 200 440
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 732
list_records: [{'type': 'TXT', 'name': '_acme-challenge.example.com', 'ttl': '1800', 'content': 'CHALLENGE-01', 'id': '136348636'}]
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.getHosts&SLD=example&TLD=com HTTP/1.1" 200 732
Remote: 4
To set: 3
Starting new HTTPS connection (1): api.namecheap.com
https://api.namecheap.com:443 "POST /xml.response?ApiUser=MY_USERNAME&ApiKey=MY_API_KEY&UserName=MY_USERNAME&ClientIP=127.0.0.1&Command=namecheap.domains.dns.setHosts HTTP/1.1" 200 431
Running deploy-hook command: deploy-hook.sh
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-07-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
### Revoke and delete certificates if needed ####
### Reloading supervisord configuration ###
I’m not sure why this happens but it looks like the requests sent to letsencrypt and the verification arguments are overwriting each other before the verification of the first request finished.
One more thing, I started the container like this:
sudo docker run \
-dit \
--restart=always \
--name letsencrypt-dnsbot \
--volume /..blabla../domains.conf:/etc/letsencrypt/domains.conf \
--volume /..blabla../data:/etc/letsencrypt \
--env 'LETSENCRYPT_USER_MAIL=mail@example.com' \
--env 'LEXICON_PROVIDER=namecheap' \
--env 'LEXICON_NAMECHEAP_USERNAME=MY_USERNAME' \
--env 'LEXICON_NAMECHEAP_TOKEN=MY_API_KEY' \
--env 'LEXICON_NAMECHEAP_CLIENT_IP=MY_IP' \
adferrand/letsencrypt-dns
but still the ClientIP sent to namecheap is 127.0.0.1 in the logs.
I am not sure if I’m doing something wrong, could you help me out here?
Best regards & thank you in advance!
Did you try to increase the timeout of lexicon between insertion and deletion of the TXT records? It is the env variable LEXICON_SLEEP_TIME on my docker (default 30), in seconds.
Sorry, I must have missed your answer. I’ll try this today and update this comment accordingly!
//edit
It works like a charm now. I feel sorta stupid for not trying this by myself… Thank you, mate!
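A certificate for both *.example.com and example.com needs two TXT values at the same _acme-challenge name, and the failing run above shows the CA seeing only CHALLENGE-01. As an added example (not code from this thread or from the letsencrypt-dns project), the sketch below polls each authoritative nameserver until every expected value is visible instead of relying on a fixed sleep. The function names and the nameserver ns1.example.net are hypothetical, and the default lookup assumes `dig` is installed.

```python
import subprocess
import time

def dig_txt(name, nameserver):
    """TXT strings one nameserver serves for name (ACME values fit one string)."""
    out = subprocess.run(["dig", "+short", "TXT", name, "@" + nameserver],
                         capture_output=True, text=True, timeout=10).stdout
    return {line.strip().strip('"') for line in out.splitlines() if line.strip()}

def missing_values(name, expected, nameservers, lookup=dig_txt):
    """Map each nameserver to the expected TXT values it does not serve yet."""
    gaps = {}
    for ns in nameservers:
        absent = set(expected) - lookup(name, ns)
        if absent:
            gaps[ns] = absent
    return gaps

def wait_for_txt(name, expected, nameservers, lookup=dig_txt,
                 timeout=300, interval=10, sleep=time.sleep):
    """Poll until every nameserver serves every expected value, or time out.

    Returns (ok, gaps); gaps is the last per-nameserver view of what was absent.
    """
    waited = 0
    while True:
        gaps = missing_values(name, expected, nameservers, lookup)
        if not gaps:
            return True, {}
        if waited >= timeout:
            return False, gaps
        sleep(interval)
        waited += interval

def demo():
    """Constructed scenario: the second value only appears on the third poll."""
    polls = {"n": 0}

    def fake_lookup(name, ns):  # stands in for dig_txt so this runs offline
        polls["n"] += 1
        if polls["n"] < 3:
            return {"CHALLENGE-01"}
        return {"CHALLENGE-01", "CHALLENGE-02"}

    return wait_for_txt("_acme-challenge.example.com",
                        {"CHALLENGE-01", "CHALLENGE-02"},
                        ["ns1.example.net"],  # hypothetical nameserver
                        lookup=fake_lookup, sleep=lambda s: None)
```

A hook would call wait_for_txt only after the last record has been created and fail the run when it returns False, so the CA is never asked to validate against a partial record set.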