✓ Solved

Certbot autorenew failing (Linode API old version?)

Sorry for sounding like a newb, but I can't remember how I even set up Let's Encrypt autorenew in the first place - I'm not good at server admin, so as long as things are running, I ignore it (bad habit, I know) and then I forget what I did.

I have started getting notifications from both monit and "Let's Encrypt Expiry Bot" that my SSL certs are not staying topped up (expiring in 19 days). I assumed I had a cron job to check daily or weekly and top it off if less than a month left, but there is nothing related in any of my cron directories, so I don't know what was keeping them updated before now. When I run certbot renew --dry-run, I get:

Processing /etc/letsencrypt/renewal/mydomain.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator dns-linode, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for mydomain.com and *.mydomain.com
Performing the following challenges:
dns-01 challenge for mydomain.com
dns-01 challenge for mydomain.com
Starting new HTTPS connection (1): api.linode.com
Cleaning up challenges
Starting new HTTPS connection (1): api.linode.com
Failed to renew certificate mydomain.com with error: Unexpected error determining zone identifier for mydomain.com: Linode api error: [{u'ERRORCODE': 16, u'ERRORMESSAGE': u'Linode API v3 is no longer active. Please use Linode API v4: https://www.linode.com/docs/api'}]

Did API v3 shut down in the last couple months? The doc page linked in the error text is just a man page for people actually writing API calls - it doesn't say anything about converting some utility from running v3 to v4.

The file /etc/letsencrypt/renewal/mydomain.com.conf has this:

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/mydomain.com
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = [a long number]
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-linode
installer = nginx
dns_linode_credentials = /root/.certbot/linode.ini
dns_linode_propagation_seconds = 1000
manual_public_ip_logging_ok = None

Any suggestions of what I should be looking for, or how to fix this?

5 Replies

✓ Best Answer

Solved! I submitted a support ticket to Linode, and Cassandra helped me figure it out. (No, the solution is NOT what she suggested in the post above this one - that was the first thing she asked me to try, but that didn't help.)

It turns out that I didn't have an API token at all. Obviously I did previously, but perhaps all the v3 tokens were automatically removed. Anyway, I needed a new one, which would automatically be a v4 type. So here's what to do:

  1. In the Linode interface, click on your profile icon in the top right corner and select "API Tokens".
  2. Click "Create a Personal Access Token", uncheck all the access services except "Domains", and follow other prompts.
  3. Be sure to copy the key provided in the popup.
  4. On the server, there should be a linode.ini file for certbot - mine was located at /root/.certbot/linode.ini. There should be a line that says dns_linode_key = "..." with your old key inside the quotes. Edit the file and replace that old key with the new key.

That's all I needed to do. My auto renew is working now.

I am facing the same issue on one of my servers. We have been using a venv for Certbot, and it started failing due to the Linode version. I attempted to upgrade the Certbot and Linode API modules using pip, but it didn't work. The following packages are currently at their latest versions:

  • Certbot
  • Certbot-nginx
  • Certbot-dns-linode
  • Setuptools-rust
  • Linode-api

Despite having the latest versions of these packages, the issue persists.

Another user who reached out about this issue in the past let us know they resolved it by updating their linode.ini credentials file to use the newer API version. They did this by adding the following line:

dns_linode_version = 4

I can't say for sure this works, but I think it's worth a shot. I'll follow up if I'm able to figure out a way to test it and confirm it's working.

Just wanted to say thank you to @OsakaWebbie for coming back to help our other users. I'm glad you were able to figure it out and really appreciate you taking the time to provide an update to help anyone else who might see the same issue in the future.

Thanks for this, @OsakaWebbie! I landed here after receiving an impending certificate expiration email from letsencrypt.org. So I logged in, found the same API error you did (in /var/log/letsencrypt/), and googled "linode letsencrypt api update" to get this fix as the top search result. It's been over 5 years since I put CertBot on autopilot, so my memory was also a bit foggy.

I initially tried adding JUST "dns_linode_version = 4" to my /etc/letsencrypt/renewal/linode_certbot_dns.ini as suggested by @CassandraD above, and then ran "letsencrypt renew", but that triggered a new error:

Failed to renew certificate domain.com with error: Error determining zone identifier for domain.com: 401 Client Error: UNAUTHORIZED for url: https://api.linode.com/v4/domains.

After creating the new domain-only read/write v4 API token at https://cloud.linode.com/profile/tokens , and updating linode_certbot_dns.ini with it, the renewal succeeded.

HTH,
Jason
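
To check the end state the posts above arrive at (a new token in the credentials file, optionally with dns_linode_version = 4), here is an added shell example, not written by any poster in this thread or by the Certbot project, that audits the file without printing the token. The function names check_linode_ini and ini_value are made up for this example, and the owner-only permission check is an addition, on the assumption that a file holding a token with Domains access should not be readable by other accounts.

```shell
#!/bin/sh
# Added example: audit a certbot dns-linode credentials file.
# Reports findings, never echoes the token, returns the number of problems.

ini_value() {  # ini_value FILE KEY -> last value set for KEY, quotes stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

check_linode_ini() {
    file=$1
    problems=0
    if [ ! -r "$file" ]; then
        echo "FAIL: $file is missing or unreadable"
        return 1
    fi

    # The token can edit DNS records, so only the owner should have access.
    group_other=$(ls -ld "$file" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "FAIL: $file is accessible by group/other; run: chmod 600 $file"
        problems=$((problems + 1))
    fi

    key=$(ini_value "$file" dns_linode_key)
    if [ -z "$key" ] || [ "$key" = "..." ]; then
        echo "FAIL: dns_linode_key is empty; paste the new Personal Access Token"
        problems=$((problems + 1))
    else
        echo "OK: dns_linode_key is set (${#key} characters)"
    fi

    version=$(ini_value "$file" dns_linode_version)
    case "$version" in
        4)  echo "OK: dns_linode_version = 4" ;;
        "") echo "NOTE: dns_linode_version is not set (the accepted answer did not need it)" ;;
        *)  echo "FAIL: dns_linode_version = $version; API v3 is no longer active"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Usage: sh check_linode_ini.sh /root/.certbot/linode.ini
if [ -n "${1:-}" ]; then check_linode_ini "$1"; fi
```

A clean result only shows the file is well-formed; `certbot renew --dry-run` is still the check that the token itself is accepted.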
