v3.25.0 truncates domain name leading to Exception with cloudflare

[charleszlu]

In v3.25.0. When using cloudflare as the provider it raises the following exception:

Executing auth hook for domain example.net, lineage example.net.
2024-01-26 08:48:32,230:WARNING:certbot.display.ops:Hook '--manual-auth-hook' for example.net ran with error output:
Error while executing the auth hook:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/dnsrobocert/core/hooks.py", line 40, in main
globals()[parsed_args.type](dnsrobocert_config, parsed_args.lineage)
File "/usr/local/lib/python3.11/site-packages/dnsrobocert/core/hooks.py", line 61, in auth
txt_challenge(certificate, profile, token, domain, action="create")
File "/usr/local/lib/python3.11/site-packages/dnsrobocert/core/challenge.py", line 52, in txt_challenge
with Client(ConfigResolver().with_dict(config_dict)) as operations:
File "/usr/local/lib/python3.11/site-packages/lexicon/client.py", line 168, in enter
raise e
File "/usr/local/lib/python3.11/site-packages/lexicon/client.py", line 161, in enter
provider.authenticate()
File "/usr/local/lib/python3.11/site-packages/lexicon/_private/providers/cloudflare.py", line 54, in authenticate
raise AuthenticationError("No domain found)
lexicon.exceptions.AuthenticationError: No domain found

This is due to resolve_zone_name is set to True in file challenge.py, which triggers lexicon's Client to call dns.resolver.zone_for_name(domain). This truncates the domain name from example.net to just net, leading to the exception above. If I manually set resolve_zone_name to False. Everything works the same as in v 3.24.x.

I have tested using:

• Global API key with auth_username and auth_token
• Unscoped API token with auth_token

Both methods give the above exception.

I am using the below config:

acme:
  staging: false
  certs_permissions:
    dirs_mode: 493
    files_mode: 420
  crontab_renew: 0 4 * * *
  email_account: mail@example.net

profiles:
- name: cloudflare
  provider: cloudflare
  provider_options:
    auth_token: <unscoped API token>
  sleep_time: 600

certificates:
- name: example.net
  domains:
  - example.net
  - '*.example.net'
  profile: cloudflare
  pfx:
    export: true
    passphrase: **********
  force_renew: false

[LiskoFINAL]

It's the same on the duckdns provider. I had to downgrade the dnsrobocert docker container to 3.24.2 otherwise the certs can't be issued/renewed for this same reason.

[rexzhang]

In my case(cloudflare, I had set up the email):

2024-05-03 11:20:47 tn-jail-docker dnsrobocert.core.main[21] INFO Starting DNSroboCert.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/dnsrobocert/logs/letsencrypt.log or re-run Certbot with -v for more details.
2024-05-03 11:20:47 tn-jail-docker dnsrobocert.core.main[21] INFO Registering ACME account if needed.
2024-05-03 11:20:47 tn-jail-docker dnsrobocert.core.utils[21] INFO Launching command: /usr/local/bin/python -m dnsrobocert.core.certbot register -n --user-agent-comment DNSroboCert/3.25.0 --preferred-chain "ISRG Root X1" --config-dir /data/dnsrobocert --work-dir /data/dnsrobocert/workdir --logs-dir /data/dnsrobocert/logs -m rex.zhang@gmail.com --agree-tos --server https://acme-v02.api.letsencrypt.org/directory
----------
An unexpected error occurred:
Saving debug log to /data/dnsrobocert/logs/letsencrypt.log
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f5539ca4e60>: Failed to establish a new connection: [Errno -3] Try again'))
2024-05-03 11:20:52 tn-jail-docker dnsrobocert.core.main[21] INFO Creating missing certificates if needed (~1min for each)
2024-05-03 11:20:52 tn-jail-docker dnsrobocert.core.certbot[21] INFO Handling the certificate for domain(s): h.rexzhang.com, *.h.rexzhang.com
2024-05-03 11:20:52 tn-jail-docker dnsrobocert.core.utils[21] INFO Launching command: /usr/local/bin/python -m dnsrobocert.core.certbot certonly -n --user-agent-comment DNSroboCert/3.25.0 --preferred-chain "ISRG Root X1" --config-dir /data/dnsrobocert --work-dir /data/dnsrobocert/workdir --logs-dir /data/dnsrobocert/logs --manual --preferred-challenges=dns --manual-auth-hook "/usr/local/bin/python -m dnsrobocert.core.hooks -t auth -c \"/tmp/tmpdwt709bq/dnsrobocert-runtime.yml\" -l \"h.rexzhang.com\"" --manual-cleanup-hook "/usr/local/bin/python -m dnsrobocert.core.hooks -t cleanup -c \"/tmp/tmpdwt709bq/dnsrobocert-runtime.yml\" -l \"h.rexzhang.com\"" --expand --deploy-hook "/usr/local/bin/python -m dnsrobocert.core.hooks -t deploy -c \"/tmp/tmpdwt709bq/dnsrobocert-runtime.yml\" -l \"h.rexzhang.com\"" --server https://acme-v02.api.letsencrypt.org/directory --cert-name h.rexzhang.com --key-type rsa -d h.rexzhang.com -d *.h.rexzhang.com
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.

[adferrand]

One year later...

You can now disable this behavior in DNSRoboCert 3.26.1.