home-assistant/addons

Let's Encrypt: Selected DNS Provider: null

Opened this issue · 10 comments

Describe the issue you are experiencing

Let's Encrypt fails to obtain certificate using DNS method.

Log contains these key lines:

[16:51:18] INFO: Selected DNS Provider: null
certbot: error: unrecognized arguments: --null --null-credentials /data/dnsapikey

Used configuration:

email: censored@gmail.com
domains:
  - also.censored.com
certfile: fullchain.pem
keyfile: privkey.pem
challenge: dns
dns:
  provider: dns-dynu
  dynu_auth_token: obviouslycensored

Example configuration in addon documentation:

email: your.email@example.com
domains:
  - your.domain.tld
certfile: fullchain.pem
keyfile: privkey.pem
challenge: dns
dns:
  provider: dns-dynu
  dynu_auth_token: 0123456789abcdef

Issue has existed since the introduction of Dynu DNS support for this add-on, as far as I know. I've previously obtained a certificate by using certbot directly, bypassing this add-on. I just got tired of waiting for someone else to report it.

The slight email formatting difference in the configuration does not seem to be relevant in testing. I think the formatting I initially used and show here was generated by the form.

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Let's Encrypt

What is the version of the add-on?

5.2.1

Steps to reproduce the issue

1. Configure addon using form, possibly edit generated config file.
2. Save configuration and restart addon.
3. Run, and view log.
...

System Health information

System Information

version: core-2024.10.1
installation_type: Home Assistant OS
dev: false
hassio: true
docker: true
user: root
virtualenv: false
python_version: 3.12.4
os_name: Linux
os_version: 6.6.31-haos-raspi
arch: aarch64
timezone: America/New_York
config_dir: /config

Home Assistant Cloud

logged_in: false
can_reach_cert_server: ok
can_reach_cloud_auth: ok
can_reach_cloud: ok

Home Assistant Supervisor

host_os: Home Assistant OS 13.1
update_channel: stable
supervisor_version: supervisor-2024.10.0
agent_version: 1.6.0
docker_version: 26.1.4
disk_total: 234.3 GB
disk_used: 12.4 GB
healthy: true
supported: true
host_connectivity: true
supervisor_connectivity: true
ntp_synchronized: true
virtualization:
board: rpi4-64
supervisor_api: ok
version_api: ok
installed_addons: Mosquitto broker (6.4.1), Let's Encrypt (5.2.1), Z-Wave JS UI (3.13.2), openWakeWord (1.10.0), Whisper (2.1.2), Advanced SSH & Web Terminal (19.0.0), Studio Code Server (5.17.1), NGINX Home Assistant SSL proxy (3.11.0), Piper (1.5.2), Rhasspy 3 (en) (0.0.4)

Dashboards

dashboards: 2
resources: 0
views: 7
mode: storage

Recorder

oldest_recorder_run: October 3, 2024 at 4:38 AM
current_recorder_run: October 8, 2024 at 4:49 PM
estimated_db_size: 60.46 MiB
database_engine: sqlite
database_version: 3.45.3

Anything in the Supervisor logs that might be useful for us?

Logger: homeassistant.components.hassio
Source: components/hassio/websocket_api.py:135
integration: Home Assistant Supervisor (documentation, issues)
First occurred: 4:51:36 PM (5 occurrences)
Last logged: 5:04:34 PM

Failed to to call /addons/core_letsencrypt/stats - Container addon_core_letsencrypt is not running

Anything in the add-on logs that might be useful for us?

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[16:59:32] INFO: Selected DNS Provider: null
[16:59:32] INFO: Use propagation seconds: 60
[16:59:32] INFO: Detecting existing certificate type for censored.censored.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[16:59:37] INFO: Existing certificate using 'rsa' key type.
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --null --null-credentials /data/dnsapikey
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Additional information

No response

Edited to mark config file samples as code snippets to prevent misleading display errors.

I'm seeing this as well.

Strike that. I logged in via SSH and found the config file (/mnt/data/supervisor/addons/data/core_letsencrypt/options.json) and found that the dns key had an empty object. For example:

{
  "domains": [
    "domain1",
    "domain2"
  ],
  "email": "***",
  "keyfile": "privkey.pem",
  "certfile": "fullchain.pem",
  "challenge": "dns",
  "dns": {}
}

I had simply entered the wrong thing in my configuration. When I changed it to look like this it worked.

[image: nginx-config]
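An added example, not the add-on's code and not written by anyone in this thread: a preflight check over the saved options that catches the empty `dns` object before certbot runs. The flag pattern in `naive_dns_args` is an assumption inferred from the `--null --null-credentials /data/dnsapikey` error line, the function names are hypothetical, and the "at least one credential key" rule is a heuristic.

```python
import json

# Constructed from the two configurations quoted in this thread.
BROKEN = '{"domains": ["domain1"], "email": "***", "challenge": "dns", "dns": {}}'
DOCUMENTED = json.dumps({
    "email": "your.email@example.com",
    "domains": ["your.domain.tld"],
    "challenge": "dns",
    "dns": {"provider": "dns-dynu", "dynu_auth_token": "0123456789abcdef"},
})

CREDENTIALS_PATH = "/data/dnsapikey"  # path seen in the certbot error line


def naive_dns_args(options):
    """Interpolate the provider without checking it (assumed behaviour,
    inferred from the '--null --null-credentials' error in the log)."""
    provider = (options.get("dns") or {}).get("provider")
    name = json.dumps(provider).strip('"')  # a missing key renders as "null"
    return [f"--{name}", f"--{name}-credentials", CREDENTIALS_PATH]


def preflight(options):
    """Return a list of problems; an empty list means the DNS settings are usable."""
    if options.get("challenge") != "dns":
        return []  # DNS settings only matter for the dns challenge
    dns = options.get("dns")
    if not isinstance(dns, dict) or not dns:
        return ["'dns' is missing or empty"]
    problems = []
    provider = dns.get("provider")
    if not isinstance(provider, str) or provider in ("", "null"):
        problems.append(f"'dns.provider' is not a provider name: {provider!r}")
    if len(dns) < 2:  # heuristic: expect a credential key next to 'provider'
        problems.append("'dns' holds no credential keys besides 'provider'")
    return problems


def checked_dns_args(raw_json):
    """Parse options.json text and build the flags only if preflight passes."""
    options = json.loads(raw_json)
    problems = preflight(options)
    if problems:
        raise ValueError("; ".join(problems))
    return naive_dns_args(options)
```
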

If I format mine the same way you did yours, I get:
Failed to save add-on configuration, Missing option 'dns' in root in Let's Encrypt (core_letsencrypt)

I suppose it's noteworthy that I did NOT get that error in my earlier attempts.

I'm on HA OS, and haven't yet found an equivalent store with that json you posted.

Yeah. I'm on HAOS as well. I don't see anywhere in the UI to specify it either. I recently went to the trouble of setting up ssh access to the host OS specifically so I could work around a handful of deficiencies in the UI.

I did try the Nginx Proxy Manager, but it doesn't support DNS ACME challenges on my hosting provider. And I think I would have had to manually copy certs into the add-on container...which requires host ssh access.

At least the official NGINX Home Assistant SSL proxy mounts /ssl and the Let's Encrypt add-on works with my DNS provider.

I'm using this addon https://github.com/hassio-addons/addon-ssh for SSH access, and /data and /mnt appear empty with ls -a

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This is still an issue.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

I'm going to keep bumping this until someone actually addresses it.