[GH-ISSUE #1174] DNS Challenge with LuaDNS failing #961

Closed
opened 2026-02-26 06:35:13 +03:00 by kerem · 8 comments

Originally created by @ParadingLunatic on GitHub (Jun 14, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1174

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes (There was a similar error recently about "invalid argument 'type'" but this appears different.)

Describe the bug
When trying to issue a new or even renew certificates with LuaDNS DNS challenge it's failing

While trying to issue a new SSL cert with DNS challenge receive the following error (email address and domain omitted...was not wildcard)

```
Error: Command failed: /opt/certbot/bin/certbot certonly --non-interactive --cert-name "npm-18" --agree-tos --email "emailaddres@omitted" --domains "domain.omitted" --authenticator dns-luadns --dns-luadns-credentials "/etc/letsencrypt/credentials/credentials-18"
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-luadns-credentials /etc/letsencrypt/credentials/credentials-18

at ChildProcess.exithandler (node:child_process:326:12)
at ChildProcess.emit (node:events:369:20)
at maybeClose (node:internal/child_process:1067:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
```

During Renewal I'm seeing the following error:

```
[6/14/2021] [11:08:32 AM] [SSL ] › ✖ error Error: Command failed: /opt/certbot/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation

Renewal configuration file /etc/letsencrypt/renewal/npm-15.conf (cert: npm-15) produced an unexpected error: 'Namespace' object has no attribute 'dns_luadns_credentials'. Skipping.
```

Nginx Proxy Manager Version
Version 2.9.3

To Reproduce
Steps to reproduce the behavior for new SSL cert:

  1. Go to SSL Certificates
  2. Click on Add SSL Certificate
  3. Click on LetsEncrypt
  4. Fill out form
  5. Select Use a DNS Challenge
  6. Choose LuaDNS for the provider
  7. Fill out the rest of the info
  8. Error above received

Steps to reproduce the behavior for renewal happen automatically. Restarted the docker container.

Expected behavior
After a minute or two, an SSL cert should be issued

Operating System
Docker container on debian

Additional context
I'm not entirely sure when this started to be a problem. I only recently started using DNS challenge and have only had to renew once so whatever broke it, it has been within the last 6 to 9 months.

kerem 2026-02-26 06:35:13 +03:00
  • closed this issue
  • added the bug label

@jbonet commented on GitHub (Jun 15, 2021):

It's the certbot / certbot dns plugin version, there is a bug. Manually update certbot and the plugin and it should be good to go.

They should push an updated image with updated certbot...


@chaptergy commented on GitHub (Jun 15, 2021):

@jbonet Could you link the bug if there is anything available? Just to know what to update to which version. If you are talking about the unexpected keyword issue, the current npm version was updated to include the new certbot version. See https://github.com/jc21/nginx-proxy-manager/issues/1119#issuecomment-846843724 on how to update. But this issue does not seem related to that, however you could wait and check, whether the issue still persists with the new version.


@ParadingLunatic commented on GitHub (Jun 15, 2021):

@jbonet from a shell inside the docker container I ran pip install certbot --upgrade. Didn't seem to make any difference. Is there something else I should be doing?


@chaptergy commented on GitHub (Jun 17, 2021):

Please check with `pip show certbot-dns-luadns` whether the luaDNS addon is installed at all, and with `certbot plugins` whether certbot recognizes the plugin.


@ParadingLunatic commented on GitHub (Jun 17, 2021):

certbot plugins:

```
* dns-luadns
Description: Obtain certificates using a DNS TXT record (if you are using LuaDNS
for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-luadns = certbot_dns_luadns._internal.dns_luadns:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
```

pip show certbot-dns-luadns

```
Name: certbot-dns-luadns
Version: 1.8.0
Summary: LuaDNS Authenticator plugin for Certbot
Home-page: https://github.com/certbot/certbot
Author: Certbot Project
Author-email: client-dev@letsencrypt.org
License: Apache License 2.0
Location: /usr/local/lib/python3.7/dist-packages
Requires: acme, zope.interface, certbot, dns-lexicon, setuptools
Required-by:
```


@chaptergy commented on GitHub (Jun 17, 2021):

Maybe similar issue as https://github.com/jc21/nginx-proxy-manager/issues/1109?


@ParadingLunatic commented on GitHub (Jun 17, 2021):

It's possible. Just typed `which certbot` and it returned /usr/local/bin/certbot

If I cd to /opt/certbot/bin and do `./certbot plugins` I only get the following

```
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
```

I tried renaming the certbot under /opt/..... and copying the one from /usr/local/... in its place. It seemed a little better. It at least tried, but timed out. Can't run it again as the initial attempt is apparently still running in the background.

Ok...it took a little extra time but it finally succeeded. So I was at least able to renew my existing cert that was about to expire. I'll try and issue a new cert later.
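
The check done by hand in the comment above (two certbot installs, only one of which registers `dns-luadns`) can be scripted. This is an added example, not part of the original thread or the project's code; the function names and the abridged sample outputs are constructed from the comments above, and the two binary paths are the ones the thread mentions.

```shell
#!/bin/sh
# Added example: report which certbot installs register a given plugin.
# Function names are hypothetical; sample outputs are constructed from the thread.

# `certbot plugins` as seen from /usr/local/bin/certbot (constructed, abridged)
SAMPLE_USR_LOCAL='* dns-luadns
Description: Obtain certificates using a DNS TXT record (if you are using LuaDNS
for DNS).
Entry point: dns-luadns = certbot_dns_luadns._internal.dns_luadns:Authenticator

* standalone
Description: Spin up a temporary webserver

* webroot
Description: Place files in webroot directory'

# `certbot plugins` as seen from /opt/certbot/bin/certbot (constructed, abridged)
SAMPLE_OPT='* standalone
Description: Spin up a temporary webserver

* webroot
Description: Place files in webroot directory'

# has_plugin NAME: read `certbot plugins` output on stdin; succeed only if NAME
# appears as a plugin header line ("* NAME"), not merely inside a description.
has_plugin() {
    awk -v want="$1" '$1 == "*" && $2 == want { found = 1 } END { exit !found }'
}

# audit_certbots NAME BIN...: print one "BIN status" line per binary and
# return non-zero if any existing binary does not register the plugin.
audit_certbots() {
    plugin=$1; shift; rc=0
    for bin in "$@"; do
        if [ ! -x "$bin" ]; then echo "$bin absent"; continue; fi
        if "$bin" plugins 2>/dev/null | has_plugin "$plugin"; then
            echo "$bin ok"
        else
            echo "$bin missing-plugin"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check.sh dns-luadns /opt/certbot/bin/certbot /usr/local/bin/certbot
if [ "$#" -gt 1 ]; then audit_certbots "$@"; fi
```

A `missing-plugin` line for the binary that the failing command actually invokes (here `/opt/certbot/bin/certbot`) matches the `unrecognized arguments: --dns-luadns-credentials` error in the report.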


@ParadingLunatic commented on GitHub (Jun 22, 2021):

I noticed 2.9.4 was released. Updated my docker container and tried creating a new SSL cert with the LuaDNS DNS challenge. Initially it failed because certbot was already running. Noticed eventually in my logs I had two old certs that failed to renew. Not sure why the certs still exist for renewal even though they were deleted. Anyway, after doing some manual cleanup of the leftover certs I was able to successfully issue a new cert. I'm going to go ahead and close this as I'm pretty confident the fixes in 2.9.4 also fixed the renewal issue.
