Error determining zone identifier, 403 Client Error: Forbidden for url:

[gctwnl]

I just found out one of my wildcard certs had not renewed and is now expired. Luckily, this i on a backup server and the main one will still be valid for a month. I am running (worked fine until I noticed today)

/usr/bin/docker run --rm \
  -v /var/lib/letsencrypt:/var/lib/letsencrypt \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -v /mnt/ServerData/var/log/letsencrypt:/var/log/letsencrypt \
  --cap-drop=all \
  -e TZ="Europe/Amsterdam" \
  miigotu/certbot-dns-godaddy certbot certonly \
    -v --authenticator dns-godaddy \
    --dns-godaddy-propagation-seconds 900 \
    --dns-godaddy-credentials /var/lib/letsencrypt/godaddy_credentials.ini \
    --keep-until-expiring --non-interactive --expand \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --agree-tos --email "hostmaster@rna.nl" \
    -d rna.nl -d '*.rna.nl'

and the result is:

Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for rna.nl and *.rna.nl
Performing the following challenges:
dns-01 challenge for rna.nl
dns-01 challenge for rna.nl
Cleaning up challenges
Error determining zone identifier for rna.nl: 403 Client Error: Forbidden for url: https://api.godaddy.com/v1/domains/rna.nl.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I suspect (because of the 403) that I've lost access to the API (as per https://community.certifytheweb.com/t/dns-update-failed-godaddy-dns-api-failed-to-determine-root-domain-in-zone/2237/7) as per changed rules of GoDaddy. If so, this is the end of GoDaddy for me. Am I correct? Or is there something that can be done?

[gctwnl]

GoDaddy just confirmed: they sent out an email on April 30th that they would stop providing access to the API to anyone who has less than 50 domains. And they stopped providing it per the day after.

[cguerrero1205]

Hi. I think many of us have migrated to cloudflare as DNS provider, due to the limitation that goDaddy made to their API. Follow the steps described here #81 and you will get the solution to this problem.

[IsaacWG]

GoDaddy just confirmed: they sent out an email on April 30th that they would stop providing access to the API to anyone who has less than 50 domains. And they stopped providing it per the day after.

Their support told me that domains API access is being revoked for accounts with less than 50 domains or 10 domains if you also pay for their "discount domain club". Still not great.

[miigotu]

Might be time to move my domains as well. Imagine being a registrar and taking away features that other registrars offer while also not providing a better way to manage it.

[Chris81T]

I have the same problem here. I'm using GoDaddy, while this is the only supported one, to use a custom domain for Microsoft 365 (Family plan) - needed for MS Outlook.

So I was last year very happy to find this nice certbot project to auto-renew my let's encrypt certificated via dns challenge.

The change from GoDaddy to restrict the api access is not nice. But I have to use GoDaddy, while it's the only supported provider for the MS family plan.

Is there an option to perform the DNS challenge to something else without moving the domain to the new one?

If someone has some tipps, please share it :-)

Thanks!!

[cguerrero1205]

I have the same problem here. I'm using GoDaddy, while this is the only supported one, to use a custom domain for Microsoft 365 (Family plan) - needed for MS Outlook.

So I was last year very happy to find this nice certbot project to auto-renew my let's encrypt certificated via dns challenge.

The change from GoDaddy to restrict the api access is not nice. But I have to use GoDaddy, while it's the only supported provider for the MS family plan.

Is there an option to perform the DNS challenge to something else without moving the domain to the new one?

If someone has some tipps, please share it :-)

Thanks!!

Hello,

No, please note that you only have to transfer the DNS records, not the domain, i.e. the domain is left with godaddy, but the DNS is transferred to claudflare so that you can automatically renew the SSL certificate. Otherwise you would have to do the manual process to renew the certificate.

[Chris81T]

@cguerrero1205 Thank you for your feedback!

It is important for me, that my Outlook E-Mails will also working after setting up Cloudflare. Cloudflare will automatically scan for the existing DNS Records. Is it enough to simply use that scaned entries (the MX and TXT entries have an outlook relation) and change the nameserver in GoDaddy to the provided Cloudflare DNS Url's?

Or is there something else, that have to be configured?

Thank you!

[gctwnl]

I don't want to pay GoDaddy while freeloading at Cloudflare. And GoDaddy's behaviour (mail on 30 April "we changed our blablabla" the mails you get many times, turn off on 1 May). Cloudflare doesn't support .nl, Namecheap has the same problem as GoDaddy (you need to have at least 20 domains and spend more that $50 over the last two years before you get access to the API). Namesilo seems to tick all boxes for me.

[gctwnl]

This is off-topic as it is not using but moving away from the GoDaddy plugin, but maybe people know this. I have now (almost) completed the domain and DNS transfers.

My current config (certbot with GoDaddy plugin) says:

# Options used in the renewal process
[renewalparams]
account = <snip>
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-godaddy
dns_godaddy_propagation_seconds = 900
dns_godaddy_credentials = /var/lib/letsencrypt/godaddy_credentials.ini
key_type = rsa

What should I put in renewalparams in the config to make it work with NameSilo? I saw instructions somewhere but I cannot find them anymore.

[cguerrero1205]

@cguerrero1205 Thank you for your feedback!

It is important for me, that my Outlook E-Mails will also working after setting up Cloudflare. Cloudflare will automatically scan for the existing DNS Records. Is it enough to simply use that scaned entries (the MX and TXT entries have an outlook relation) and change the nameserver in GoDaddy to the provided Cloudflare DNS Url's?

Or is there something else, that have to be configured?

Thank you!

Hello,

When I transferred the DNS to Claudflare, I had to reconfigure the records manually, but it was just a matter of leaving them the same as they were in godaddy, except for the NS records, as they differ between godaddy and claudflare. I don't use the MX record, so I can't give you 100% sure about it. But if you have problems, you can go back to godaddy as DNS.

[cguerrero1205]

Namesilo

Hello,

I think this may help you.

#https://github.com/ethauvin/namesilo-letsencrypt

[Chris81T]

Maybe this is also interesting for people, that "must" use GoDaddy?!

• DNS alias mode
• DNS Api / acmesh

I have to try it out. I'm currently cautious about the DNS change because Microsoft has no longer supported its own domains (email) for the Family Plan since November 2023. Only those that were created before.

Everything is not cool...

[gctwnl]

I haven't been able to get acme.sh on OPNsense working with Cloudflare or NameSilo. OPNsense acme.sh works with the test LE but not with production.

I have dropped that for now and I am looking at hosting my own minimal acme-dns so I become independent from these DNS providers for LE challenges. I am running in some difficulties (acme-dns/acme-dns#354)

acme.sh DNS alias mode makes use of a second domain server for which you do have API access (so e.g. Cloudflare or NameSilo next to GoDaddy) and that is only used for the challenge. That can be another big provider or your own minimal acme-dns.

I have been working on this. I have a acme-dns minimal DNS server running to provide the DNS-01 challenge via a NS for a mai domain. But while it says it stores the challenge it doesn't actually do so.

[gctwnl]

Found my error in setting up acme-dns, I think.