
Let's Encrypt with Gandi DNS challenge and API key not working in version 5.0.18 #3625

Open
marcoce7 opened this issue Jun 3, 2024 · 9 comments

Comments

@marcoce7
Contributor

marcoce7 commented Jun 3, 2024

Describe the issue you are experiencing

In version 5.0.18 of the Let's Encrypt add-on, renewing with Gandi DNS challenge and API key does not work any more.
The relevant lines in the add-on logs are:

Error parsing credentials configuration '/data/dnsapikey': Duplicate keyword name at line 60.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I didn't change the configuration with respect to a previous version that was working correctly.

I noticed that since #3581 the dns_gandi_api_key is added to /data/dnsapikey in
https://github.com/home-assistant/addons/blob/master/letsencrypt/rootfs/etc/services.d/lets-encrypt/run#L118-L121
but dns_gandi_api_key is also added to /data/dnsapikey in
https://github.com/home-assistant/addons/blob/master/letsencrypt/rootfs/etc/cont-init.d/file-structure.sh#L49
So the duplicate keyword name error makes sense.
However, I do not know how to access the Certbot logs and files in the add-on container while running to check this.

If I use gandi_token instead of gandi_api_key in the add-on YAML configurations, renewing the certificate works.

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Let's Encrypt

What is the version of the add-on?

5.0.18

Steps to reproduce the issue

  1. Manually start the add-on
  2. Let's Encrypt fails to renew the certificate

System Health information

System Information

version core-2024.5.5
installation_type Home Assistant OS
dev false
hassio true
docker true
user root
virtualenv false
python_version 3.12.2
os_name Linux
os_version 6.6.28-haos-raspi
arch aarch64
timezone Europe/Rome
config_dir /config
Home Assistant Community Store
GitHub API ok
GitHub Content ok
GitHub Web ok
GitHub API Calls Remaining 5000
Installed Version 1.34.0
Stage running
Available Repositories 1388
Downloaded Repositories 8
Home Assistant Cloud
logged_in false
can_reach_cert_server ok
can_reach_cloud_auth ok
can_reach_cloud ok
Home Assistant Supervisor
host_os Home Assistant OS 12.3
update_channel stable
supervisor_version supervisor-2024.05.1
agent_version 1.6.0
docker_version 25.0.5
disk_total 458.4 GB
disk_used 13.5 GB
healthy true
supported true
board yellow
supervisor_api ok
version_api ok
installed_addons Let's Encrypt (5.0.18), Mosquitto broker (6.4.1), ESPHome (2024.5.4), File editor (5.8.0), Zigbee2MQTT (1.38.0-1), Piper (1.5.0), Advanced SSH & Web Terminal (18.0.0), Whisper (2.1.0), CEC Scanner (3.0), Silicon Labs Flasher (0.2.3), Spotify Connect (0.13.0), openWakeWord (1.10.0), Glances (0.21.1), Matter Server (6.0.0), VLC (0.3.0)
Dashboards
dashboards 2
resources 0
views 1
mode storage
Recorder
oldest_recorder_run 8 April 2024 at 14:11
current_recorder_run 3 June 2024 at 22:58
estimated_db_size 186.50 MiB
database_engine sqlite
database_version 3.44.2

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[00:15:00] INFO: Selected DNS Provider: dns-gandi
[00:15:00] INFO: Use propagation seconds: 60
[00:15:02] INFO: Use Gandi gandi_api_key
[00:15:04] INFO: Detecting existing certificate type for example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[00:15:25] INFO: Existing certificate using 'rsa' key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for example.com
Error parsing credentials configuration '/data/dnsapikey': Duplicate keyword name at line 60.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Additional information

No response
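The report above traces the error to two scripts (file-structure.sh and the service's run script) that each append dns_gandi_api_key to /data/dnsapikey, so certbot's INI parser sees the keyword twice. The POSIX shell below is an added example, not the add-on's own code: it shows a writer that replaces an existing line for a key instead of appending a second one, so two independent scripts can both call it safely, and a pre-flight check that reports a duplicate keyword (with its line number) before certbot is ever invoked. The key values, the scratch file path, and the function names set_cred_key, find_duplicate_key and reproduce_and_fix are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the add-on: an idempotent writer for an
# INI-style certbot credentials file plus a check for the
# "Duplicate keyword name" condition. Key values below are constructed
# placeholders; the file path is whatever the caller passes
# (the add-on uses /data/dnsapikey).

# set_cred_key FILE KEY VALUE
# Removes every existing "KEY = ..." line and appends exactly one, so it can
# be called from two independent scripts (or twice) without duplicating KEY.
set_cred_key() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    {
        if [ -f "$file" ]; then
            # grep -v exits 1 when nothing is left to print; that is not an error here
            grep -v "^[[:space:]]*$key[[:space:]]*=" "$file" || true
        fi
        printf '%s = %s\n' "$key" "$value"
    } > "$tmp"
    mv "$tmp" "$file"
    chmod 600 "$file"   # certbot warns about world-readable credential files
}

# find_duplicate_key FILE
# Prints "KEY LINE" for the first keyword that appears a second time and
# returns 1; prints nothing and returns 0 when every keyword is unique.
find_duplicate_key() {
    awk -F= '
        /^[[:space:]]*([#;]|$)/ { next }        # skip comments and blank lines
        {
            key = $1
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key in seen) { print key, NR; exit 1 }
            seen[key] = NR
        }' "$1"
}

# reproduce_and_fix FILE
# Builds the broken state the issue describes (two writers each appending
# dns_gandi_api_key), records what the check reports, then repairs the file
# with the idempotent setter. Prints "<duplicate report>|<key lines left>".
reproduce_and_fix() {
    file=$1
    printf '%s\n' '# certbot DNS credentials (constructed sample)' \
        'dns_gandi_api_key = KEY_WRITTEN_BY_FILE_STRUCTURE_SH' > "$file"
    # The second writer appends blindly, as the two add-on scripts did:
    printf '%s\n' 'dns_gandi_api_key = KEY_WRITTEN_BY_RUN_SCRIPT' >> "$file"
    report=$(find_duplicate_key "$file" || true)
    set_cred_key "$file" dns_gandi_api_key KEY_WRITTEN_ONCE
    printf '%s|%s\n' "${report:-none}" "$(grep -c '=' "$file")"
}

# Stand-alone run against a scratch file, removed afterwards.
main() {
    f="${TMPDIR:-/tmp}/dnsapikey.demo.$$"
    echo "duplicate report | key lines after fix: $(reproduce_and_fix "$f")"
    find_duplicate_key "$f" && echo "credentials file is clean: $f"
    rm -f "$f"
}

main "$@"
```

Run it with `sh` and it prints `dns_gandi_api_key 3|1`: the check finds the second dns_gandi_api_key on line 3, and after the idempotent rewrite only one key line remains. Calling find_duplicate_key right before certbot runs turns the parse failure into an explicit pre-flight message that names the keyword, which is easier to act on from the add-on log than the bare "line 60" certbot reports.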

@marconfus

If you execute docker exec addon_core_letsencrypt cat /data/dnsapikey while the container is running, you can view the contents of the file.
So I can confirm that dns_gandi_api_key is added twice to /data/dnsapikey

@hugoKs3

hugoKs3 commented Jun 8, 2024

Exact same issue on my side.

If I use gandi_token instead of gandi_api_key in the add-on YAML configurations, renewing the certificate works.
This trick does not work for me either. It throws the following error:

Unable to find or delete the DNS TXT record: Unable to get base domain for "xxxx.com"

@slapin95

slapin95 commented Jun 9, 2024

Same
version core-2024.6.1
[11:13:17] INFO: Selected DNS Provider: dns-gandi
[11:13:17] INFO: Use propagation seconds: 60
[11:13:17] INFO: Use Gandi gandi_api_key
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for DOMAIN
Error parsing credentials configuration '/data/dnsapikey': Duplicate keyword name at line 60.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

@asayler

asayler commented Jun 9, 2024

Hit this bug as well. As noted by @marcoce7, I was able to switch to using a Gandi Personal Access Token and the gandi_token config field instead of the legacy API key config to work around the issue. This did require generating a new PAT via the Gandi web interface. API keys have been deprecated by Gandi, so it seems like moving to the token config is probably the right long term move anyway. More info at https://api.gandi.net/docs/authentication/.

@Wookai

Wookai commented Jun 11, 2024

Exact same issue on my side.

If I use gandi_token instead of gandi_api_key in the add-on YAML configurations, renewing the certificate works. This trick does not work for me either. It throws the following error:

Unable to find or delete the DNS TXT record: Unable to get base domain for "xxxx.com"

Same for me, with the latest update both token and api key give me the "Unable to get base domain for XXX" error.

@slapin95

slapin95 commented Jun 12, 2024

Solved for me. I have updated my configuration file
replacing:
gandi_api_key: OLD KEY
by
gandi_token: new TOKEN
Thanks all!

@hugoKs3

hugoKs3 commented Jun 15, 2024

Followed @asayler and @slapin95 advice, works like a charm, thanks!


This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Jul 15, 2024
@marcoce7
Contributor Author

The issue is still there and not solved.
Switching to gandi_token instead of gandi_api_key is only a workaround.
API keys have been deprecated by Gandi but as far as I know there is no plan for that method to stop being supported, so I think using gandi_api_key with this add-on should still be fixed.
