
Let's say something like this is being returned when attempting certbot renew.
~]$ sudo bar/bin/certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for example.com and *.example.com
Failed to renew certificate example.com with error: Error determining zone identifier for example.com: 403 Client Error: Forbidden for url: https://api.godaddy.com/v1/domains/example.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Notice the error output includes Forbidden for url: https://api.godaddy.com/v1/domains/example.com. nslookup can be used to determine if your DNS is able to resolve api.godaddy.com to an IP address.
~]$ nslookup api.godaddy.com
Server: 172.31.0.2
Address: 172.31.0.2#53
Non-authoritative answer:
api.godaddy.com canonical name = api.godaddy.com.edgekey.net.
api.godaddy.com.edgekey.net canonical name = e6001.x.akamaiedge.net.
Name: e6001.x.akamaiedge.net
Address: 104.108.102.254
cURL can be used to submit a GET request to the URL that is returning Forbidden for url. In this example, the request returned a response, meaning I am able to submit a GET request to the URL and get a response. It doesn't matter that the response reports missing credentials; the only point here is to confirm that a request and response can be made.
~]$ curl https://api.godaddy.com/v1/domains/example.com
{"code":"MISSING_CREDENTIALS","message":"Unauthorized : Credentials must be specified"}
Notice in this example I'm using Go Daddy. Check out my article Create wildcard public private key pair using GoDaddy.
Also notice the output lists /etc/letsencrypt/renewal/example.com.conf as the configuration file, and that the conf file has dns_godaddy_credentials = /usr/local/certbot/godaddy.ini.
~]$ cat /etc/letsencrypt/renewal/example.com.conf
# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = abcdefg123456789abcdefg123456789
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-godaddy
dns_godaddy_propagation_seconds = 900
dns_godaddy_credentials = /usr/local/certbot/godaddy.ini
key_type = ecdsa
And the INI file should contain something like this.
~]$ cat /usr/local/certbot/godaddy.ini
dns_godaddy_key = abcdefg123456789abcdefg123456789
dns_godaddy_secret = XYZ123KDJ234MSDF234
The INI file should only be readable and writable by the owner of the godaddy.ini file.
~]$ ll /usr/local/certbot/godaddy.ini
-rw------- 1 ec2-user ec2-user 96 May 15 2023 /usr/local/certbot/godaddy.ini
At https://developer.godaddy.com you should have created a production API key and secret. You'll want to make sure the key shown there matches dns_godaddy_key in your INI file. There is no way to view the secret again after it is created, so if you are unsure the INI file holds the right secret, create a new key and secret and update the INI file.
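The checks above (the credentials path in the renewal conf, the INI file's permissions and keys, and whether the GoDaddy API answers at all) are easy to re-run after each fix if they are scripted. The following is an added example, not part of the original article, that wraps them in shell functions and runs them against constructed sample files in a temporary directory; the key and secret values are placeholders, and the live nslookup and curl checks only run when CHECK_NETWORK=1 is set.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the original article).
# Reproduces the article's offline checks for a certbot dns-godaddy renewal
# failure. Sample conf and INI files below are constructed for the demo.

# 1. Pull the credentials path out of a certbot renewal conf
#    (the "dns_godaddy_credentials = ..." line under [renewalparams]).
renewal_credentials_path() {
    conf="$1"
    sed -n 's/^[[:space:]]*dns_godaddy_credentials[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1
}

# 2. The INI file must be readable and writable only by its owner (-rw-------).
#    Succeeds only when the permission string matches exactly.
check_ini_perms() {
    f="$1"
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# 3. Both dns_godaddy_key and dns_godaddy_secret must be present and non-empty.
check_ini_keys() {
    f="$1"
    for k in dns_godaddy_key dns_godaddy_secret; do
        v=$(sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$f" | head -n 1)
        [ -n "$v" ] || return 1
    done
    return 0
}

# 4. Classify the JSON body GoDaddy returns for an unauthenticated GET.
#    MISSING_CREDENTIALS means the request reached the API (the article's
#    "a request and response can be made" case); anything else is flagged.
classify_api_response() {
    case "$1" in
        *MISSING_CREDENTIALS*) echo reachable ;;
        *)                     echo unexpected ;;
    esac
}

# --- demo on constructed files ---
tmp=$(mktemp -d)
cat > "$tmp/example.com.conf" <<EOF
[renewalparams]
authenticator = dns-godaddy
dns_godaddy_credentials = $tmp/godaddy.ini
EOF
cat > "$tmp/godaddy.ini" <<'EOF'
dns_godaddy_key = PLACEHOLDER_KEY
dns_godaddy_secret = PLACEHOLDER_SECRET
EOF
chmod 600 "$tmp/godaddy.ini"

ini=$(renewal_credentials_path "$tmp/example.com.conf")
echo "credentials file: $ini"
check_ini_perms "$ini" && echo "perms ok" || echo "perms too open: chmod 600 $ini"
check_ini_keys "$ini" && echo "key and secret present" || echo "key or secret missing"

# Constructed copy of the body the article shows for an unauthenticated GET.
sample='{"code":"MISSING_CREDENTIALS","message":"Unauthorized : Credentials must be specified"}'
echo "api: $(classify_api_response "$sample")"

# Live checks only when explicitly requested (they need network access).
if [ "${CHECK_NETWORK:-0}" = 1 ]; then
    nslookup api.godaddy.com
    classify_api_response "$(curl -s https://api.godaddy.com/v1/domains/example.com)"
fi
rm -rf "$tmp"
```

To run it against a real installation, point renewal_credentials_path at /etc/letsencrypt/renewal/example.com.conf and pass the path it returns to the two INI checks; a "perms too open" result is fixed with chmod 600 on the INI file, and an "unexpected" API classification means the problem is between the host and api.godaddy.com rather than in the credentials file.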
If the issue persists, let's reissue the certbot command with the -v (verbose) flag.
~]$ sudo certbot renew --dry-run -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-godaddy, Installer None
Simulating renewal of an existing certificate for example.com and *.example.com
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
Cleaning up challenges
Failed to renew certificate example.com with error: Error determining zone identifier for example.com: 403 Client Error: Forbidden for url: https://api.godaddy.com/v1/domains/example.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
If you are using Go Daddy, check out this Reddit thread: https://www.reddit.com/r/godaddy/comments/1bl0f5r/am_i_the_only_one_who_cant_use_the_api/?rdt=42997
Long story short, sometime in 2024, Go Daddy made a change where customers with fewer than 50 domains can no longer use the production API, which explains a 403 Forbidden even when the key, secret, and INI file are all correct.