hurricane: requesting cert for base and wildcard fails on clean-up

[davidyorke]

Trying to renew a certificate for both the base domain and a wildcard that were originally issued using googledomains (RIP) using Hurricane Electric DNS and getting an error on cleanup. I think the problem is that it's trying to clean-up the same record twice and hurricane is returning a response that is erroneously interpreted as an error. As best I can tell its changing the same _acme-challenge record for both the base domain and wildcard and so when it tries to clean it up the second time, hurricane responds "nochg" and the plug-in is interpreting that as an error instead of proceeding to request the certificate.

Steps to reproduce:

podman run --rm -it -v /home/opc/.config/letsencrypt:/etc/letsencrypt \
ghcr.io/alexzorin/certbot-dns-multi certonly \
 -v -a dns-multi --dns-multi-credentials /etc/letsencrypt/dns-multi.ini \
-d example.com -d "*.example.com" --dry-run

Expected result:
certificate for base domain and wildcard issued which worked correctly under googledomains

Actual result:
Error on clean up. No certificate issued.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-multi, Installer None
Certificate is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for example.com and *.example.com
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
Cleaning up challenges
2025/05/15 06:07:10 nochg ".": unchanged content written to TXT record _acme-challenge.example.com
hurricane: unable to communicate with the API server: error: Post "https://dyn.dns.he.net/nic/update": EOF
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

[davidyorke]

just for giggles, i tried to add a second _acme-challenge record and add it's update token to the config file to see if the plugin would use one for the base and the other for the wildcard and got the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-multi, Installer None
Certificate is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for example.com and *.example.com
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
Cleaning up challenges
unknown command
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

[alexzorin]

I don't think that the nochg is the cause of the issue. That appears to be a case that the provider is written to handle: https://github.com/go-acme/lego/blob/e9a255df9b04195245545ae8b15c520c54beb369/providers/dns/hurricane/internal/client.go#L110-L112

The EOF looks like the actual culprit. From my own testing, the API should always return a response, whether it's an error, nochg, or good.

EOF means that there was an absence of any response, which doesn't look like an expected behaviour from the provider API side.

I'd try to see whether you hit the same issue while running lego directly: https://github.com/go-acme/lego. If you do, report it to that project.

[morrismichaelc]

@davidyorke I am a fellow LE and HE user wishing to automatic wildcard cert with base domain. I wonder if you made any progress - specifically if you tried LEGO directly as @alexzorin suggested.

I have not yet tried the dns-multi plugin; I'm just now investigating and don't want to break the setup I've got that words for manual updates; I look forward to any input you might have. Thanks!