Letsencrypt renewal error due to Gandi DNS failing to be set using either API Token or PAT

ruihildt

Now I'm starting to wonder when these other gandi domains are going to rotate their letsencrypt certificates and error out as well. 🥶

nebulon

We have to debug this, for a start you can switch that domain over to manual and fixup the A record manually to point to the server's ip

ruihildt

@nebulon Ah right, since the domain was already pointing to the server, it immediately worked after retrying ththe failing task.

nebulon

Since the token works in your CURL example, can you run that from the server itself to see if there might be some IP block/allowlist issue?

joseph

Does the token have read/write access to the domain? How did you create the token in Gandi?

ruihildt

@nebulon I can.

But now I have created a token which can theoretically update all domains.

But I'm starting to think it's Gandi who changed their permission model and actually, while maybe I can access through the UI to many domain where I've been added as a technical contact, it's possible that somehow that permissions still need to be added manually elsewhere.

I'll contact Gandi support next week.

jdaviescoates

I'm interested to know what you discover because I use Gandi too...

SebGG

Hi, today i had the same issue. Cloudron 9.1.5

What was the solution?

Benachrichtigungen
Domain ...... is not configured properly
vor 4 Stunden

Access denied: Gandi DNS error [403] {"object": "HTTPForbidden", "cause": "Forbidden", "code": 403, "message": "Access was denied to this resource."}

joseph

Have you tested if the token works? Check with curl and one of the API calls at https://api.gandi.net/docs/authentication/

SebGG

Got it, yes it was the token, i made a New one (PAT) and it seems that it works
Thanks