Letsencrypt renewal error due to Gandi DNS failing to be set using either API Token or PAT

ruihildt

Since I installed 9.1, I noticed 2 apps I used based on domains from Gandi were not restarting due to letsencrypt provisioning issues. Basically Cloudron can't connect to Gandi either using the legacy API token or the new PAT.

Here's the error:

Gandi DNS error [403] {"object": "HTTPForbidden", "cause": "Forbidden", "code": 403, "message": "Access was denied to this resource."} BoxError: Gandi DNS error [403] {"object": "HTTPForbidden", "cause": "Forbidden", "code": 403, "message": "Access was denied to this resource."}

This also happens when I manually try to change those values directly in the Domains interface. (I tried the Gandi CURL example with the same token, so this is clearly not an error with the token)

What can I do to fix this. I already have a customer complaining their website is down, and I seemingly can't do anything to fix this, since it's letsencrypt related.

ruihildt

Now I'm starting to wonder when these other gandi domains are going to rotate their letsencrypt certificates and error out as well. 🥶

nebulon

We have to debug this, for a start you can switch that domain over to manual and fixup the A record manually to point to the server's ip

ruihildt

@nebulon Ah right, since the domain was already pointing to the server, it immediately worked after retrying ththe failing task.

nebulon

Since the token works in your CURL example, can you run that from the server itself to see if there might be some IP block/allowlist issue?

joseph

Does the token have read/write access to the domain? How did you create the token in Gandi?