I experienced a strange problem. My acme certification has been running fine for a long time but recently failed to renew the certificate. Upon checking, it seems that the failure set in at authorization at dns@desec. My token has not been tampered with. ddclient.conf has the same update password, which is my token secret. The IP address has been duly updated and I can verify that in my account. The token is still within its valid period. My acme secret is exactly the same as in my ddclient.conf file. Yet I tested API authorization with the same secret and it still returned invalid token. I totally cannot comprehend what is going on. If the IP address update is successful with the same token secret, how could authorization fail at all with API access?
Same…
certbot.errors.PluginError: Could not authenticate against deSEC API: b'{"detail":"Insufficient token permissions."}'
Also this, running with admin-token:
--authenticator dns-desec --dns-desec-credentials /etc/letsencrypt/secrets/DOMAIN.se.ini -d "DOMAIN.se" -d "*.DOMAIN.se" --post-hook "systemctl reload nginx"
Seems the key is put into my empty TXT instead of creating a _acme-challenge…
—
Okay…
dig TXT _acme-challenge.hiet.se
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> TXT _acme-challenge.hiet.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22483
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.hiet.se. IN TXT
;; ANSWER SECTION:
_acme-challenge.hiet.se. 300 IN CNAME hiet.se.
hiet.se. 300 IN TXT "v=spf1 include:_spf.protonmail.ch ~all"
hiet.se. 300 IN TXT "Z46Iy2I1dnRba5PNhhBmAWlrZfg0FCL7FbTJGeIYHJY"
hiet.se. 300 IN TXT "dHJidYX8GGIHYsKpnyb1AYNCrFwcdJP3hXu3Kb4ClfQ"
hiet.se. 300 IN TXT "protonmail-verification=5c31f317f1375fae2154841c83935c26b474d723"
;; Query time: 101 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Dec 08 00:01:48 CET 2025
;; MSG SIZE rcvd: 306
Seems my * wildcard CNAME post created some issues while having a combination of other posts. Might have to create an A post for _acme-challenge. in the future.
Seems to be a new issue, used to work without an A post… or I might just have been lucky until now.
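The dig answer in the post above shows the _acme-challenge name answered by a CNAME, with the TXT values sitting at the CNAME target. The following check is an added example, not part of the original posts: it parses dig answer-section text, follows the CNAME chain and reports which name actually owns the challenge-shaped TXT values. The sample input is constructed, and the function names and the example.org name are assumptions for illustration.

```python
import re

# Constructed sample in dig's answer-section format (reserved example.org
# name, made-up token values of the right length).
TOKEN_A, TOKEN_B = "A" * 43, "B" * 43
SAMPLE_ANSWER = f"""\
_acme-challenge.example.org. 300 IN CNAME example.org.
example.org. 300 IN TXT "v=spf1 -all"
example.org. 300 IN TXT "{TOKEN_A}"
example.org. 300 IN TXT "{TOKEN_B}"
"""

# An ACME dns-01 TXT value is an unpadded base64url SHA-256 digest: 43 chars.
ACME_VALUE = re.compile(r"[A-Za-z0-9_-]{43}")
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|TXT)\s+(.+)$")


def parse_answer(text):
    """Return (cnames, txts): owner -> target, owner -> list of TXT strings."""
    cnames, txts = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip dig comment lines
            continue
        m = RECORD.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2), m.group(3).strip()
        if rtype == "CNAME":
            cnames[owner] = rdata.lower()
        else:
            txts.setdefault(owner, []).append(rdata.strip('"'))
    return cnames, txts


def check_challenge(qname, text):
    """Follow CNAMEs from qname; report where challenge-shaped TXT values live."""
    cnames, txts = parse_answer(text)
    qname = qname.lower().rstrip(".") + "."
    owner, seen = qname, set()
    while owner in cnames and owner not in seen:  # guard against CNAME loops
        seen.add(owner)
        owner = cnames[owner]
    values = txts.get(owner, [])
    tokens = [v for v in values if ACME_VALUE.fullmatch(v)]
    return {"queried": qname, "txt_owner": owner, "redirected": owner != qname,
            "acme_values": tokens,
            "other_txt": [v for v in values if v not in tokens]}


if __name__ == "__main__":
    print(check_challenge("_acme-challenge.example.org", SAMPLE_ANSWER))
```

A result with `redirected` set to true and a non-empty `other_txt` means the challenge values share a TXT record set with unrelated records at the CNAME target, which is the situation visible in the dig output above.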