https://go-acme.github.io/lego/dns/godaddy/index.html#additional-configuration

GoDaddy has recently (2024-04) updated the account requirements to access parts of their production Domains API:

Availability API: Limited to accounts with 50 or more domains.
Management and DNS APIs: Limited to accounts with 10 or more domains and/or an active Discount Domain Club plan.

https://community.letsencrypt.org/t/getting-unauthorized-url-error-while-trying-to-get-cert-for-subdomains/217329/12

Related to #2182

You should consider replacing GoDaddy with a DNS provider with a better policy.

If you already own a domain in another DNS provider, you can use the CNAME approach, like that you will be able to still use your GoDaddy domain.

Sadly I have no other solution, the GoDaddy API policies are extremely bad.

Hi,

I should have noted in my original, that the GET URL also appears to work without restriction:

curl --verbose \
  -X GET \
  -H "Authorization: sso-key x:y" \
  -d "" \
  "https://api.godaddy.com/v1/domains/domain.tld/records/TXT/_acme-challenge.infra"

This should allow getting all TXT record for a domain or subdomain. I'm not sure where the "Authenticated user is not allowed access" message is being generated from, the log line just before indicate that it is cleaning up. I'm not sure of the particular API being called at this point though.

2024/09/10 19:19:15 [INFO] [*.subdomain.domain.tld] acme: Cleaning DNS-01 challenge
2024/09/10 19:19:15 [WARN] [*.subdomain.domain.tld] acme: cleaning up failed: godaddy: failed to get all TXT records: unexpected status code: [status code: 403] body: {"code":"ACCESS_DENIED","message":"Authenticated user is not allowed access"}

Sorry, I mixed the 2 endpoints in my head but the problem is the same:

lego uses:

• GET https://api.godaddy.com/v1/domains/example.com/records/TXT/_acme-challenge to get all the TXT records.
• PUT https://api.godaddy.com/v1/domains/example.com/records/TXT/_acme-challenge to add/delete TXT records.

As there are no alternatives to add a TXT record then there is no solution.

After re-checking the doc, there is another endpoint https://developer.godaddy.com/doc/endpoint/domains#/v1/recordAdd

But I guess the limitations are the same as the PUT endpoint.

Also, it seems (from a post on a forum) like the API limitations are not the same for the apex (example.com/_acme-challenge.example.com) or a subdomain (foo.example.com/_acme-challenge.foo.example.com)

But I think this doesn't really change the possibilities.

let me re-clarify here:

I do get the issue with GoDaddy, and would encourage every user to make a formal complaint for a basic API access. However, it will be a commercial decision and so unlikely to change. That said, there appears to be a route to allow the Lego provider to work, but it seems like one particular API is being called which triggers the issue.

If there's a way to get HTTP trace logging out of Lego, I'm more than happy to debug, and locate the specific API being called that causes the issue.

The lego implementation for GoDaddy is basic:

• 2 calls to get all TXT records:
  • https://developer.godaddy.com/doc/endpoint/domains#/v1/recordGet
• one call to update the TXT records:
  • https://developer.godaddy.com/doc/endpoint/domains#/v1/recordReplaceTypeName
• one call to delete the TXT record:
  • https://developer.godaddy.com/doc/endpoint/domains#/v1/recordReplaceTypeName

It's the same call to add and "delete".

So nothing special.

failed to get all TXT records: unexpected status code: [status code: 403] body: {"code":"ACCESS_DENIED","message":"Authenticated user is not allowed access"

The error message is clear: it fails during the clean up when lego gets all domains.

The workflow is this one:

• "present"
  • get all records
  • add the new record
• "cleanup"
  • get all records
  • remove the new record

GoDaddy limitations are extreme: one call can work but 2 calls in a row are not working.

Clearly, you should go away from this DNS provider or use the CNAME approach with another DNS provider.

Found the issue.

The error in question is generated from the godaddy.go:177. The final argument to this call is a blank string. I presume at some point, this meant all records of type. This is passed to client.go:40 where it is placed into the request.

Replicating the call in curl gets the same API error:

curl \
  -X GET \
  -H "Authorization: sso-key x:y" \
  "https://api.godaddy.com/v1/domains/domain.tld/records/TXT/"
{"code":"ACCESS_DENIED","message":"Authenticated user is not allowed access"}

However, placing "_acme-challenge." in the final argument works correctly. 100% of the time.

e.g.

curl \
  -X GET \
  -H "Authorization: sso-key x:y" \
  "https://api.godaddy.com/v1/domains/domain.tld/records/TXT/_acme-challenge.subdomain"
[...]

The "subdomain" part should be the domain(s) between the root of the owned domain in the GoDaddy console and the record. For example requesting "a.b.c.example.com" and "example.com" is the owned domain, then the last part of the request should be "_acme-challenge.a.b.c"

oh I see

Can you try #2270 ?

In fact, there are some API changes because this implementation has been used since 2020 without problems.

Good catch 👍

I modified the implementation to follow your findings and also implemented the DELETE.

I will wait for your feedback about #2270.

Tested. There were some latent issues with the API. I've fixed and attached a diff. Sorry, was having trouble updating the PR.
godaddyfix.diff.patch

Most of your patch was already inside the PR, so I just kept the effective diff.

d424d2d