Issue Digital Ocean DNS extension gives Server Error 500

[Sergio Manzi]

Hello everybody (after such a long time...)!

Environment: Plesk Onyx Version 17.8.11 Update #46 under CentOS Linux 7.6.1810 on a DO VPS, DO DNS extension 1.1.1-37

Issue: Accessing the DO DNS extension I get an error 500 page with:

Type League\OAuth2\Client\Provider\Exception\IdentityProviderException
Message invalid_grant
File DigitalOcean.php
Line 71​

SNAFU: In my DO panel I don't see anymore the API token I used for the DO DNS extension. I don't have any recollection of having deleted it and I tend to exclude anybody else did (2FA activated on my account...), but hey, if it is no there it is not there...

Extra (probably useless) info: in my DO "Security History" I see latest DNS sync was 2 months ago (consistent with changes made on my Plesk panel) and I don't see any entry about the API token having been deleted after that

Catch 22: I generated a new token on DO, but I have no way to enter it into the Plesk extension as it gives me the 500 right away...

Question: Help meeeee!!! Is there a way to set the new token from the command line or by editing some file somewhere?

Many thanks in advance to whomever can give me an hint...

Sergio

 

[MarkM]

Try hitting the path directly?

:8443/modules/digitaloceandns/index.php/index/update-auth-parameters

 

[Sergio Manzi]

Hi Mark! Thanks for taking care of this!

Ehehehheh... great idea, and I swear I was just thinking about the same, but I hadn't the link!

... aaaaand it worked, at first, sending me to the DigitalOcean extension authorization page, but with a kinda expected "Error: Invalid authorization token. Unable to authenticate you." message.

It worked also at the second step, when I clicked on the "Authorize" link on that page and I was sent to a DO page, where I authorized the application (also confirming by clicking on the "Confirm Sending Data" pop-up link), but then.... Error 500, the very same as above, and in the DO API page I still don't have any authorized App...!

In the extensions catalog ( :8443/modules/catalog/index.php/catalog/package/digitaloceandns) the changelog for version 1.1.1 (15 Mar 2019) says:

Updated the authorization token necessary for the extension to operate correctly. If you used the extension earlier than version 1.1.1, you may face issues with existing domains activated in DigitalOcean DNS.

How do I know if my domains were affected?

• On the "Overview" tab of the extension, the domains are now marked as "Disabled" under "DigitalOcean DNS Zone".
• On the "DigitalOcean Authorization" tab of the extension, you see the "Invalid authorization token. Unable to authenticate you" error.

How can I make my domains and extension operational again?

Please do the following:

1. Update the DigitalOcean DNS extension to version 1.1.1 (if it is not done yet).
2. On the "DigitalOcean Authorization" tab of the extension, click Authorize.

This will restore the domains and the extension to operation.

... which seems to imply some change in the authorization method (and some unexpected troubles from the user's POW...). Problem is that (thanks to your advice or it would had been impossible), I just did what they say to do (the update happened automatically), but it didn't work.

My guts says that if we can find where the invalid authorization info is stored in Plesk and get rid of it, I might have some more odds at succeeding...

Anyway, I might be wrong, but I smell a bug here...

Thanks again Mark,

Sergio

 

[Sergio Manzi]

Should I try to remove the extension and re-install it?
Can this give me troubles with my currently active zones at DO?

 

[Sergio Manzi]

... and is this normal?

# cd /usr/local/psa/admin/sbin/modules
# ll
total 20
drwxr-xr-x. 2 root psaadm 4096 Mar 7 2018 firewall
drwxr-xr-x. 2 root root 4096 Jan 25 03:11 letsencrypt
drwxr-xr-x. 2 root root 4096 Dec 18 03:42 rest-api
drwxr-xr-x. 2 root root 4096 Dec 14 2017 syslog-watch
drwxr-xr-x. 2 root psaadm 4096 Mar 13 01:42 watchdog
#

... no sign of anything related to DO DNS...

 

[MarkM]

Seems to be here in the SessionContexts table;

Dropbox - Screenshot 2019-03-23 19.42.22.png


Wonder what happens if you drop that entry? ¯\_(ツ)_/¯

 

[Sergio Manzi]

Hi again, Mark!

I didn't had anything related to DO in my SessionsContext table, but... I successfully hacked around the issue!

• First I identified my "digitaloceandns" module "id" in the Modules table (it is 21 in my case)
• Then in the ModulesSetting table I identified 3 rows having module_id=21 (they have very suspicious names: authRefreshToken, authToken and authTokenExpires)
• I nuked those three rows (actually I didn't: I changed their module_id to 2121, which is not referenced in my Modules table, just to play it safe and be able to quickly revert in case of need...)
• Then I accessed the DO extension from my panel, I was directly sent to the Authorization page, I did it, and..... success!! Everything is fine now!

A couple of further considerations:

• The bug smell is stronger and stronger, so I'm not flagging this as resolved as I'd like someone from Plesk have a look at this.
  
• The value I had in authTokenExpires was 1549979223 that in Unix Time is "Tue, 12 Feb 2019 13:47:03 GMT", waaaay in the past. Could it be that something bad might happen if one doesn't access the DO extension for a long time? It's probably a long shot, but...

Cheers and thanks again,

Sergio

 

[MarkM]

Seems like there should be some automation to keep the auth token fresh....

 

[OlegT]

Could it be that something bad might happen if one doesn't access the DO extension for a long time? It's probably a long shot, but...

Yes, because of this, I had problems with the Let's Encrypt certificate renewal. The extension could not add a TXT record to DNS for verification.
After that, I discovered that DigitalOcean DNS Extension gives Server Error 500

 

[Sergio Manzi]

Hello @OlegT!

So you had the same issue I had? Did you solved it the same way I did?

I think a (semi-)official answer from Plesk to all using this extension would be appropriate:

• Is this a known issue?
• Was it a one-off occurrence due to the modification of the way the extension authenticate itself with DO?
  
• More important, do we have to periodically tickle the DO DNS Extension in order to renew credentials?
• If yes, isn't some kind of automation in the plans?

Cheers,

Sergio

 

[OlegT]

Hello @OlegT!
So you had the same issue I had? Did you solved it the same way I did?

No, I am not an admin and do not know how to edit the Modules table.
I am waiting for the official response from Plesk.

 

[Sergio Manzi]

OK, @OlegT!

In case you're stuck please feel free to get in touch with me with a private message: I can give you or your admin more details about what I did and how it solved my issue...

Cheers,

Sergio

 

[MarkM]

Yes, because of this, I had problems with the Let's Encrypt certificate renewal. The extension could not add a TXT record to DNS for verification.
After that, I discovered that DigitalOcean DNS Extension gives Server Error 500

Sounds to me like two completely separate issues. Just my two cents.

 

[OlegT]

Sounds to me like two completely separate issues. Just my two cents.

Why separate? DigitalOcean DNS Extension doesn't work. This causes problems for other services that are trying to change the DNS settings.

 

[OlegT]

OK, @OlegT!
In case you're stuck please feel free to get in touch with me with a private message: I can give you or your admin more details about what I did and how it solved my issue...

I appreciate your help. My certificates expire after 28 days, so there is still time to wait for the official patch.

 

[OlegT]

Since there is no official response for more than two weeks, I decided to correct the situation myself.
After the second reinstallation of the extension and server reboot, I was able to update the authorization parameters from DO.