Letsencrypt: GoDaddy wildcard certificate error #3746

Closed
rupert12pl opened this issue Sep 3, 2024 · 5 comments

@rupert12pl

Describe the issue you are experiencing

The wildcard certificate does not work for letsencrypt.
For full-name domains, the certificate is generated correctly.

Logs:

s6-rc: info: service legacy-services successfully started
[21:26:51] INFO: Selected DNS Provider: dns-godaddy
[21:26:51] INFO: Use propagation seconds: 60
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for xxx and 2 more domains
Error determining zone identifier for rob-m.de: 401 Client Error: Unauthorized for url: https://api.godaddy.com/v1/domains/xxx
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Let's Encrypt

What is the version of the add-on?

5.1.3

Steps to reproduce the issue

  1. domains: *.domain.com
  2. Authentication credentials

For full-name domains, the certificate is generated correctly.

System Health information

Nothing to repair

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

No response

Additional information

No response

@agners
Member

agners commented Sep 5, 2024

@dim-0 do you have thoughts on this issue?

@dim-0
Contributor

dim-0 commented Sep 5, 2024

Yes, unfortunately I do.

GoDaddy has changed their account requirements for using the production API.
In the case of the DNS-related endpoints, you must be a customer with 10 domains or more and/or subscribe to their premium membership plan (see https://developer.godaddy.com/getstarted - last point under "API Access, Usage, and Limitations").
In that respect, I believe that this has nothing to do with wildcards.

This struck me the same way, as I had been using their API successfully in the past. Also, I don't understand the reason for this artificial limitation.
I should probably add a note to the documentation to warn other users about this caveat.

I myself am now looking for a domain registrar that offers a decent API, DNSSEC, and Whois-Protection. I haven't come to a final conclusion yet, though.

@agners
Member

agners commented Sep 5, 2024

> I should probably add a note to the documentation to warn other users about this caveat.

Or could we maybe even detect such a setting and error out ahead of calling the API? 🤔 But then, they might fix the API. We probably could just add a warning and let code continue, just in case this gets fixed API side 🤔
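One way to do the "warn and let code continue" check discussed above, as an added example that is not the add-on's code: a POSIX shell filter that reads certbot output and reports an HTTP 401 from the DNS provider API separately from other failures. The function names and the sample log (modelled on the one in the issue) are constructed, and treating 403 like 401 is an assumption.

```shell
# Added example (not the add-on's code): triage certbot output so a DNS
# provider API rejection is not mistaken for a wildcard/ACME problem.

# Constructed sample, modelled on the log in the issue (domain replaced).
SAMPLE_LOG='Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for example.com and 2 more domains
Error determining zone identifier for example.com: 401 Client Error: Unauthorized for url: https://api.godaddy.com/v1/domains/example.com'

# Reads certbot output on stdin and prints one of:
#   "provider-api-auth <host> <status>"  HTTP 401/403 from the provider API
#   "other-failure"                      some other error line
#   "ok"                                 nothing that looks like an error
diagnose_certbot_output() {
    diagnosis="ok"
    while IFS= read -r line; do
        case $line in
            *" Client Error: "*" for url: https://"*)
                status=$(printf '%s\n' "$line" |
                    sed -n 's/.*\([0-9][0-9][0-9]\) Client Error: .*/\1/p')
                host=$(printf '%s\n' "$line" |
                    sed -n 's|.* for url: https://\([^/ ]*\).*|\1|p')
                # Assumption: 403 is grouped with the 401 seen in the issue.
                if [ "$status" = 401 ] || [ "$status" = 403 ]; then
                    echo "provider-api-auth $host $status"
                    return 0
                fi
                diagnosis="other-failure" ;;
            Error*) diagnosis="other-failure" ;;
        esac
    done
    echo "$diagnosis"
}

# Prints a warning for provider-api-auth results and always returns 0, so the
# caller carries on in case the provider changes its API policy again.
warn_on_provider_auth() {
    result=$(diagnose_certbot_output)
    case $result in
        "provider-api-auth api.godaddy.com "*)
            echo "WARNING: GoDaddy API refused the request (${result##* });" \
                 "GoDaddy restricts production DNS API access by account," \
                 "see https://developer.godaddy.com/getstarted" ;;
        "provider-api-auth "*)
            echo "WARNING: DNS provider API refused the credentials: $result" ;;
    esac
    return 0
}

printf '%s\n' "$SAMPLE_LOG" | warn_on_provider_auth
```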


github-actions bot commented Oct 5, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions bot added the stale label Oct 5, 2024
github-actions bot closed this as not planned Oct 12, 2024

@dim-0
Contributor

dim-0 commented Oct 14, 2024

> I should probably add a note to the documentation to warn other users about this caveat.

#3799
