dnsimple: scoped access tokens fail

[smaddock]

Welcome

• Yes, I'm using a binary release within 2 latest releases.
• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've included all information below (version, config, etc).

What did you expect to see?

A successful DNS-01 solution

What did you see instead?

403 Permission Denied. Required Scope: zones:*:read

How do you use lego?

Binary

Reproduction steps

1. Create a DNSimple access token with full-access to specific Zones in the DNSimple account https://support.dnsimple.com/articles/api-access-token/#scoped-access-tokens
2. Export that access token as the environment variable DNSIMPLE_OAUTH_TOKEN
3. Run lego to obtain a cert for a domain within the access token's scoped zones, with a DNSimple DNS-01 challenge. E.g., lego -d subdomain.scoped-zone.com --dns dnsimple run

Effective version of lego

lego version 4.22.2 darwin/arm64

Logs

2025/03/04 12:33:30 [INFO] [<redacted>] acme: Obtaining bundled SAN certificate
2025/03/04 12:33:30 [INFO] [<redacted>] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/<redacted>/<redacted>
2025/03/04 12:33:30 [INFO] [<redacted>] acme: Could not find solver for: tls-alpn-01
2025/03/04 12:33:30 [INFO] [<redacted>] acme: Could not find solver for: http-01
2025/03/04 12:33:30 [INFO] [<redacted>] acme: use dns-01 solver
2025/03/04 12:33:30 [INFO] [<redacted>] acme: Preparing to solve DNS-01
2025/03/04 12:33:31 [INFO] [<redacted>] acme: Cleaning DNS-01 challenge
2025/03/04 12:33:31 [WARN] [<redacted>] acme: cleaning up failed: dnsimple: API call failed: GET https://api.dnsimple.com/v2/<redacted>/zones?name_like=<redacted>: 403 Permission Denied. Required Scope: zones:*:read 
2025/03/04 12:33:31 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz/<redacted>/<redacted>
2025/03/04 12:33:31 Could not obtain certificates:
	error: one or more domains had a problem:
[<redacted>] [<redacted>] acme: error presenting token: dnsimple: API call failed: GET https://api.dnsimple.com/v2/<redacted>/zones?name_like=<redacted>: 403 Permission Denied. Required Scope: zones:*:read

Go environment (if applicable)

n/a

[smaddock]

DNSimple released "scoped access tokens" on December 18: https://blog.dnsimple.com/2023/11/scoped-access-tokens/

The current implementation of ‎DNSProvider.getHostedZone in the dnsimple package calls d.client.Zones.ListZones and then parses the list locally.

lego/providers/dns/dnsimple/dnsimple.go

Line 166 in 4675ef7

zones, err := d.client.Zones.ListZones(context.Background(), accountID, &dnsimple.ZoneListOptions{NameLike: &zoneName})

That call requires read access to all the zones in the DNSimple account, which is more permissive access than should be required to complete the DNS-01 challenge.

The call to ListZones in the upstream provider repo could be replaced with a call to GetZone instead. The zoneName is already parsed by this library, which is the only additional parameter in that method call. I have tested the call with a scoped access token via the API and it returns successfully.

[ldez]

Hello,

Could you try my PR #2467?

[smaddock]

Dang you're fast! I will test as soon as Let's Encrypt staging is back up 🤦 https://letsencrypt.status.io/

[smaddock]

Your PR resolves this issue. Thank you!

Using a scoped access token with lego version 4.22.2 darwin/arm64:

2025/03/04 15:21:38 [INFO] [<>] acme: Obtaining bundled SAN certificate
2025/03/04 15:21:38 [INFO] [<>] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/<>/<>
2025/03/04 15:21:38 [INFO] [<>] acme: Could not find solver for: tls-alpn-01
2025/03/04 15:21:38 [INFO] [<>] acme: Could not find solver for: http-01
2025/03/04 15:21:38 [INFO] [<>] acme: use dns-01 solver
2025/03/04 15:21:38 [INFO] [<>] acme: Preparing to solve DNS-01
2025/03/04 15:21:40 [INFO] [<>] acme: Cleaning DNS-01 challenge
2025/03/04 15:21:40 [WARN] [<>] acme: cleaning up failed: dnsimple: API call failed: GET https://api.dnsimple.com/v2/<>/zones?name_like=<>: 403 Permission Denied. Required Scope: zones:*:read 
2025/03/04 15:21:40 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz/<>/<>
2025/03/04 15:21:40 Could not obtain certificates:
	error: one or more domains had a problem:
[<>] [<>] acme: error presenting token: dnsimple: API call failed: GET https://api.dnsimple.com/v2/<>/zones?name_like=<>: 403 Permission Denied. Required Scope: zones:*:read

Using a scoped access token with lego version 19fc36bc0692e2eec3644ed81c35b13f5d5b98c2 darwin/arm64:

2025/03/04 15:21:50 [INFO] [<>] acme: Obtaining bundled SAN certificate
2025/03/04 15:21:50 [INFO] [<>] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/<>/<>
2025/03/04 15:21:50 [INFO] [<>] acme: Could not find solver for: tls-alpn-01
2025/03/04 15:21:50 [INFO] [<>] acme: Could not find solver for: http-01
2025/03/04 15:21:50 [INFO] [<>] acme: use dns-01 solver
2025/03/04 15:21:50 [INFO] [<>] acme: Preparing to solve DNS-01
2025/03/04 15:21:51 [INFO] [<>] acme: Trying to solve DNS-01
2025/03/04 15:21:51 [INFO] [<>] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53,1.0.0.1:53]
2025/03/04 15:21:53 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/03/04 15:22:00 [INFO] [<>] The server validated our request
2025/03/04 15:22:00 [INFO] [<>] acme: Cleaning DNS-01 challenge
2025/03/04 15:22:00 [INFO] [<>] acme: Validations succeeded; requesting certificates
2025/03/04 15:22:00 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2025/03/04 15:22:02 [INFO] [<>] Server responded with a certificate.