Have you been using GoDaddy's API for validating your SSL certificates and updating your DNS records when your ISP changes your public IP? Well, if you are like me and don't have at least 10 domains or an active Discount Domain Club plan, you're getting the {"code":"ACCESS_DENIED","message":"Authenticated user is not allowed access"} error on your API calls. How nice.

I recommend moving to a registrar that has a free API, so you can update your DynDNS scripts and your integrations for DNS validation of SSL certs: Domeneshop.no for Norwegian users, for example, or Cloudflare if you'd like to save money on your non-national domains. More on that later.

Denying users access to the DNS API seems to be a new policy from GoDaddy

This change from GoDaddy seems to be a recent thing, and it's all over the internet, like here and here.

I myself sent an email to [email protected] stating:

I'm writing to air my discontent with the recent (and as far as I can see silent) change in your policy with regards to access to the Domain API (api.godaddy.com).

All of a sudden, I now get access denied when trying to use my API Key and API Secret to update DNS records programmatically. I used the API for keeping my semi-dynamic IP updated in DNS, and to generate SSL certificates with DNS validation through the ACME protocol.

I've switched the SSL validation to HTTP, but I still have to monitor and manually change my IP address in DNS the next time my provider changes it.

I've been a long time customer of GoDaddy, but I don't feel like a valued customer. Unless this change can be reverted, I'm not sure I'll be a customer of yours the next time my IP address changes.

I really hope you can fix this!

Unfortunately, I didn't get the answers I was hoping for:

My name is XXXX and I am part of the office of the CEO here at GoDaddy.

I've reviewed your query and I would like to advise you that we reserve the right to modify, update, suspend, or discontinue any part or feature of the GoDaddy API at any time and for any reason without any prior notice or liability to you.

We may, at our sole discretion, elect to terminate your eligibility to use the GoDaddy API, or revoke your API keys, if you breach or violate any of these Terms of Use, or for any other reason that we deem appropriate. You agree that we are not liable to you or any third-party for any termination or revocation of your eligibility to use the GoDaddy API, or your API keys, under any circumstances.

You can review all of this and more in this link:

https://developer.godaddy.com/getstarted#overview

The reply seems to imply I've broken some rules - but I can't fathom which rules. And they don't state it explicitly anyway. I decided to move away from GoDaddy. And it's quite easy!

Moving away from GoDaddy

Moving away is really easy. And for me, it was done in minutes.

  1. First, I went to the management page for my GoDaddy domain and clicked the "Transfer to another registrar" link.

From here I clicked through a well-scripted process, unlocked the domain and got an authorization code to be used at the new registrar. At this point, you should probably export your zone file. GoDaddy doesn't seem to allow other registrars to fetch it, so you must manually enter your DNS records at the new registrar after the move. You may get a little downtime, but actually not a lot, due to the time it takes for DNS to propagate and the existing TTL on your records.

  2. Second, I went to Domeneshop.no, which has a special page for incoming domain transfers. I initiated the transfer.

If you instead want to move to Cloudflare, you have to create a website first, then move the Nameservers from GoDaddy to Cloudflare. Once that is taken care of, you can initiate a domain transfer.

  3. Third, instead of waiting 5 days for the process to go through, check your OUTGOING domain transfers in your GoDaddy account and confirm the move.

  4. I updated my domain records.

I've moved all my domains this way. Cloudflare will almost cut your costs in half, compared to GoDaddy, while Domeneshop is about the same price as GoDaddy.

Setting up Dynamic DNS with Domeneshop or Cloudflare on Linux

So, if you host stuff at home, you're probably plagued by the fact that from time to time, your ISP will change your public IP-address. That's a bother for your self-hosted domains. This is how you fix it.

The gists are basically scripts that poll your public IP for changes. When there is a change, they call the Domeneshop API for Dynamic DNS changes, or the Cloudflare API for overwriting a DNS record, and all is good. I host a few domains from home, so polling my public IP address for changes must be centralized, or I'd exceed the rate limit of ipinfo.io, which is 50,000 API calls per month. That's why the two above gists run alongside a script whose only task is to write my newest public IP to a local cache. This script runs every minute, which is 44,640 times in a month with 31 days. Well below the rate limit for ipinfo.io.

I run these scripts in cron, and I make all scripts run every minute. This means you'll have very little downtime when your IP changes. With Domeneshop you'll get a maximum of 10+1 minutes of downtime, considering a TTL of 600. With Cloudflare you'll get at most around a minute or two of downtime if you use their proxy function.
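
As an added example (not one of the gists referred to above, and not the author's code), this is how the update side of that setup can look for Cloudflare: it reads the IP from the local cache, refuses anything that isn't a valid IPv4 address, and only calls the API when the address differs from the one last pushed. The file paths, CF_HEADER_FILE, CF_ZONE_ID, CF_RECORD_ID, RECORD_NAME and CF_PROXIED are assumptions.

```sh
#!/bin/sh
# Added example, not one of the post's gists. Assumed names: the two file
# paths, CF_HEADER_FILE, CF_ZONE_ID, CF_RECORD_ID, RECORD_NAME, CF_PROXIED.
CACHE_FILE="${CACHE_FILE:-/var/cache/ddns/public_ip}"    # written by the poller
STATE_FILE="${STATE_FILE:-/var/cache/ddns/last_synced}"  # last IP sent to DNS

# Accept only dotted-quad IPv4 with every octet in 0..255, so an error page
# or rate-limit message from the IP service can never reach the DNS record.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the cached IP and return 0 only if it is valid and differs from the
# address last pushed; every other case means "do nothing this minute".
pending_ip() {
    [ -r "$CACHE_FILE" ] || return 1
    new_ip=$(head -n 1 "$CACHE_FILE" | tr -d ' \r\n')
    valid_ipv4 "$new_ip" || return 1
    old_ip=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$new_ip" != "$old_ip" ] || return 1
    printf '%s\n' "$new_ip"
}

# Overwrite the A record via the Cloudflare v4 API. The Authorization header
# is read from a mode-600 file (curl -H @file) so the token stays out of ps.
push_cloudflare() {
    curl --silent --show-error --fail --max-time 20 -X PUT \
        -H @"$CF_HEADER_FILE" -H "Content-Type: application/json" \
        --data "{\"type\":\"A\",\"name\":\"$RECORD_NAME\",\"content\":\"$1\",\"ttl\":1,\"proxied\":${CF_PROXIED:-false}}" \
        "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records/$CF_RECORD_ID" \
        >/dev/null
}

# Cron entry point: only runs when the script is called with "run".
if [ "${1:-}" = "run" ]; then
    ip=$(pending_ip) || exit 0
    push_cloudflare "$ip" && printf '%s\n' "$ip" > "$STATE_FILE"
fi
```

The state file only advances after curl reports success, so a failed API call is retried on the next cron run.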

Setting up DNS validation for your LetsEncrypt certificates

This is easy too! Domeneshop and Cloudflare both maintain a plugin for certbot, so support is included in many automatic tools, for instance Traefik. You can run HA behind Traefik instead of, for example, Nginx, and then Traefik will allow you to set security policies, manage SSL certificates, etc.

If you experience problems with the Cloudflare proxy, try setting the TLS/SSL mode to "Full (strict)".

If you use whitelisting or IP allow-lists on your server to allow access to content when you're at home, you need to disable the Cloudflare proxy function per record. Otherwise, your servers will always think you're connecting from a Cloudflare IP, and those should NOT be whitelisted!
