Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Cannot get Let's Encrypt cert via cloudflare dns challange

See original GitHub issue

I have set a brand new NPM container and I am trying to get SSL certs but keep failing,

Below is the error i get in the logs

[10/29/2020] [8:22:41 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/29/2020] [8:22:41 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates via Cloudflare for Cert #2: manage.habibtain.com
[10/29/2020] [8:22:52 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/29/2020] [8:22:52 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --non-interactive --cert-name "npm-2" --agree-tos --email "mohsinhassan88@gmail.com" --domains "manage.habibtain.com" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials-2"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None

Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for manage.habibtain.com
Cleaning up challenges

Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.8.13)

I don’t know which part I am missing

i am sure the API key I provided is correct.

Can you please guide me

Issue Analytics

State:
Created 3 years ago
Comments:20 (1 by maintainers)

Top GitHub Comments

5reactions

ikomhoogcommented, Nov 3, 2020

Update: went to test some more and found a temporary solution. the token doesn’t work, but the less secure email and key combination work. instead of the

# Cloudflare API token
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

we need to use

# Cloudflare API token
dns_cloudflare_email=something@hotmail.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

so there might be something wrong with either the token implementation or the cloudflare API (which was down last night).

I hope this helps further debugging.

2reactions

koshiacommented, Feb 26, 2021

I hate to bring a closed issue back to life and it may be something on Cloudflare’s end but can someone confirm for me that I don’t need the TXT records created ahead of time in my DNS Zones when using Cloudflare option? I’m looking at the log when it tries to go out and register letsencrypt - it creates the two TXT records and then deletes it but then fails the challenge. If I set up the TXT records, it wouldn’t match when I resubmit the registration through NPM. Single subdomain works, whole domain and wildcard via DNS Challenge fails via the Zone EDIT API method.