6003 Invalid request headers

I redeployed jc21/nginx-proxy-manager:latest, and afterward, everything appeared to be empty! Now, I'm attempting to create the SSL certificate for the domain, but it's failing with this error.

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-6" --agree-tos --email "tomas@dmz.se" --domains "*.dmz.se,dmz.se" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-6"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.12.4)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

What's the problem? I appreciate all the assistance; I'm currently stuck with inaccessible servers. Thanks in advance!

Hi @tomasenskede, and welcome to the LE community forum :slight_smile:

Four things:

  • NPM is not a fan favorite in this forum
  • Why did you have to redeploy?
  • What was found "empty"?
  • Have you otherwise tested your CF creds?
1 Like

In addition to the problem with your Cloudflare credentials, your server is not accessible at all.

There are recent and viable wildcard certs issued by both Let's Encrypt and Google. But, your server is not using them. You have unexpired certs from other providers too.

That said, you should be able to use the Cloudflare plug-in to get yet another cert. But, that won't help until you resolve your server connectivity problem.

https://www.ssllabs.com/ssltest/analyze.html?d=dmz.se&hideResults=on

List of unexpired certs:

2 Likes

@rg305

  • sorry
  • I hastily updated to acquire the most recent version, acting without careful consideration— a regrettable blunder.
  • no users, no hosts, no certs etc
  • I can log in to my admin site for the domain without problem. I can access my API etc...

@MikeMcQ
Can't my Docker container access anything? I have a port forward to this host... it used to work before the redeployment.

Please help us help you by answering as many of the questions that are normally presented to all help topics:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

My domain is: dmz.se

I ran this command: only the GUI of Nginx Proxy Manager

It produced this output: see above

My web server is (include version): Installed with this docker compose:

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    #image: 'NginxProxyManager/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    # environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

The operating system my web server runs on is (include version): Docker, Debian

My hosting provider, if applicable, is: Debian 5.10.191-1, Docker 24.0.6

I can login to a root shell on my machine (yes or no, or I don't know): yes, no problem

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Is that the FQDN of the problem system?

1 Like

It's my domain, indeed. It's hosted at Cloudflare, and I typically use a wildcard domain certificate for this domain, which is *.dmz.se.

I can reach that domain on HTTP but not with HTTPS. Not exactly sure why you would get this error but have you changed your port forwarding or HTTPS config at all?

Is openresty your server? Are you sure the public IP is still correct? Because on port 80 all I see is a default NPM page saying site not yet set up.

curl -I http://dmz.se
HTTP/1.1 200 OK
Server: openresty

curl -I https://dmz.se
curl: (35) error:0A000458:SSL routines::tlsv1 unrecognized name
2 Likes

My nginx proxy manager doesn't have the SSL certs, that's why you can't reach it over 443...

Have you checked that the credentials file has the correct items for the kind of Cloudflare token/key you have?

You can get that 6003 error when using the wrong format, like using a token when you actually used a global key (not recommended).

https://certbot-dns-cloudflare.readthedocs.io/en/stable/

2 Likes

I use the "Origin CA Key"

You may need to visit NPM forum to learn how to check that then.

It might create that file dynamically.

2 Likes

I found this issue:
image

Can't understand why... I will try the NPM forum. Thanks for your support!

1 Like

Have you always used this?

Because Cloudflare suggests avoiding that and I don't see that as a supported type in the Certbot Cloudflare plug-in. Only the two other types are described

2 Likes

When I created the credentials-6 file manually I got this error:

Unsafe permissions on credentials configuration file: /etc/letsencrypt/credentials/credentials-6
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.12.4)
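The replies above point at three distinct ways a certbot-dns-cloudflare credentials file can be wrong before Cloudflare is ever contacted: the file is group/world readable (the "Unsafe permissions" line), it mixes or lacks the dns_cloudflare_* keys the plug-in expects, or the secret pasted into the token field is not an API token at all (an Origin CA key, or the global API key). The script below is an added, hypothetical helper written for this thread; it is not part of certbot, the Cloudflare plug-in or Nginx Proxy Manager. It re-implements certbot's permission check (any group/other bit set on the file is reported), parses the section-less INI the plug-in reads, and classifies the secret with assumed format heuristics (API token: 40 characters of letters, digits, `-`, `_`; global API key: 37 lowercase hex characters; Origin CA key: begins with `v1.0-`). It also builds the headers for a manual credential test: bearer auth for a token, `X-Auth-Email`/`X-Auth-Key` for the global key. The sample file contents are constructed, not real secrets.

```python
"""Sanity-check a certbot-dns-cloudflare credentials file before running certbot.

Hypothetical helper for this thread (not certbot's own code). It mirrors the two
checks certbot does locally (file permissions, which credential keys are present)
and adds a heuristic for the *kind* of secret, so an Origin CA key or global API
key pasted into the token field is caught before Cloudflare answers 6003.
"""
import configparser
import os
import re
import stat
import tempfile

# Keys the certbot-dns-cloudflare plug-in reads from its credentials INI.
TOKEN_KEY = "dns_cloudflare_api_token"
EMAIL_KEY = "dns_cloudflare_email"
GLOBAL_KEY = "dns_cloudflare_api_key"

# Assumed formats of the three credential kinds Cloudflare issues.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{40}$")   # API token
GLOBAL_RE = re.compile(r"^[0-9a-f]{37}$")       # global API key
ORIGIN_CA_PREFIX = "v1.0-"                      # Origin CA key (no DNS-01 use)


def parse_credentials(path):
    """Return the dns_cloudflare_* keys in the file. The plug-in reads a
    section-less INI, so a dummy header is prepended for configparser."""
    parser = configparser.RawConfigParser()
    with open(path, "r", encoding="utf-8") as fh:
        parser.read_string("[certbot]\n" + fh.read())
    return {k: v.strip() for k, v in parser["certbot"].items()
            if k.startswith("dns_cloudflare_")}


def check_permissions(path):
    """Mirror certbot's 'Unsafe permissions' warning: any group/other bit set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077 == 0:
        return []
    return [f"unsafe permissions {oct(mode)} on {path}: run chmod 600 on it"]


def classify_secret(value):
    """Heuristic classification of a pasted Cloudflare secret."""
    if value.startswith(ORIGIN_CA_PREFIX):
        return "origin-ca-key"
    if TOKEN_RE.match(value):
        return "api-token"
    if GLOBAL_RE.match(value):
        return "global-api-key"
    return "unknown"


def check_credentials(creds):
    """Return a list of problems; an empty list means the keys look consistent."""
    problems = []
    has_token = TOKEN_KEY in creds
    has_global = EMAIL_KEY in creds or GLOBAL_KEY in creds
    if has_token and has_global:
        problems.append("both token and email/global-key set; keep only one")
    if not has_token and not has_global:
        problems.append("no dns_cloudflare_* credential keys found")
    if has_token:
        kind = classify_secret(creds[TOKEN_KEY])
        if kind != "api-token":
            problems.append(f"{TOKEN_KEY} holds a {kind}, expected an API token")
    if has_global:
        if EMAIL_KEY not in creds or GLOBAL_KEY not in creds:
            problems.append("global-key auth needs both "
                            f"{EMAIL_KEY} and {GLOBAL_KEY}")
        elif classify_secret(creds[GLOBAL_KEY]) != "global-api-key":
            problems.append(f"{GLOBAL_KEY} does not look like the global API key")
    return problems


def verification_request(creds):
    """URL and headers for a manual credential test (the caller sends it):
    tokens use a Bearer header, the global key uses X-Auth-Email/X-Auth-Key."""
    if TOKEN_KEY in creds:
        return {"url": "https://api.cloudflare.com/client/v4/user/tokens/verify",
                "headers": {"Authorization": f"Bearer {creds[TOKEN_KEY]}"}}
    return {"url": "https://api.cloudflare.com/client/v4/zones",
            "headers": {"X-Auth-Email": creds.get(EMAIL_KEY, ""),
                        "X-Auth-Key": creds.get(GLOBAL_KEY, "")}}


def audit(path):
    """Run all local checks on one credentials file."""
    return check_permissions(path) + check_credentials(parse_credentials(path))


def audit_sample(text, mode):
    """Write constructed content to a temp file with the given mode, audit, clean up."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    try:
        return audit(path)
    finally:
        os.remove(path)


# Constructed sample files (not real secrets).
GOOD = f"{TOKEN_KEY} = {'a' * 40}\n"
ORIGIN_CA = f"{TOKEN_KEY} = v1.0-{'b' * 60}\n"

if __name__ == "__main__":
    print("good:", audit_sample(GOOD, 0o600) or "ok")
    print("origin CA key, mode 644:", audit_sample(ORIGIN_CA, 0o644))
```

Run it against a real file with `audit("/etc/letsencrypt/credentials/credentials-6")` from inside the container; an empty list means the remaining suspects are the token's permissions in Cloudflare (Zone:DNS:Edit on the zone) or the path certbot was given, not the file's shape.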

Why are you using NPM?
[has that ever worked for you?]

Have you tested those credentials?

2 Likes

@rg305
To enable hosting various services through a single IP address.

Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.12.4)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

NPM is not the only solution for that - and NPM usually brings a lot of headaches :frowning:

1 Like

Can you recommend a good solution that has good support for Let's Encrypt and Cloudflare SSL certs?

I redeployed NPM to "stable" version and then I got this:

Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.12.4)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)