Acme.sh cloudflare, timeouts and Error getting validation data

I've been using "certbot --manual --preferred-challenges dns certonly" for many years, updating my domains every 90 days manually into cloudflare. Only two hosts in the domain have webservers associated with them - the rest are mail and other types of servers that need certs. I've recently learned it's possible to use acme.sh to automate the process using the cloudflare API.

I've managed to properly authenticate to the cloudflare API in my account, but now receiving timeouts when trying to communicate with the CA. I was using the default zerossl CA, but it was always timing out when "The CA is processing your order":

[Mon Sep  5 07:51:15 PM EDT 2022] Verifying: arcade.example.com
[Mon Sep  5 07:51:19 PM EDT 2022] Processing, The CA is processing your order, please just wait. (1/30)
...
[Mon Sep  5 07:54:23 PM EDT 2022] arcade.example.com:Timeout
[Mon Sep  5 07:54:23 PM EDT 2022] Please check log file for more details: /home/alex/.acme.sh/acme.sh.log

I saw a related thread from some time ago, and it reports constant problems with zerossl, so I changed the CA to letsencrypt:

$ ./acme.sh --set-default-ca --server letsencrypt
[Mon Sep  5 07:57:36 PM EDT 2022] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory

Except now it reports a different error, like it's checking the website for proper authorization instead of just using DNS:

[Mon Sep  5 07:38:34 PM EDT 2022] arcade.example.com:Verify error:107.155.22.2: Fetching http://arcade.example.com/.well-known/acme-challenge/nMn0BPYdI2jtsl1HWA-6wLWs2NAPnshrzNMYfVB3zpc: Error getting validation data
[Mon Sep  5 07:38:35 PM EDT 2022] Please check log file for more details: /home/alex/.acme.sh/acme.sh.log

I'm not sure what to do next. How do I specify I want to do DNS only?


Thanks so much for your help. I should have been more clear, and provided the commands I am currently using. I've already figured out how to authenticate to the cloudflare API and use it to try and create the certs, I believe.

This is the command I am running that results in the error messages I've provided above:

$ ./acme.sh -d arcade.example.com --log --issue --dns cf --dnssleep 1200

I'm running a similar command with my domains using cloudns.net and they worked fine.

I'm otherwise unclear on what I'm missing.

I just realized there was a typo in my command line. I had written "cf" instead of "dns_cf". After correcting it, I have a different error:

$ ./acme.sh -d arcade.example.com --log --issue --dns dns_cf --dnssleep 1200 --server letsencrypt
...
[Mon Sep  5 08:51:16 PM EDT 2022] Adding txt value: Yf5besLrPWu9Gzjor04QPPo5jKCf6VU0T1QMl_eeX9M for domain:  _acme-challenge.arcade.example.com
[Mon Sep  5 08:51:17 PM EDT 2022] invalid domain
[Mon Sep  5 08:51:17 PM EDT 2022] Error add txt for domain:_acme-challenge.arcade.example.com
[Mon Sep  5 08:51:17 PM EDT 2022] Please check log file for more details: /home/alex/.acme.sh/acme.sh.log

There are no other details in the log. I also tried creating the _acme-challenge.arcade.example.com TXT entry in cloudflare and the error continues.

This makes it sound like you haven't set the environment variables for your Cloudflare credentials correctly, or perhaps you have an incorrectly-scoped API token. And there's no reason to set --dnssleep that high; the default of 120 seconds is more than enough for Cloudflare.


That was it, thanks. I had used one of the CF API scripts to gather the CF_Account_ID, and it must have been some sub-account ID or something else. I didn't realize the proper account ID was right on the main CF dashboard page.

curl -X GET "https://api.cloudflare.com/client/v4/user" \
        -H "X-Auth-Email: alex@example.com" \
        -H "X-Auth-Key: f958bdce9b7830xxx2aa30fb3c621ac01b705" \
        -H "Content-Type: application/json"

Is that not the proper way to get the account ID?

I've not had occasion to try to get the account ID using their API, but if it doesn't match what's on the dashboard page, apparently not.

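A pre-flight script for the credential problem this thread ran into, added here as an example and not the poster's or acme.sh's own code. It assumes the variable names the dns_cf hook reads (CF_Token, CF_Account_ID, CF_Key, CF_Email), the Cloudflare v4 endpoints /user/tokens/verify and /zones, and a CF_PREFLIGHT_DOMAIN variable that is chosen here just to name the zone to check; the offline helpers work on a /zones response body so the account-id mismatch can be checked without a live call.

```shell
#!/bin/sh
# Added example: pre-flight check for acme.sh --dns dns_cf credentials. Assumes the
# variables the dns_cf hook reads: CF_Token + CF_Account_ID, or CF_Key + CF_Email.
set -u
CF_API="https://api.cloudflare.com/client/v4"

# Print which credential set is complete, or fail if neither is.
cf_cred_mode() {
  if [ -n "${CF_Token:-}" ] && [ -n "${CF_Account_ID:-}" ]; then echo token
  elif [ -n "${CF_Key:-}" ] && [ -n "${CF_Email:-}" ]; then echo global-key
  else echo "set CF_Token+CF_Account_ID or CF_Key+CF_Email" >&2; return 1
  fi
}

# GET an API path with whichever credential set is present.
cf_get() {
  if [ -n "${CF_Token:-}" ]; then
    curl -sS "$CF_API/$1" -H "Authorization: Bearer $CF_Token"
  else
    curl -sS "$CF_API/$1" -H "X-Auth-Email: $CF_Email" -H "X-Auth-Key: $CF_Key"
  fi
}

# Pull the owning account id out of a GET /zones?name=<zone> response body, shaped
# {"result":[{"id":"..","name":"..","account":{"id":".."}}],...}; sed instead of jq
# so it runs without extra tooling.
zone_account_id() {
  printf '%s' "$1" | tr -d '\n ' | sed -n 's/.*"account":{"id":"\([0-9a-f]*\)".*/\1/p'
}

# The "invalid domain" failure in this thread: dns_cf filters its zone lookup by
# CF_Account_ID, so a wrong id returns no zone at all.
check_zone_account() {   # $1 = /zones JSON, $2 = CF_Account_ID in use
  got=$(zone_account_id "$1")
  [ -n "$got" ] && [ "$got" = "$2" ]
}
# Live check, run only when CF_PREFLIGHT_DOMAIN (a name chosen here) is set, e.g.
#   CF_Token=... CF_Account_ID=... CF_PREFLIGHT_DOMAIN=example.com sh cf_preflight.sh
if [ -n "${CF_PREFLIGHT_DOMAIN:-}" ]; then
  mode=$(cf_cred_mode) || exit 1
  # /user/tokens/verify reports whether a scoped token is active before acme.sh uses it
  [ "$mode" = token ] && { cf_get user/tokens/verify; echo; }
  zones=$(cf_get "zones?name=$CF_PREFLIGHT_DOMAIN")
  if [ -n "${CF_Account_ID:-}" ] && ! check_zone_account "$zones" "$CF_Account_ID"; then
    echo "CF_Account_ID=$CF_Account_ID, but the zone belongs to '$(zone_account_id "$zones")'" >&2
    exit 1
  fi
  echo "ok: $CF_PREFLIGHT_DOMAIN found with $mode credentials"
fi
```

When the account id printed on the mismatch line is the one shown on the Cloudflare dashboard, that is the value to put in CF_Account_ID before re-running acme.sh.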
