I've been using "certbot --manual --preferred-challenges dns certonly" for many years, updating my domains every 90 days manually into cloudflare. Only two hosts in the domain have webservers associated with them - the rest are mail and other types of servers that need certs. I've recently learned it's possible to use acme.sh to automate the process using the cloudflare API.
I've managed to properly authenticate to the cloudflare API in my account, but am now receiving timeouts when trying to communicate with the CA. I was using the default zerossl CA, but it was always timing out when "The CA is processing your order":
[Mon Sep 5 07:51:15 PM EDT 2022] Verifying: arcade.example.com
[Mon Sep 5 07:51:19 PM EDT 2022] Processing, The CA is processing your order, please just wait. (1/30)
...
[Mon Sep 5 07:54:23 PM EDT 2022] arcade.example.com:Timeout
[Mon Sep 5 07:54:23 PM EDT 2022] Please check log file for more details: /home/alex/.acme.sh/acme.sh.log
I saw a related thread from some time ago, and it reports constant problems with zerossl, so I changed the CA to letsencrypt:
$ ./acme.sh --set-default-ca --server letsencrypt
[Mon Sep 5 07:57:36 PM EDT 2022] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
Except now it reports a different error, like it's checking the website for proper authorization instead of just using DNS:
[Mon Sep 5 07:38:34 PM EDT 2022] arcade.example.com:Verify error:107.155.22.2: Fetching http://arcade.example.com/.well-known/acme-challenge/nMn0BPYdI2jtsl1HWA-6wLWs2NAPnshrzNMYfVB3zpc: Error getting validation data
[Mon Sep 5 07:38:35 PM EDT 2022] Please check log file for more details: /home/alex/.acme.sh/acme.sh.log
I'm not sure what to do next. How do I specify I want to do DNS only?
Thanks so much for your help. I should have been more clear, and provided the commands I am currently using. I've already figured out how to authenticate to the cloudflare API and use it to try and create the certs, I believe.
This is the command I am running that results in the error messages I've provided above:
This makes it sound like you haven't set the environment variables for your Cloudflare credentials correctly, or perhaps you have an incorrectly-scoped API token. And there's no reason to set --dnssleep that high; the default of 120 seconds is more than enough for Cloudflare.
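As an added illustration (not part of this thread, and not acme.sh's own code), here is a small POSIX sh wrapper that does the preflight the reply above describes before invoking acme.sh: it confirms the Cloudflare credentials that the dns_cf hook reads (CF_Token and CF_Account_ID) are exported, checks that the account ID has the 32-hex-character shape Cloudflare uses so a pasted sub-account or other value is caught early, and then builds an issue command that pins the DNS-01 challenge with --dns dns_cf and the Let's Encrypt endpoint with --server letsencrypt. The install path ~/.acme.sh/acme.sh and the hostnames are assumptions; --dnssleep is left at its default, as the reply recommends.

```shell
#!/bin/sh
# Added example, not code from the thread or from acme.sh itself.
# Assumes acme.sh is installed at ~/.acme.sh/acme.sh and that the Cloudflare
# API token (CF_Token) and account ID (CF_Account_ID) are exported; these are
# the variables acme.sh's dns_cf hook reads. The token only needs
# Zone:DNS:Edit and Zone:Zone:Read on the zones being validated.

# Return 0 if both credentials are set, else list the missing names on stderr.
cf_check_env() {
  cf_missing=""
  [ -n "${CF_Token:-}" ] || cf_missing="$cf_missing CF_Token"
  [ -n "${CF_Account_ID:-}" ] || cf_missing="$cf_missing CF_Account_ID"
  if [ -n "$cf_missing" ]; then
    echo "missing:$cf_missing" >&2
    return 1
  fi
  return 0
}

# Cloudflare account and zone IDs are 32 lowercase hex characters; reject
# anything else before talking to the CA so the failure is local and obvious.
cf_looks_like_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Print the acme.sh command for a DNS-01 issue of one or more names.
# --dns dns_cf selects the DNS challenge, so no HTTP fetch of
# /.well-known/acme-challenge/ is attempted for mail or other non-web hosts.
acme_dns01_cmd() {
  acme_domain="$1"
  shift
  acme_cmd="$HOME/.acme.sh/acme.sh --issue --server letsencrypt --dns dns_cf -d $acme_domain"
  for acme_extra in "$@"; do
    acme_cmd="$acme_cmd -d $acme_extra"
  done
  printf '%s\n' "$acme_cmd"
}

# Preflight, then run acme.sh with the given hostnames.
main() {
  cf_check_env || exit 1
  if ! cf_looks_like_id "$CF_Account_ID"; then
    echo "CF_Account_ID does not look like a Cloudflare account ID" >&2
    exit 1
  fi
  echo "running: $(acme_dns01_cmd "$@")" >&2
  "$HOME/.acme.sh/acme.sh" --issue --server letsencrypt --dns dns_cf \
    $(for d in "$@"; do printf -- '-d %s ' "$d"; done)
}

# Usage: sh acme-cf.sh arcade.example.com mail.example.com
# Only runs when hostnames are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Sourcing the file lets the checks be exercised without issuing anything; running it with hostnames performs the preflight and then a single acme.sh call that covers every name in one certificate.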
That was it, thanks. I had used one of the CF API scripts to gather the CF_Account_ID, and it must have been some sub-account ID or something else. I didn't realize the proper account ID was right on the main CF dashboard page.