Adding more CF domains is not possible

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: multiple domains

I ran this command:

certbot -v certonly -d *.domain2.ext -d *.domain3.ext -d *.domain1.ext --server --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/domain2.ext-0001.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for *.domain2.ext and 2 more domains

It produced this output:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/domain2.ext-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/domain2.ext-0001/privkey.pem
This certificate expires on 2022-05-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

If you like Certbot, please consider supporting our work by:

But I have an issue with adding more domains to the certificate. I created a new DNS-api key for 6 domains and updated this in /root/.secrets/certbot/cloudflare.ini

When trying to add more domains via

certbot -v certonly -d *.domain1.ext -d *.domain2.ext -d *domain3.ext -d *.domain4.ext -d *.domain5.ext -d *.domain6.ext --server --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini --preferred-challenges dns-01

Results in

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None

You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/domain2.ext-0001.conf)

It contains these names: *.domain1.ext, *.domain2.ext,

You requested these names for the new certificate: *.domain1.ext,
*.domain2.ext, *.domain3.ext, *.domain4.ext, *.domain5.ext,

Do you want to expand and replace this existing certificate with the new

(E)xpand/(C)ancel: e
Renewing an existing certificate for *.domain1.ext and 5 more domains
Performing the following challenges:
dns-01 challenge for domain4.ext
dns-01 challenge for domain5.ext
dns-01 challenge for domain6.ext
Cleaning up challenges
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials.

Letsencrypt.log (error part)

2022-01-31 19:56:18,812:DEBUG:acme.client:Storing nonce: 0002CDwPhlqWH4xhIUzWkacG9-8SgkHwT9MxjXrP6OAxPao
2022-01-31 19:56:18,813:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-01-31 19:56:18,813:INFO:certbot._internal.auth_handler:dns-01 challenge for domain4.ext
2022-01-31 19:56:18,814:INFO:certbot._internal.auth_handler:dns-01 challenge for domain5.ext
2022-01-31 19:56:18,815:INFO:certbot._internal.auth_handler:dns-01 challenge for domain6.ext
2022-01-31 19:56:18,826:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1):
2022-01-31 19:56:19,789:DEBUG:urllib3.connectionpool: "GET /client/v4/zones?name=domain4.ext&per_page=1 HTTP/1.1" 400 None
2022-01-31 19:56:19,794:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/certbot_dns_cloudflare/_internal/", line 183, in _find_zone_id
zones = # zones | pylint: disable=no-member
File "/usr/local/lib/python3.6/site-packages/CloudFlare/", line 674, in get
params, data)
File "/usr/local/lib/python3.6/site-packages/CloudFlare/", line 128, in call_with_auth
params, data, files)
File "/usr/local/lib/python3.6/site-packages/CloudFlare/", line 498, in _call
raise CloudFlareAPIError(code, message, error_chain)
CloudFlare.exceptions.CloudFlareAPIError: Invalid request headers

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/certbot/_internal/", line 85, in handle_authorizations
resps = self.auth.perform(achalls)
File "/usr/lib/python3.6/site-packages/certbot/plugins/", line 76, in perform
self._perform(domain, validation_domain_name, validation)
File "/usr/local/lib/python3.6/site-packages/certbot_dns_cloudflare/_internal/", line 74, in _perform
self._get_cloudflare_client().add_txt_record(domain, validation_name, validation, self.ttl)
File "/usr/local/lib/python3.6/site-packages/certbot_dns_cloudflare/_internal/", line 106, in add_txt_record
zone_id = self._find_zone_id(domain)
File "/usr/local/lib/python3.6/site-packages/certbot_dns_cloudflare/_internal/", line 202, in _find_zone_id
.format(code, msg, hint))
certbot.errors.PluginError: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.8.15)

My problem: I can renew the 3 initial domains, but I run into a problem when adding 3 extra. No clue why, because I updated the DNS-API key (did throw away the initial key) so it includes the 6 domains.

I'm doing something wrong but I don't know what

My web server is (include version): Running Iredmail (latest)

The operating system my web server runs on is (include version): Centos 8

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

Hi @myhobby2,

It's worth noting that the

for your first forced-renewal attempt doesn't show that the Cloudflare API is working—in particular, if you got the original certificate recently enough, you can have cached authorization for those names on your account, so that they aren't revalidated with a new DNS token. So, it's conceivable that you have entirely the wrong token in your dns-cloudflare (one that doesn't have any relevant permissions).

I would double-check that you have the right token there and that it has all of the permissions that you expect. (I don't know a good Cloudflare API token testing script—we should make one!)


When using the --dry-run option, Certbot will invalidate any existing authorizations (on the staging server!) and try to authorize the hostnames for real. Note that any authorizations on the production server are still intact (I believe). Also note that testing should be done on the staging environment. Please don't issue certificates unnecessary from the production environment.


Thanks for your help/feedback.

I can confirm that:

sudo certbot --server -d *.domain1 (and all other domains) --manual --preferred-challenges dns-01 certonly

Works flawless.

I will do as suggested and see if I can dig up more conclusions. Due to the fact that I'm new to this area, I've two parallel processes as evidence in my system:

  • Letsencrypt dns-01 multiple updates via _acme-challenge &
  • Cloudflare update script

Currently my iredmail certificates are linked to cloudflare script output.

1 Like

So you issued a bunch of production certificates more?

Please DO use the staging environment!


Sorry for that. Was not intentional because I was not aware of this environment

1 Like

I only mentioned it 16 hours earlier :roll_eyes:

Using the --dry-run option, which uses the staging environment as a rule, is especially useful as also stated before, so your client will always use "fresh" authorizations instead of reusing previously validated ones.


Thanks for your input also. Much appreciated. I will start using the --dry-run option.

Although it is not an excuse, It is not always easy to find the straight forward / shortest route with new IT topics because things are getting more complex/less transparant due to constant improvements, different OS-es, different user requirements....

I document every step (and source) in a word document during this phase so I can reproduce steps/findings but there is often simply to much to read and more often completely new to starters like me. Nevertheless every-bodies help/effort is very much appreciated !


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.