Certbot hangs indefinitely when using Cloudflare DNS challenge

My domain is:
mrsn.tech

I ran this command:
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/.secrets/cloudflare.ini --dns-cloudflare-propagation-seconds 60 --preferred-challenge dns-01 --agree-tos -d mrsn.tech,*.mrsn.tech --cert-name mrsn.tech --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for mrsn.tech and *.mrsn.tech
…

My web server is (include version):
Apache/2.4.57 (Debian)

The operating system my web server runs on is (include version):
Ubuntu 22.04.3 LTS / Docker

My hosting provider, if applicable, is:
Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0


I am trying to issue a wildcard certificate using the DNS challenge with Cloudflare. I created an API token with Cloudflare and used their suggested curl script to confirm the token works.

curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
     -H "Authorization: Bearer API_TOKEN_HERE" \
     -H "Content-Type:application/json"

However, when I run the certbot command above (dry-run), the process hangs indefinitely / gets stuck at "Simulating a certificate request for mrsn.tech and *.mrsn.tech". In one of my attempts, I started the process and walked away for about three hours, and in that time it never progressed.

The log file (/var/log/letsencrypt/letsencrypt.log) shows the process hanging on this last line before I kill it.

2024-01-04 20:21:39,633:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-01-04 20:21:39,633:INFO:certbot._internal.auth_handler:dns-01 challenge for mrsn.tech
2024-01-04 20:21:39,633:INFO:certbot._internal.auth_handler:dns-01 challenge for mrsn.tech
2024-01-04 20:21:39,637:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443

Just for sanity, I ran certbot manually without the Cloudflare DNS challenge and it went as fast as I would expect, about 1-2 minutes (including the time to manually update the DNS TXT records). The issue is certainly due to the Cloudflare DNS challenge.

I installed the Cloudflare DNS plugin with:
apt install python3-certbot-dns-cloudflare

I welcome any advice, because I'm banging my head against the wall at this point.

2 Likes
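A preflight script for this situation, added here as an example (it is not code from the original post, from Certbot, or from the certbot-dns-cloudflare plugin). The debug log stops right at "Starting new HTTPS connection (1): api.cloudflare.com:443", so the script checks the things that sit in front of that call: the credentials file the plugin reads (either `dns_cloudflare_api_token = ...` or the legacy `dns_cloudflare_email` / `dns_cloudflare_api_key` pair, which are the keys the plugin documents), its file permissions, whether TCP 443 to api.cloudflare.com can be opened at all, and the token's validity via the same `/user/tokens/verify` endpoint as the curl command above. Every network step carries a hard timeout so a connectivity problem shows up as an error within seconds instead of an indefinite hang. The default path and the placeholder string `API_TOKEN_HERE` are taken from the post; the function names are this example's own.

```python
"""Preflight checks before running certbot --dns-cloudflare (added example)."""
import configparser
import json
import os
import socket
import stat
import urllib.error
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"  # same API base as the curl check


def parse_credentials(text: str) -> dict:
    """Parse a certbot dns-cloudflare credentials file (key = value lines).

    The file has no INI section header, so one is prepended for configparser.
    """
    cp = configparser.ConfigParser()
    cp.read_string("[cf]\n" + text)
    return dict(cp["cf"])


def check_credentials(creds: dict) -> list:
    """Return a list of problems with the parsed credentials (empty means OK)."""
    problems = []
    token = creds.get("dns_cloudflare_api_token", "")
    email = creds.get("dns_cloudflare_email")
    key = creds.get("dns_cloudflare_api_key")
    if token:
        if email or key:
            problems.append("both an API token and the legacy email/key are set; keep only the token")
        if token == "API_TOKEN_HERE" or any(c.isspace() for c in token):
            problems.append("dns_cloudflare_api_token looks like a placeholder or contains whitespace")
    elif email and key:
        problems.append("legacy global API key in use; a scoped token (Zone:DNS:Edit) is preferable")
    else:
        problems.append("no dns_cloudflare_api_token and no dns_cloudflare_email/dns_cloudflare_api_key pair")
    return problems


def check_file_mode(path: str) -> list:
    """Flag a credentials file readable by group or other (certbot warns about this too)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {mode:03o}; run chmod 600 on it"]
    return []


def tcp_reachable(host: str, port: int, timeout: float) -> bool:
    """Bounded TCP connect. A stall here is what the plugin's hang looks like from outside."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, DNS failure, or timeout
        return False


def verify_token(token: str, timeout: float = 10.0) -> dict:
    """GET /user/tokens/verify with a hard timeout; returns Cloudflare's JSON body.

    On a transport failure a dict with success=False and an 'error' string is returned.
    """
    req = urllib.request.Request(
        f"{CF_API}/user/tokens/verify",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:  # e.g. 401 for a bad token; body is still JSON
        try:
            return json.loads(exc.read().decode())
        except ValueError:
            return {"success": False, "error": f"HTTP {exc.code}"}
    except OSError as exc:  # timeout, DNS failure, connection refused
        return {"success": False, "error": str(exc)}


def preflight(path: str, timeout: float = 10.0) -> list:
    """Run all checks against a credentials file; returns the list of problems found."""
    problems = check_file_mode(path)
    with open(path, encoding="utf-8") as fh:
        creds = parse_credentials(fh.read())
    problems += check_credentials(creds)
    if not tcp_reachable("api.cloudflare.com", 443, timeout):
        problems.append("cannot open TCP 443 to api.cloudflare.com within the timeout; "
                        "check egress and DNS from this host or container")
    elif creds.get("dns_cloudflare_api_token"):
        result = verify_token(creds["dns_cloudflare_api_token"], timeout)
        if not result.get("success"):
            problems.append(f"token verify failed: {result.get('errors') or result.get('error')}")
    return problems


if __name__ == "__main__":
    import sys
    cred_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/.secrets/cloudflare.ini"
    for problem in preflight(cred_path):
        print("PROBLEM:", problem)
    print("preflight finished")
```

Run it as root with the same credentials path you pass to `--dns-cloudflare-credentials`. If `tcp_reachable` fails, the problem is network egress from the machine (or the container) rather than the plugin; if the token check fails, the JSON `errors` array from Cloudflare says why; if everything passes and certbot still stalls, the stall is somewhere after the API connection is opened, which narrows what to look for in the debug log.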

Hi @iTim314, and welcome to the LE community forum :)

Has that ever worked for you before with CF DNS plugin?
If not, I'd say try updating that to a newer version.

2 Likes

I falsely assumed I was running the latest version, as apt install --only-upgrade certbot shows certbot is already the newest version (1.21.0-1build1).

I tried running add-apt-repository ppa:certbot/certbot, and curiously, it indefinitely hangs. I have to ctrl+c to kill it.

See: Certbot Instructions | Certbot (eff.org)

1 Like

Thanks. I now have certbot 2.8.0.

However, the problem seemingly persists. It is still not progressing past Simulating a certificate request for mrsn.tech and *.mrsn.tech.

1 Like

Did you uninstall the previous stuff?
[including the old plugin]

2 Likes

Well... no. I did not.

But I just did:

apt remove certbot
apt autoremove -y
ln -s /snap/bin/certbot /usr/bin/certbot
snap set certbot trust-plugin-with-root=ok
snap install certbot-dns-cloudflare

Now certbot --version shows 2.8.0 and I'm (more) confident the right software is installed. But it still appears to be hung at "Simulating a certificate request…"

Well, the script has finally worked. It took about 5 minutes, but the dry-run and the actual issuance finally worked.

Thank you for all your help!

4 Likes
