Cloudfare blocking Certbot?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nebulonenergy.org

I ran this command:
sudo certbot certonly -v --dns-digitalocean --dns-digitalocean-credentials ~/.certbot/certbot-creds.ini -d nebulonenergy.org -d \*.nebulonenergy.org --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-digitalocean, Installer None
Cannot extract OCSP URI from /etc/letsencrypt/archive/nebulonenergy.org/cert7.pem
Certificate not due for renewal, but simulating renewal for dry run
Simulating renewal of an existing certificate for nebulonenergy.org and *.nebulonenergy.org
Performing the following challenges:
dns-01 challenge for nebulonenergy.org
dns-01 challenge for nebulonenergy.org
Cleaning up challenges
Error finding domain using the DigitalOcean API: Unable to authenticate you (Did you provide a valid API token?)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

/var/log/letsencrypt/letsencrypt.log contents:

2026-06-09 16:56:22,903:DEBUG:certbot._internal.main:certbot version: 2.9.0
...snipped....
2026-06-09 16:56:23,479:DEBUG:urllib3.connectionpool:https://api.digitalocean.com:443 "GET /v2/domains/?per_page=200 HTTP/1.1" 401 64
2026-06-09 16:56:23,480:DEBUG:certbot_dns_digitalocean._internal.dns_digitalocean:Error finding domain using the DigitalOcean API: Unable to authenticate you
...snipped...

Ran the following Curl command where $FOO is my newly created API token (full control)

curl -X GET -H "Authorization: Bearer $FOO" https://digitalocean.com
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version):
Ubuntu 24.04

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

Question: without resorting to proxies and proxychains, how can I keep cloudflare from blocking my attempt to renew the certificate. Thanks.

This doesn’t look like Cloudflare blocking Certbot. The relevant line is the DigitalOcean API response:

GET /v2/domains/?per_page=200 HTTP/1.1401

So Certbot is reaching api.digitalocean.com, but DigitalOcean rejects the token. I’d check two things first:

  1. In ~/.certbot/certbot-creds.ini, the line should be exactly dns_digitalocean_token = ... with no quotes or extra spaces from copying.
  2. Test the token against the API endpoint, not https://digitalocean.com:

curl -H "Authorization: Bearer $FOO" https://api.digitalocean.com/v2/domains

If that still gives 401, the token is wrong/expired/not copied fully. If it returns JSON but Certbot fails, then look at file permissions and whether Certbot is reading the credentials file you think it is.

Thanks for your help...

Recreated API key and put it in ~/.certbot/certbot-creds.ini.

The curl command you provided, works with the new key.

The problem was ~/.certbot was not resolving to correct place.

Thank you again for helping!