Cloudflare certbot renew from conf file inoperative


#1

We have been trying to renew certs via certbot and Cloudflare DNS. Although command-line execution works fine, when we run certbot using a command file for the cert, we get the error:

Input the path to your Cloudflare credentials INI file

All config files are in place and contain the proper variables.

Any ideas???

/etc/letsencrypt/renewal/myserver.mydomain.com.conf

[renewalparams]
authenticator = dns-cloudflare
dns-cloudflare-credentials = /etc/letsencrypt/cloudflare.ini
dns-cloudflare-propagation-seconds = 60
preferred-challenges=dns
account = ****************************
server = https://acme-v02.api.letsencrypt.org/directory

/etc/letsencrypt/cloudflare.ini

dns_cloudflare_email = test@test.com
dns_cloudflare_api_key = ***************************************

conf file processing output

Processing /etc/letsencrypt/renewal/myserver.mydomain.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for myserver.mydomain.com
Cleaning up challenges
Attempting to renew cert (myserver.mydomain.com) from /etc/letsencrypt/renewal/myserver.mydomain.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the path to your Cloudflare credentials INI file. Skipping.

My operating system is (include version):

CentOS 7

Certbot version:

0.31.0

I installed Certbot with (certbot-auto, OS package manager, pip, etc):

yum

I ran this command and it produced this output:

certbot renew --dry-run

Certbot’s behavior differed from what I expected because:

Configuration file provided but reported not found when configuration file is processed

Here is a Certbot log showing the issue (if available):

Logs are stored in /var/log/letsencrypt by default. Feel free to redact domains, e-mail and IP addresses as you see fit.

2019-03-05 18:11:14,084:WARNING:certbot.renewal:Attempting to renew cert (myserver.mydomain.com) from /etc/letsencrypt/renewal/myserver.mydomain.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the path to your Cloudflare credentials INI file. Skipping.
2019-03-05 18:11:14,085:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1193, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py", line 47, in perform
    self._setup_credentials()
  File "/usr/lib/python2.7/site-packages/certbot_dns_cloudflare/dns_cloudflare.py", line 47, in _setup_credentials
    'api-key': 'API key for Cloudflare account, obtained from {0}'.format(ACCOUNT_URL)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py", line 168, in _configure_credentials
    self._configure_file(key, label, __validator)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py", line 138, in _configure_file
    new_value = self._prompt_for_file(label, validator)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py", line 230, in _prompt_for_file
    force_interactive=True)
  File "/usr/lib/python2.7/site-packages/certbot/display/ops.py", line 372, in validated_directory
    validator, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/certbot/display/ops.py", line 329, in _get_validated
    code, raw = method(message, default=default, **kwargs)
  File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 583, in directory_select
    return self.input(message, default, cli_flag)
  File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 524, in input
    self._interaction_fail(message, cli_flag)
  File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 469, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Input the path to your Cloudflare credentials INI file


#2

Did you write this file by hand? The parameter names are (unfortunately) not the same as the ones used for the CLI.

--preferred-challenges becomes pref_challs.

--dns-cloudflare-credentials becomes dns_cloudflare_credentials

etc

These parameters get written automatically every time you issue or renew a certificate successfully over the command line.

Modifying the file is not recommended except in limited situations.
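
An added example, not part of the thread and not Certbot's own code: a small linter that flags CLI-style key names inside the [renewalparams] section of a hand-edited renewal file and suggests the stored name. It assumes stored keys are the flag name with hyphens turned into underscores, plus the pref_challs exception named above; it checks key names only, not values, and the function name lint_renewal_conf is hypothetical.

```python
import re

# Exception named in the thread: the stored key is not simply the flag
# with underscores. Both spellings of the long name map to pref_challs.
RENAMED = {"preferred-challenges": "pref_challs",
           "preferred_challenges": "pref_challs"}


def lint_renewal_conf(text):
    """Return (line_no, key, suggested_key) for CLI-style keys in [renewalparams]."""
    findings = []
    section = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Section headers; nested ones such as [[webroot_map]] hold domain
        # names as keys, so they are tracked and then skipped below.
        header = re.match(r"\[+\s*([^\]]+?)\s*\]+$", line)
        if header:
            section = header.group(1)
            continue
        if section != "renewalparams" or "=" not in line:
            continue  # top-level keys (cert, privkey, ...) are not checked
        key = line.split("=", 1)[0].strip()
        flag = key.lstrip("-")  # tolerate a pasted "--flag"
        suggested = RENAMED.get(flag, flag.replace("-", "_"))
        if suggested != key:
            findings.append((no, key, suggested))
    return findings


# Constructed sample: the [renewalparams] block from post #1, with the
# redacted account value replaced by a placeholder.
SAMPLE = """\
[renewalparams]
authenticator = dns-cloudflare
dns-cloudflare-credentials = /etc/letsencrypt/cloudflare.ini
dns-cloudflare-propagation-seconds = 60
preferred-challenges=dns
account = PLACEHOLDER
server = https://acme-v02.api.letsencrypt.org/directory
"""

if __name__ == "__main__":
    for no, key, fix in lint_renewal_conf(SAMPLE):
        print(f"line {no}: '{key}' is a CLI-style name; renewal files use '{fix}'")
```
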


#3

You’re right… I had modified the file by hand but I could not locate a way to regenerate it.

With your suggestions, everything worked out fine! Thank you!