Cloudflare dns plugin out of date, what to do?

I've been happily using the certbot snap for over a year, but at some point recently, it has started failing to renew, due to the cloudflare plugin becoming out of date. I've included the form info below, but it seems to be pretty obvious what the problem is. I opened an issue in the certbot-dns-cloudflare github, but it's been a week with no reply (and the repo itself sees very little activity). Is there some other way to contact the maintainers of the plugin? How hard would it be to update the plugin myself and replace the version running on my server? In the meantime, is there an easy way to manually update my cert with certbot without blowing away my existing auto-renew configuration?

My domain is:
counterpop.net

I ran this command:
certbot renew --dry-run

It produced this output:
The following plugins are using an outdated python version and must be updated to be compatible with Certbot 3.0. Please see Certbot 3.0 Could Have Potential Third Party Snap Breakages for more information:

  • certbot-dns-cloudflare
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/counterpop.net.conf


Failed to renew certificate counterpop.net with error: The requested dns-cloudflare plugin does not appear to be installed


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/counterpop.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Apache 2.4.41

The operating system my web server runs on is (include version):
Linux (Ubuntu 20.04.6 LTS)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 3.1.0

I think that is just Cloudflare doing a mirror of the official plugin, which is nested under the Certbot repo here:

3 Likes

I am not a Certbot packaging expert but I thought the Cloudflare plugin was supported by the EFF Certbot team. Their github is here: GitHub - certbot/certbot: Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

You might have better luck posting there. We haven't seen any issues quite like this and that plugin is popular so I'm not sure what to suggest. There are other volunteers here who are more familiar with Certbot snap and plugins so there's hope from this forum too 🙂

You could do a one-off --manual --preferred-challenges dns to get a cert. But, yes, care must be taken so you don't break the auto-renew once it resumes. Maybe use the --cert-name OneTimeCert option to get the cert alongside your existing one, and manually update the Apache config for the new cert path accordingly.

I see recently you used Cloudflare proxy although are not now. With proxy you could look at using their Origin CA cert for your Apache Origin server. This avoids needing Certbot at all.

Also, Apache has mod_md which is an acme-client built-in to it. You could consider using that to get a Let's Encrypt cert (or from other CA). mod_md - Apache HTTP Server Version 2.4

2 Likes

For general setup (certbot via snap) see

Check you have run sudo snap set certbot trust-plugin-with-root=ok and sudo snap install certbot-dns-cloudflare, and check you have set up your credentials file.

1 Like

An update for anybody that ends up here due to searching: my problem ended up being an issue with snap where it can't refresh some snaps for some reason when /home is a symlink (on this particular machine, it was a subdirectory on a separate VM disk), so the version of certbot-dns-cloudflare was stuck at 2.1.0. I ended up fixing this issue by adding an "rbind" fstab entry for /home instead of using a symlink.

2 Likes
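The two practical checks that came up in this thread (the plugin snap and its trust setting plus the credentials file in the setup reply, and the symlinked /home that turned out to be the root cause in the final update) can be scripted so they are run before every renewal rather than discovered after a failed cron job. The script below is an added example written for this page; it is not code from the thread, from Certbot, or from the plugin. The credentials path /etc/letsencrypt/cloudflare.ini, the return codes, and the fstab layout in the suggestion are assumptions; the only real interfaces used are the snap, stat, grep and readlink commands and the dns_cloudflare_* keys the plugin reads from its credentials file.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot: pre-renewal sanity
# checks for a snap-based certbot + certbot-dns-cloudflare install.
# CREDS path is an assumption; point it at your own credentials file.
CREDS="${CREDS:-/etc/letsencrypt/cloudflare.ini}"

# check_cloudflare_creds FILE
# Returns 0 when FILE is usable by the plugin: it exists, is not readable by
# group/other, and carries either a scoped API token (dns_cloudflare_api_token)
# or the legacy email + global API key pair. Non-zero codes (assumed here):
# 1 missing, 2 permissions too open, 3 no dns_cloudflare_* credentials inside.
check_cloudflare_creds() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) ;;   # 600, 400, 700...: only the owner can read it
        *) echo "too open ($mode): chmod 600 $f" >&2; return 2 ;;
    esac
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$f"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*dns_cloudflare_email[[:space:]]*=' "$f" &&
       grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$f"; then
        echo "note: global API key in use; a DNS-scoped API token is preferable" >&2
        return 0
    fi
    echo "no dns_cloudflare_* credentials found in $f" >&2
    return 3
}

# plugin_snap_status
# Confirms the plugin snap is installed, that certbot has been told to trust
# third-party plugins, and shows any refresh snapd still has pending for it.
# Returns 1 if the plugin snap (or snap itself) is absent, 2 if the trust
# setting is not "ok".
plugin_snap_status() {
    command -v snap >/dev/null 2>&1 || { echo "snap not available" >&2; return 1; }
    if ! snap list certbot-dns-cloudflare >/dev/null 2>&1; then
        echo "run: sudo snap install certbot-dns-cloudflare" >&2
        return 1
    fi
    snap list certbot-dns-cloudflare | awk 'NR==2 {print "plugin version:", $2}'
    trust=$(snap get certbot trust-plugin-with-root 2>/dev/null)
    if [ "$trust" != "ok" ]; then
        echo "run: sudo snap set certbot trust-plugin-with-root=ok" >&2
        return 2
    fi
    # A version stuck behind the store's is what the original poster hit.
    snap refresh --list 2>/dev/null | grep certbot || true
    return 0
}

# home_symlink_check [DIR]
# The root cause reported at the end of the thread: snapd could not refresh
# the plugin while /home was a symlink. Returns 1 and prints a bind-mount
# fstab line (layout assumed) if DIR is a symlink, 0 otherwise.
home_symlink_check() {
    d="${1:-/home}"
    if [ -L "$d" ]; then
        target=$(readlink -f "$d")
        echo "$d is a symlink to $target; snapd may refuse to refresh snaps" >&2
        echo "replace the symlink with a bind mount, e.g. in /etc/fstab:" >&2
        echo "$target $d none rbind 0 0" >&2
        return 1
    fi
    return 0
}

# Run all checks, then a simulated renewal, only when invoked with RUN_CHECKS=1
# (so sourcing the file for its functions has no side effects).
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    status=0
    check_cloudflare_creds "$CREDS" || status=1
    plugin_snap_status || status=1
    home_symlink_check /home || status=1
    [ "$status" -eq 0 ] && certbot renew --dry-run
    exit "$status"
fi
```

Run it as `sudo RUN_CHECKS=1 sh precheck.sh`; it stops before the dry run if any check fails, and each failing check prints the command or fstab line that fixes it. The permission test deliberately accepts only modes whose group and other bits are zero, since the credentials file grants write access to your DNS zone.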