Error: access denied to install certbot-dns-cloudflare

My domain is: and I would like to install the dns-cloudflare plugin to automatically renew my wildcard certificate, however when I try to install the certbot-dns-cloudflare plugin running command: sudo snap install certbot-dns-cloudflare I get an error

error: access denied
Only connect this interface if you trust the plugin author to have root on the system.
Run snap set certbot trust-plugin-with-root=ok to acknowledge this and then run this command again to perform the connection.
If that doesn't work, you may need to remove all certbot-dns-* plugins from the system, then try installing the certbot snap again.

I already followed the steps of Certbot - Debianstretch Apache

My web server is :
Server version: Apache/2.4.25 (Debian)
Server built: 2021-07-09T08:12:34

The operating system my web server runs on is:
Debian GNU/Linux 9.13 (stretch)|
Codename: stretch

My hosting provider, is:

I can login to a root shell on my machine: Yes

I'm using a control panel to manage my site: No

The version of my client is: certbot 1.17.0

Thanks for you attention.

Hi @campari, and welcome to the LE community forum :slight_smile:

Did you completely follow Step #3 and Step #4?

Also: Without added LTS, Deb9 is past EOL.

This is unfortunately a bug that appeared recently on Debian Stretch.

We plan to have a workaround for it in time for Certbot 1.18, but until then you may need to use the pip instructions instead.

Yes, i completed step #3 and #4. The output to the command $sudo snap list is

Name Version Rev Tracking Publisher Notes
certbot 1.17.0 1280 latest/stable certbot-effâś“ classic
core 16-2.51.3 11420 latest/stable canonicalâś“ core
core20 20210702 1081 latest/stable canonicalâś“ base
hello-world 6.4 29 latest/stable canonicalâś“ -

1 Like

Would you can put the link with the "pip instructions"?

Thank you for your attention

1 Like

The pip instructions are here.

1 Like

Thank you.

1 Like

I did all steps the pip instructions but when i run command sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /home/campari/certs/.token/cf-api-token.ini -d * -d -i apache

appear this output:

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certbot: error: unrecognized arguments: --dns-cloudflare-credentials

Do you think the best thing to do is upgrade to Debian 10 or 11?

Did you remove the Certbot snap before installing the pip-based one? It sounds maybe like the certbot in your $PATH is from some other installation method.

If you ran:

/opt/certbot/bin/pip install certbot-dns-cloudflare

You should see Cloudflare listed if you run:

/opt/certbot/bin/certbot plugins

and you shouldn't get that error.

Upgrading to Debian Buster is up to you, but it isn't strictly necessary to get this working.

1 Like

I didn't uninstall certbot snap, but when i run command /opt/certbot/bin/certbot plugins, i see the plugin dns-cloudflare.

  • apache
    Description: Apache Web Server plugin
    Interfaces: IAuthenticator, IInstaller, IPlugin
    Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
  • dns-cloudflare
    Description: Obtain certificates using a DNS TXT record (if you are using
    Cloudflare for DNS).
    Interfaces: IAuthenticator, IPlugin
    Entry point: dns-cloudflare =
  • standalone
    Description: Spin up a temporary webserver
    Interfaces: IAuthenticator, IPlugin
    Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
  • webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot._internal.plugins.webroot:Authenticator

should I uninstall certbot snap?

Yeah. If you're using the pip-installed version of Certbot, it is a substitute for the Certbot snap.

Afterwards, don't forget the step in the instructions to then put the pip-installed Certbot into your PATH:

sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
1 Like

Ok. I will remove everything and redo the steps.

PS.: I didi this step sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot.

Okay. It worked.

Thank you very much folks.

Best wishes.

1 Like

@_az It seems step 4 of the pip instructions are just refering to certbot-auto and OS installed certbot packages. Probably should include snap too.


Thanks, created a change for that.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.