Hi all, I am trying to get a certificate, but something is going wrong.
I cannot understand why since it was working until a couple of days ago:
My domain is: lmenet.online
I ran this command:
certbot -v certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d dietwyse.lmenet.online
It produced this output:
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.14.2)
My web server is (include version): No web
The operating system my web server runs on is (include version): Debian 10 64bit
My hosting provider, if applicable, is: Cloudflare
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0
Hello, thanks for your answer.
I can confirm my token is valid:
root@wyse:~# curl "https://api.cloudflare.com/client/v4/user/tokens/verify" -H "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
{"result":{"id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","status":"active"},"success":true,"errors":[],"messages":[{"code":10000,"message":"This API Token is valid and active","type":null}]}
This is the log:
2023-12-12 19:58:18,225:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2023-12-12 19:58:19,068:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=nas.lmenet.online&per_page=1 HTTP/1.1" 400 None
2023-12-12 19:58:19,122:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot-dns-cloudflare/current/lib/python3.8/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 198, in _find_zone_id
zones = self.cf.zones.get(params=params) # zones | pylint: disable=no-member
File "/snap/certbot-dns-cloudflare/current/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 705, in get
return self._base.do_auth('GET', self._parts, [identifier1, identifier2, identifier3, identifier4], params, data)
File "/snap/certbot-dns-cloudflare/current/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 145, in do_auth
return self._call(method, headers, parts, identifiers, params, data, files)
File "/snap/certbot-dns-cloudflare/current/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 533, in _call
raise CloudFlareAPIError(code, message, error_chain)
CloudFlare.exceptions.CloudFlareAPIError: Invalid request headers
I already shared my idea, and you indicated that was not the case. Did you test creating a DNS record with that token to confirm its permissions?
I use DNS-01 challenge with Cloudflare, but I don't use certbot with that method, so I have no reference environment from which to offer any further suggestions.
Hello, and thank you first of all
Secondly, to be honest, I use Certbot because I've never found (or honestly, even looked for) other alternatives.
May I ask what you use?
Maybe the one you use won't give me any problems.
I use mod_md with web sites that are on Apache servers. They use ALPN-01 challenges unless they are proxied by Cloudflare, in which case they use HTTP-01.
I only use certbot with HTTP-01 currently.
My DNS-01 challenges are handled by acme.sh running on pfSense. Thinking about it, none use Cloudflare DNS for Let's Encrypt. Even though client domains use Cloudflare DNS, the pfSense all use some of my domains that are on another provider.
While I do have domains with Cloudflare DNS that I could use to run a test, I don't have the time available right now.
I suggest testing your API token using curl to ensure that you are able to successfully create a DNS record with it. You need that answer no matter what client you use.
Okay, I've solved it.
As unbelievable as it may seem, I read the documentation dozens of times, but I kept mixing up the names of the variables between:
"Example credentials file using restricted API Token (recommended)"
and
"Example credentials file using Global API Key (not recommended)"
So, I was creating an API TOKEN type key and saving it in the file as dns_cloudflare_api_key.
It's unbelievable, I kept re-reading everything and nothing was working.
I realized the mistake on the hundredth read, almost by accident... and now it works!!!
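A preflight check for the credentials file, added here as an example and not part of the thread or of certbot itself: it reads the INI file that `--dns-cloudflare-credentials` points at, reports which of the two forms from the certbot documentation (`dns_cloudflare_api_token` for a restricted API Token, `dns_cloudflare_email` plus `dns_cloudflare_api_key` for the Global API Key) the file declares, and flags the exact mix-up above, an API Token saved under the Global API Key name. It also covers the earlier advice to verify the credential before running any client, by showing which HTTP headers each form turns into. The header mapping and the "Global API Key is lowercase hex" heuristic are assumptions stated in the comments, and the sample files are constructed placeholders, not real credentials.

```python
"""Preflight check for a certbot-dns-cloudflare credentials file.

Added example, not certbot's or the python-cloudflare library's own code.
The header mapping and the key-shape heuristic are assumptions; the sample
files at the bottom are constructed placeholders, not real credentials.
"""
import configparser
import os
import stat
import tempfile

TOKEN_KEY = "dns_cloudflare_api_token"   # restricted API Token (recommended form)
GLOBAL_KEY = "dns_cloudflare_api_key"    # Global API Key (not recommended form)
EMAIL_KEY = "dns_cloudflare_email"       # required alongside the Global API Key
HEX_DIGITS = set("0123456789abcdef")


def parse_credentials(text):
    """Parse a certbot credentials file (key = value lines, no section header)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[certbot]\n" + text)  # configparser needs a section header
    return dict(cp["certbot"])


def auth_headers(creds):
    """Headers the Cloudflare v4 API expects for the declared credential form.

    Assumption: a token travels as a Bearer Authorization header, while the
    Global API Key travels as X-Auth-Email plus X-Auth-Key. A token stored
    under the api_key name is sent in the X-Auth-Key slot, which Cloudflare
    rejects as invalid request headers.
    """
    if TOKEN_KEY in creds:
        return {"Authorization": "Bearer " + creds[TOKEN_KEY]}
    if GLOBAL_KEY in creds and EMAIL_KEY in creds:
        return {"X-Auth-Email": creds[EMAIL_KEY], "X-Auth-Key": creds[GLOBAL_KEY]}
    raise ValueError("no complete Cloudflare credential found")


def check_credentials(text):
    """Return a list of problems; an empty list means the file is consistent."""
    creds = parse_credentials(text)
    if TOKEN_KEY not in creds and GLOBAL_KEY not in creds:
        return ["neither %s nor %s is set" % (TOKEN_KEY, GLOBAL_KEY)]
    problems = []
    if TOKEN_KEY in creds and GLOBAL_KEY in creds:
        problems.append("both forms set; keep only one of them")
    if GLOBAL_KEY in creds:
        if EMAIL_KEY not in creds:
            problems.append("%s requires %s" % (GLOBAL_KEY, EMAIL_KEY))
        # Heuristic (assumption): Global API Keys are lowercase hex strings,
        # while API Tokens contain mixed-case letters, '_' or '-'.
        if not set(creds[GLOBAL_KEY]) <= HEX_DIGITS:
            problems.append("value under %s looks like an API Token; "
                            "store it as %s instead" % (GLOBAL_KEY, TOKEN_KEY))
    return problems


def file_mode_is_private(path):
    """True when the credentials file is readable by its owner only (0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def write_private(text):
    """Write a credentials file with mode 0600 and return its path."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)
    return path


# Constructed sample files (placeholder values, not real credentials).
WRONG = ("# API Token saved under the Global API Key name (the thread's mistake)\n"
         "dns_cloudflare_email = admin@example.invalid\n"
         "dns_cloudflare_api_key = AbC1_dEf-23xYz\n")
FIXED = "dns_cloudflare_api_token = AbC1_dEf-23xYz\n"
GLOBAL = ("dns_cloudflare_email = admin@example.invalid\n"
          "dns_cloudflare_api_key = " + "0123456789abcdef" * 2 + "01234\n")

if __name__ == "__main__":
    for name, text in (("wrong", WRONG), ("fixed", FIXED), ("global", GLOBAL)):
        problems = check_credentials(text)
        print(name, problems or "ok", auth_headers(parse_credentials(text)))
```

Run it against the real file with `check_credentials(open(path).read())` before calling certbot; the `WRONG` sample passes parsing and even produces a header set, which is why the library only fails once Cloudflare answers, exactly the zone lookup error in the log above.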