Error determining zone_id: 6003 Invalid request headers (cloudflare)

Hi all, I am trying to get a certificate, but something is going wrong.
I cannot understand why since it was working until a couple of days ago:

My domain is:

I ran this command:
ertbot -v certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d

It produced this output:
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.14.2)

My web server is (include version): No web

The operating system my web server runs on is (include version): Debian 10 64bit

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0

Any help appreciated


1 Like

Welcome to the Let's Encrypt Community.

Have you done this yet?

Are you using a properly scoped token?


Hallo, thx for your answer.
I can confirm my token is valid:
root@wyse:~# curl "" -H "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
{"result":{"id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","status":"active"},"success":true,"errors":,"messages":[{"code":10000,"message":"This API Token is valid and active","type":null}]}

This is the lg:
2023-12-12 19:58:18,225:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1):
2023-12-12 19:58:19,068:DEBUG:urllib3.connectionpool: "GET /client/v4/zones? HTTP/1.1" 400 None
2023-12-12 19:58:19,122:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot-dns-cloudflare/current/lib/python3.8/site-packages/certbot_dns_cloudflare/_internal/", line 198, in _find_zone_id
zones = # zones | pylint: disable=no-member
File "/snap/certbot-dns-cloudflare/current/lib/python3.8/site-packages/CloudFlare/", line 705, in get
return self._base.do_auth('GET', self._parts, [identifier1, identifier2, identifier3, identifier4], params, data)
File "/snap/certbot-dns-cloudflare/current/lib/python3.8/site-packages/CloudFlare/", line 145, in do_auth
return self._call(method, headers, parts, identifiers, params, data, files)
File "/snap/certbot-dns-cloudflare/current/lib/python3.8/site-packages/CloudFlare/", line 533, in _call
raise CloudFlareAPIError(code, message, error_chain)
CloudFlare.exceptions.CloudFlareAPIError: Invalid request headers

Any other idea?

No ideas at all?
Am I the only one with this issue?

I already shared my idea, and you indicated that was not the case. Did you test creating a DNS record with that token to confirm its permissions?

I use DNS-01 challenge with Cloudflare, but I don't use certbot with that method, so I have no reference environment from which to offer any further suggestions.


Hello, and thank you first of all :slight_smile:
Secondly, to be honest, I use Certbot because I've never found (or honestly, even looked for) other alternatives.
May I ask what you use?
Maybe the one you use won't give me any problems.

Thanks again.

1 Like

I use different clients for different scenarios.

I use mod_md with web sites that are on Apache servers. They use ALPN-01 challenges unless they are proxied by Cloudflare, in which case they use HTTP-01.

I only use certbot with HTTP-01 currently.

My DNS-01 challenges are handled by running on pfSense. Thinking about it, none use Cloudflare DNS for Let's Encrypt. Even though client domains use Cloudflare DNS, the pfSense all use some of my domains that are on another provider.

While I do have domains with Cloudflare DNS that I could use to run a test, I don't have the time available right now.

I suggest testing your API token using curl to ensure that you are able to successfully create a DNS record with it. You need that answer no matter what client you use.


I see you successfully did the verify request but did you try this same zones request?


Okay, I've solved it.
As unbelievable as it may seem, I read the documentation dozens of times, but I kept mixing up the names of the variables between:
"Example credentials file using restricted API Token (recommended)"
"Example credentials file using Global API Key (not recommended)"
So, I was creating an API TOKEN type key and saving it in the file as dns_cloudflare_api_key.
It's unbelievable, I kept re-reading everything and nothing was working.
I realized the mistake on the hundredth read, almost by accident... and now it works!!!

Thx to everybody for the help!!! :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.