Error while certbot renew --dry-run

I only get this error if I’m dry-running.

My domain is:

I ran this command:
sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for
dns-01 challenge for
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: ‘code’. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

The operating system my web server runs on is (include version):
Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.4.0

Here is a pastebin of letsencrypt.log:

While the Python error is rather prominent and is probably a bug too (try updating the cloudflare python library), I don’t think that’s really your problem. If you look at the following log line:

2020-05-15 22:04:40,987:DEBUG:urllib3.connectionpool: “POST /client/v4/zones/6f63a88933aeb8b3ff1fffdd23666298/dns_records HTTP/1.1” 401 None

One thing stands out: the HTTP response code of CloudFlares API: 401. And the HTTP 401 response code means Unauthorized.

Could you double verify your CloudFlare credentials?

My e-mail and api key are right in the ini file…

And there has nothing been changed in the zone authorizations at CloudFlares side?

No I just checked them, they are right.

And if you upgrade the CloudFlare python library?

I’m finding it very strange "GET"s (“reads”) to the CloudFlare API are fine with the credentials, but "POST"s (“writes”) are forbidden…

I think they are updated already

certbot-dns-cloudflare 1.4.0
cloudflare 2.3.0

Can you show a similar trace that passes.
This failure seems pretty evident that the creds are not good:

2020-05-15 22:04:40,560:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1):
2020-05-15 22:04:40,795:DEBUG:urllib3.connectionpool: "GET /client/v4/zones? HTTP/1.1" 200 None
2020-05-15 22:04:40,796:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Found zone_id of 6f63a88933aeb8b3ff1fffdd23666298 for using name
2020-05-15 22:04:40,796:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Attempting to add record to zone 6f63a88933aeb8b3ff1fffdd23666298: {'type': 'TXT', 'name': '', 'content': '5vwEd9ycczb5xvOyIJkPQCa-AuIqOBDf-O-1xav9-ng', 'ttl': 120}
2020-05-15 22:04:40,987:DEBUG:urllib3.connectionpool: "POST /client/v4/zones/6f63a88933aeb8b3ff1fffdd23666298/dns_records HTTP/1.1" 401 None
2020-05-15 22:04:40,989:DEBUG:certbot._internal.error_handler:Encountered exception:

Can’t show one that passes since I only have 1 cert and domain nowadays, and it doesn’t need renewal yet.

Should I check my domain.conf too or only the credentials.ini?

I’ll try to create a API Token to edit my domain (this wasn’t here a few months ago).

There should be a way to test your creds independent of certbot.

Well the zoneid is right for sure so I don’t know why it’s failing with 401…

That might be the most recent release available on your OS, but it’s about six months old. The 'code' error handling bug was fixed in 2.7.0 or 2.7.1.

If you fix that bug, you should be able to see the real error message that’s coming from Cloudflare. It’s probably this one:


Ah yes it is, I updated cloudflare to 2.7.1 now and it’s showing exactly that error!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.