Installing SSL wildcard error in FreeNAS with nginx

Hello, I have the domain “r-proxy.summoning.ml”.
I get an error trying to install a Let's Encrypt wildcard certificate on FreeNAS with nginx.

The error obtained is:

root@reverse-proxy:/ # certbot certonly \
?   --dns-cloudflare \
?   --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
?   -d r-proxy.summoning.ml
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for r-proxy.summoning.ml
Unsafe permissions on credentials configuration file: /root/ .secrets/certbot/cloudflare.ini
Cleaning up challenges
An unexpected error ocurred:
KeyError: 'code'
Please see the logfiles in /var/log/letsencrypt for more details.

Reviewing the log, I can observe the following:

20 15:44:01,229:INFO:certbot._internal.auth_handler:Cleaning up challenges
20 15:44:01,238:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
20 15:44:01,562:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=r
20 15:44:01,838:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=s
20 15:44:01,839:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Found zone_id of 2bfc6592a339578d2
20 15:44:02,827:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones/2bfc65
20 15:44:02,829:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Unable to find TXT record.
20 15:44:02,829:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:TXT record not found; no cleanup needed.

What may be happening?
I have declared the TXT record for r-proxy.summoning.ml in cloudflare.

Regards


Read here: https://community.cloudflare.com/t/unable-to-update-ddns-using-api-for-some-tlds/167228 (edited: wrong link)

Cloudflare removed the ability to use the DNS API if:

  • You are on the Cloudflare Free plan, and
  • You are using one of the Freenom TLDs (ml, gq, tk, cf, ga)

This affects Certbot’s ability to automatically issue wildcards for those domains. You can still enter the TXT records manually into the user interface (using --manual instead of --dns-cloudflare), but it won’t be automatically renewing.


Hello,

following your recommendation and reading this documentation:

I have modified my instruction:

certbot certonly \
--manual _acme-challenge.rolejobs.org. 300 IN TXT "v=spf1 a mx a:rolejobs.org ip4:181.116.19.184 ?all" \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
--server https://acme-v02.api.letsencrypt.org/directory \
-d '*.rolejobs.org' \
-d rolejobs.org

The error I get is:

usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: _acme-challenge.rolejobs.org. 300 IN TXT v=spf1 a mx a:rolejobs.org ip4:181.116.19.184 ?all

What instruction should I modify?

Cheers


I have no idea what gave you the idea to do this. Simply --manual --preferred-challenges dns-01 -d <whatever>. If you aren't using the cloudflare plugin, you don't need to specify its credentials, and if you're using Let's Encrypt, you don't need to specify the server. It will tell you what TXT records need to be created--there will be two of them, and you need to create both of them.


Hello danb35, I am using the cloudflare plugin.

No, you aren't. As @_az explained, you can't use its API for your domain if you're using it on the free plan. You're instead using manual mode, which doesn't use the plugin.


I have tried to request the wildcard certificate using the manual form with the following instruction:

certbot certonly --manual --preferred-challenge dns -d “summoning.ml” -d “*.summoning.ml”

But I get the following error:

root@reverse-proxy:~ # certbot certonly \ --manual --preferred-challenge dns -d“summoning.ml” -d “*.summoning.ml”

certbot: No match.

Can you help me?


Try it again without the quotation marks.


Well, you need the quotes (or some other way to escape the character) for the wildcard. But you need proper quotes, not the curly quotes that are showing here.

@protoss666, the correct command would be certbot certonly --manual --preferred-challenges dns -d summoning.ml -d "*.summoning.ml"

Note:

  • The second flag is --preferred-challenges, not --preferred-challenge
  • The quotes around the second domain name (required to keep the shell from evaluating the *) are straight quotes, not the curly quotes in the command you copied and pasted
  • Certbot will give you two TXT record values. You must create both of them (they’ll both have the same name, and yes, this is perfectly valid) before proceeding with validation.
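A small pre-flight check for the last bullet above, added here as an example and not part of the thread: before pressing Enter at certbot's manual-mode prompt, confirm that both _acme-challenge TXT values are actually published. The function and the sample dig output are constructed; the live helper assumes dig is installed.

```shell
#!/bin/sh
# Added example: verify that every TXT value certbot asked for is visible
# under _acme-challenge.<domain> before continuing with DNS-01 validation.
# A wildcard plus base-domain request produces two values with the same
# record name, so both must be present.

# all_txt_present "<dig +short TXT output>" value1 [value2 ...]
# Returns 0 when each expected value appears as its own quoted line, else 1.
# (dig +short prints TXT data as "..." lines, one record per line.)
all_txt_present() {
    dig_out=$1
    shift
    missing=0
    for want in "$@"; do
        if printf '%s\n' "$dig_out" | grep -Fqx "\"$want\""; then
            echo "found TXT value: $want"
        else
            echo "missing TXT value: $want" >&2
            missing=1
        fi
    done
    return $missing
}

# check_live <domain> value1 [value2 ...]
# Queries a public resolver (Cloudflare's 1.1.1.1) rather than the local
# cache, so a negative answer cached before the records were created does
# not produce a false "missing". Assumes dig is available on the host.
check_live() {
    domain=$1
    shift
    out=$(dig +short TXT "_acme-challenge.$domain" @1.1.1.1)
    all_txt_present "$out" "$@"
}

# Usage (values are placeholders for the two strings certbot prints):
#   check_live summoning.ml TOKEN_FOR_BASE_DOMAIN TOKEN_FOR_WILDCARD
```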

I forgot about the wildcard he was looking for.

