Issues moving from google-domains to porkbun

My domain is:

I ran this command: certbot -v

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-porkbun, Installer cpanel
Requesting a certificate for *
Performing the following challenges:
dns-01 challenge for
Unsafe permissions on credentials configuration file: /config/dns-conf/porkbun.ini
Unsafe permissions on credentials configuration file: /config/dns-conf/porkbun.ini
Make sure your CNAME record is propagated to all DNS servers, because the default CNAME TTL propagation time is 600 seconds and your certbot propagation time is only 60.
Cleaning up challenges
Encountered exception during recovery: KeyError: '[redacted]'
ERROR: DNS create api call was not successfully
Status code: 400
Message: Invalid domain.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): swag docker (2.9.0-ls279)

The operating system my web server runs on is (include version): docker alpine

My hosting provider, if applicable, is: porkbun

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

On porkbun, I have API access enabled, and I disabled DNSSEC.

Hi @practical, and welcome to the LE community forum :slight_smile:

Which DNS plugin are you using [with certbot 2.9.0]?

I don't see "Porkbun" on that list.
But I did notice that the your "Porkbun" nameservers look very much like CloudFlare nameservers:      nameserver =      nameserver =      nameserver =      nameserver =

And their IPs are within CloudFlare networks: internet address =
ARIN Whois/RDAP - American Registry for Internet Numbers - IP

So, I wouldn't be surprised if the CloudFlare plugin worked with thier nameservers.
[ but I don't use either of those services [PorkBun/CloudFlare] - so take my information with a grain of salt ]


When I turn on dnssec, it says it's using cloud flare, so it's possible. The porkbun plugin is listed under 3rd party plugins. No harm in trying the cloudflare one. I am seeming to note some TXT DNS entries on the domain names that I'm not trying to verify, so that's interesting. Those ones have dnssec enabled, and API access turned off.

I changed the CNAME record to an A record pointing to my network IP and I was able to pass the challenge. So at this point I think I'm either misconfiguring the CNAME record, or the porkbun plugin doesn't like CNAME records.


Cloudflare runs the DNS service provided by Porkbun, but AFAIK you can't use the cloudflare API.


That sounds inconsistent...
But anything is possible.

@practical, which plugin did you use to get this to work?


Think of it this way: Porkbun is the Cloudflare customer. They're the ones with the Cloudflare account, and they're not handing out credentials for the Cloudflare API in their account. Presumably the porkbun API will call Cloudflare's for you, but you have to go through them.


I'm just thinking... Why reinvent the (CF DNS API) wheel?
They could both use that same single solution.
But I do get your point.

So, I would like a more definite confirmation.


I used the porkbun plugin. I took a look at the cloudflare one, but didn't try it because I don't have a cloudflare account to point to.

And I wouldn't say I have it fully working. I have it working with an A record, but that's pointing to a static IP address. On my previous provider, I had it working with a CNAME record pointing to my DDNS, so that it still worked if my public IP address ever changed.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.