It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-porkbun, Installer cpanel
Requesting a certificate for *.papier.ski
Performing the following challenges:
dns-01 challenge for papier.ski
Unsafe permissions on credentials configuration file: /config/dns-conf/porkbun.ini
Unsafe permissions on credentials configuration file: /config/dns-conf/porkbun.ini
Make sure your CNAME record is propagated to all DNS servers, because the default CNAME TTL propagation time is 600 seconds and your certbot propagation time is only 60.
Cleaning up challenges
Encountered exception during recovery: KeyError: '[redacted]'
ERROR: DNS create api call was not successfully
Status code: 400
Message: Invalid domain.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): linuxserver.io swag docker (2.9.0-ls279)
The operating system my web server runs on is (include version): docker alpine
My hosting provider, if applicable, is: porkbun
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0
On porkbun, I have API access enabled, and I disabled DNSSEC.
So, I wouldn't be surprised if the CloudFlare plugin worked with their nameservers.
[ but I don't use either of those services [PorkBun/CloudFlare] - so take my information with a grain of salt ]
When I turn on DNSSEC, it says it's using Cloudflare, so it's possible. The porkbun plugin is listed under 3rd party plugins. No harm in trying the Cloudflare one. I seem to be noticing some TXT DNS entries on the domain names that I'm not trying to verify, so that's interesting. Those ones have DNSSEC enabled, and API access turned off.
I changed the CNAME record to an A record pointing to my network IP and I was able to pass the challenge. So at this point I think I'm either misconfiguring the CNAME record, or the porkbun plugin doesn't like CNAME records.
Think of it this way: Porkbun is the Cloudflare customer. They're the ones with the Cloudflare account, and they're not handing out credentials for the Cloudflare API in their account. Presumably the porkbun API will call Cloudflare's for you, but you have to go through them.
I used the porkbun plugin. I took a look at the Cloudflare one, but didn't try it because I don't have a Cloudflare account to point to.
And I wouldn't say I have it fully working. I have it working with an A record, but that's pointing to a static IP address. On my previous provider, I had it working with a CNAME record pointing to my DDNS, so that it still worked if my public IP address ever changed.