Let's Encrypt certificate renewals using cloudflare

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Situation: Our environment migrated to AWS. Let's Encrypt certs are used for LDAP and used to be renewed with the help of native Linux DNS servers. As part of the migration we have decommissioned the DNS servers as well. We are using Cloudflare as the DNS alternative, but we have failed to get the certificates using Cloudflare. Requesting your help on the same.

Our certs are going to be expired in 2 days.

My domain is: ubmits.com

I ran this command:
/usr/bin/dehydrated --cron --ipv4 --config ${DEDIR}/config --hook ${DEDIR}/nsupdate-script.sh --out ${CERTDIR} --challenge dns-01 --domain ${CERT}

It produced this output: /home/certman/dehydrated/nsupdate-script.sh: line 33: NSUPDATE: unbound variable

My web server is (include version): its our LDAP server

The operating system my web server runs on is (include version): my LDAP server runs on AMZ-Linux v2.

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): with sudo

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): we are using the dehydrated package.

That error means the bash script you are running has an uninitialized variable on that line, named NSUPDATE. Not much we can tell about what kind of value it expects without seeing the script file itself.

Although if you are using the Cloudflare proxy, you may want to look at Cloudflare Origin CA.


The question was what the version of the client used is. :wink:

I also suspect your nsupdate-script.sh was meant for your previously used Linux DNS servers, but it's not meant to be used with Cloudflare.


Found an alternative; we are getting the certs. Now we need to automate the cert renewals.
Can anyone help me?

What issue exactly are you running into?

Note that the kappataumu/letsencrypt-cloudflare-hook repository hasn't been updated for 5 years and doesn't seem to support Cloudflare tokens, just email/key combos, which is discouraged.

There's a fork which has upgraded the above hook (walcony/letsencrypt-cloudflare-hook), with token support, but that one had its last update 3 years ago, so YMMV.

Also note that the fork I mentioned above also has a README entry about using a Python virtual environment (venv). That's something I recommend highly when installing Python packages using pip. However, that would also mean you'd need to run dehydrated from within that venv.

You might want to consider other hooks, such as socram8888/dehydrated-hook-cloudflare, a "pure Bash" hook with just a few dependencies.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.