New SSL certificate request "internal error"

Hi, I have just installed WordPress, nginx and Cloudflare in Docker containers using Portainer and can't connect WordPress because of an "internal error" shown in the nginx interface when trying to create a new SSL certificate.

Apparently the API token from Cloudflare is OK; I used it for the nginx setup. The log says it is not, though.

The domain was pointed from Google to cloudflare and is active.

Can anyone shed some light?
Thanks.

My domain is: wordpress.theapothecary.app

I ran this command: Portainer interface

It produced this output: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.9.10),

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Canonical Ubuntu 22 - Docker Compose

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Portainer

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): This certbot is running cloudflare 2.9.10

Another attempt on nginx, using a different method, returned:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-18" --agree-tos --email "deborahsbeghen@gmail.com" --domains "wordpress.theapothecary.app" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-18"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.9.10)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:399:12)
at ChildProcess.emit (node:events:526:28)
at maybeClose (node:internal/child_process:1092:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

Your apex name theapothecary.app is there but the wordpress subdomain is not.

nslookup wordpress.theapothecary.app 8.8.8.8
** server 8.8.8.8 can't find wordpress.theapothecary.app: NXDOMAIN

@MikeMcQ One would think the certbot-dns-cloudflare plugin wouldn't care about that: it would just add _acme-challenge.wordpress IN TXT ${TOKEN}, right?


Not sure. Would it? I don't have a system to test that.


I'm not entirely sure either :stuck_out_tongue:

It might.

The one domain I have with Cloudflare is unfortunately down at the upstream nameserver (wrong NS record which seems to be "stuck"...)


I have just followed a coder doing this, and he created the subdomain while installing nginx so as to place WordPress in the subdomain rather than the domain itself. It worked for him...
After reading your reply, I tried to configure SSL for theapothecary.app and it failed again.
Thanks for replying.


If you created scoped API credentials in Cloudflare, then you need to use dns_cloudflare_api_token rather than dns_cloudflare_email+dns_cloudflare_api_key.

The error message you see is usually caused by mixing these configuration parameters up.

I'm not sure how Portainer exposes these credentials to you, but documentation for the plugin is here.

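A small checker for the credentials-file mix-up this reply describes, added here as an example (it is not code from the thread, certbot or Cloudflare). It assumes only the plugin's documented file format, and the checks (one auth method at a time, both halves of the global-key pair present, no whitespace in secrets, file mode 600) are my own.

```python
"""Check a certbot-dns-cloudflare credentials file for the usual mix-ups.
Added example, not code from the thread, certbot or Cloudflare; it relies only on
the documented format: INI "key = value" lines with dns_cloudflare_api_token (scoped
token) or dns_cloudflare_email plus dns_cloudflare_api_key (global key)."""
import os
import re
import stat

TOKEN_KEY = "dns_cloudflare_api_token"
GLOBAL_KEYS = ("dns_cloudflare_email", "dns_cloudflare_api_key")
LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")

def parse_credentials(text):
    """Parse the section-less INI body into a dict; blanks and comments are skipped."""
    creds = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = LINE_RE.match(line)
        if m:
            creds[m.group(1)] = m.group(2)
    return creds

def check_credentials(creds):
    """Return a list of problems with the parsed keys; an empty list means consistent."""
    problems = []
    has_token = bool(creds.get(TOKEN_KEY))
    has_global = any(creds.get(k) for k in GLOBAL_KEYS)
    if has_token and has_global:
        problems.append("both a scoped token and global email/key are set; keep only one")
    elif not has_token and not has_global:
        problems.append("no credentials found: set %s or %s" % (TOKEN_KEY, "+".join(GLOBAL_KEYS)))
    if has_global and not all(creds.get(k) for k in GLOBAL_KEYS):
        problems.append("global-key auth needs both %s and %s" % GLOBAL_KEYS)
    for key in (TOKEN_KEY,) + GLOBAL_KEYS:
        # Tokens and keys never contain whitespace; a space usually means a partial paste.
        if re.search(r"\s", creds.get(key, "")):
            problems.append("%s contains whitespace; paste the full raw value" % key)
    return problems

def check_file(path):
    """Run the key checks on the file at path and flag group/other-readable modes."""
    with open(path) as fh:
        problems = check_credentials(parse_credentials(fh.read()))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("mode %o is too open; use chmod 600" % mode)
    return problems
```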

Thanks, I will check the doc!!


Created and ran the JSON provided by Cloudflare. It works; the token was created for wordpress.
But...
the SSL returned Internal Error:

echo 'dns_cloudflare_api_token = sss' > '/etc/letsencrypt/credentials/credentials-19' && chmod 600 '/etc/letsencrypt/credentials/credentials-19' && pip install certbot-dns-cloudflare==$(certbot --version | grep -Eo '[0-9]+(\.[0-9]+)+') cloudflare && certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-19" --agree-tos --email "ss@gmail.com" --domains "wordpress.theapothecary.app" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-19"

[6/20/2022] [8:08:18 PM] [Nginx ] › :information_source: info Reloading Nginx

[6/20/2022] [8:08:18 PM] [Express ] › :warning: warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-19" --agree-tos --email "ss@gmail.com" --domains "wordpress.theapothecary.app" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-19"

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Encountered CloudFlareAPIError adding TXT record: 10000 Authentication error

Error communicating with the Cloudflare API: Authentication error

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

This is the problem:

.app does not have a supported TLD. Here are some similar domains.

Not supported by whom?


Cloudflare

That doesn't seem very plausible.

nslookup -q=ns theapothecary.app
theapothecary.app       nameserver = adel.ns.cloudflare.com
theapothecary.app       nameserver = jeremy.ns.cloudflare.com
nslookup -q=soa theapothecary.app adel.ns.cloudflare.com
theapothecary.app
        primary name server = adel.ns.cloudflare.com
        responsible mail addr = dns.cloudflare.com
        serial  = 2281224509
        refresh = 10000 (2 hours 46 mins 40 secs)
        retry   = 2400 (40 mins)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)