Problem with DNS challenge with Cloudflare

I hope it's ok to continue in this thread.

I got the domain from Namecheap and configured the DNS records on the Cloudflare site with working Cloudflare nameserver records.
My DNS records are:


I'm trying to get the certificate to my ReadyNAS102 server. I couldn't install certbot but somehow I got acme.sh working. Unfortunately, the process cannot be finalized.
root@ReadyNAS:/home/mirssh# acme.sh --issue --dns dns_cf -d _acme-challenge.mirnas.xyz
[Wed Apr 3 14:40:55 CEST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Apr 3 14:40:55 CEST 2024] Single domain='_acme-challenge.mirnas.xyz'
[Wed Apr 3 14:41:01 CEST 2024] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"DNS identifier is invalid [_acme-challenge.mirnas.xyz]"}
[Wed Apr 3 14:41:01 CEST 2024] Please check log file for more details: /root/.acme.sh/acme.sh.log
The log file shows quite a lengthy output which I don't want to present here now, but if anybody willing to help me would like to have a look I would put it online.

What I suspect is that I might not have identified my server sufficiently with a key. I don't know how to get it and how to use it.

Your help will be much appreciated.

P.S.
I suddenly realized that my acme-challenge goes to zerossl.com

It's not, actually. Even if some problems look the same at a glance, they often are not. So we prefer separate threads for separate problems. Thus, I've moved your post to a new thread.

You should not include the _acme-challenge label for requesting a certificate for a certain hostname.

Yes, acme.sh defaults to ZeroSSL. See The acme.sh will change default CA to ZeroSSL on August-1st 2021 for more information and how to change this to Let's Encrypt.

Why is there a TXT RR for mirnas.xyz with the value _acme-challenge.mirnas.xyz? That doesn't make any sense.

3 Likes

I'm now trying to get the certificate from ZeroSSL.
I got the error "We were unable to verify your CNAME entry. Please check for errors on your side and try again after 5-10 minutes."
CNAME has been changed and I will delete TXT as well.

Tnx

1 Like

Still error with ZeroSSL.
mirnas.xyz domain is working as I can get to my insecure server, so I don't understand why ZeroSSL cannot identify my domain. Done everything as they suggested.

I'm considering going over to Letsencrypt
acme.sh --issue -d example.com --dns dns_cf --server letsencrypt
Would it be easier?

While I prefer Let's Encrypt over ZeroSSL (and this is the Let's Encrypt support forum, not the ZeroSSL support forum) I don't think switching CAs would actually differ, as all ACME CAs adhere to RFC 8555 and would, in essence, do the same.

I also have no clue why ZeroSSL would complain about the CNAME: is there still a CNAME in place? Because CNAMEs are not allowed next to most other DNS records, such as TXT (the only exceptions that I know of would be RRs for DNSSEC). So my advice would be to remove the CNAME and change it for an A RR. Then the challenge, which uses a TXT RR, should work.

If not, please post the exact command used, the exact output and also the current DNS zone settings.

3 Likes

I got this "Congratulations, your SSL certificate is en route! However, you need to verify ownership
of your domain before installing your certificate. Please follow the steps below."
which means I have to choose a verification method for mirnas.xyz. I need to upload an AuthFile to my server.
Be back.. Thank you.

1 Like

I'm not familiar with acme.sh myself, but you specified the Cloudflare DNS plugin with --dns dns_cf, right? Maybe you need to instruct acme.sh to actually use that plugin somehow for the dns-01 challenge?

Uploading a file won't work if your domain name points to a private IP address space.

3 Likes

I tried another option with ZeroSSL Upload the Auth File to my HTTP server under: /.well-known/pki-validation/
Not working. "The requested URL /.well-known/pki-validation/0AD057D02D059xxxxxxxxxxxxx.txt was not found on this server." Otherwise mirnas/xyz/subdirs are working.
AI says that some systems don't allow /. files
I don't understand the reason, but this option is seemingly close to me.
I need a break and I will consider your thought. Thank you very much.

you are supposed to add a txt record on the _acme-challenge.mirnas.xyz subdomain, your acme client will tell you about the string you have to put there.

you should automate that with cloudflare apis, tho.

this does not make any sense. you should use -d mirnas.xyz, and you have no actual reason to use dns validation. Please use http-01.

1 Like
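The three points made above (the order identifier is the bare hostname, the TXT record goes at _acme-challenge.<hostname>, and a CNAME cannot sit next to a TXT at the same name) as an added, self-contained example; this is not code from the thread or from acme.sh. The zone records and the key authorization it checks are constructed for illustration, with the TXT value derived as RFC 8555 section 8.4 specifies.

```python
import base64
import hashlib


def acme_identifier_ok(name: str) -> bool:
    """An ACME order names the hostname itself. The _acme-challenge label belongs
    only on the TXT record; putting it in the identifier is what produced the
    'DNS identifier is invalid' rejection shown in the thread."""
    return not name.lower().startswith("_acme-challenge.")


def dns01_txt_record(domain: str, key_authorization: str) -> tuple[str, str]:
    """RFC 8555 s8.4: publish base64url(SHA-256(keyAuthorization)), unpadded,
    as a TXT record at _acme-challenge.<domain>. The client normally prints
    this value; here it is derived from a constructed key authorization."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"_acme-challenge.{domain.lower()}", value


def zone_conflicts(records: list[tuple[str, str, str]]) -> list[str]:
    """Return owner names that hold a CNAME together with any other record type.
    RFC 1034 s3.6.2 requires a CNAME to be the only record at its name (DNSSEC
    records aside), so a TXT challenge record beside a CNAME is invalid."""
    types_by_name: dict[str, set[str]] = {}
    for name, rtype, _ in records:
        types_by_name.setdefault(name.lower(), set()).add(rtype.upper())
    return sorted(n for n, t in types_by_name.items() if "CNAME" in t and len(t) > 1)


# Constructed zone mirroring the thread: a CNAME and a TXT at the apex.
BROKEN_ZONE = [
    ("mirnas.xyz", "CNAME", "example-target.invalid."),
    ("mirnas.xyz", "TXT", "_acme-challenge.mirnas.xyz"),
]
# Corrected zone: apex points at an address (192.0.2.10 is a documentation IP),
# and the challenge TXT lives under its own _acme-challenge owner name.
FIXED_ZONE = [
    ("mirnas.xyz", "A", "192.0.2.10"),
    ("_acme-challenge.mirnas.xyz", "TXT", "constructed-challenge-value"),
]

if __name__ == "__main__":
    print("identifier ok:", acme_identifier_ok("mirnas.xyz"))
    print("conflicts before:", zone_conflicts(BROKEN_ZONE))
    print("conflicts after:", zone_conflicts(FIXED_ZONE))
    print(dns01_txt_record("mirnas.xyz", "constructed-token.constructed-thumbprint"))
```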

The Cloudflare DNS is pointing to a private IP address. So DNS Challenge would be needed. I think Cloudflare also offer tunneling which might allow HTTP Challenge but DNS Challenge probably easier.

4 Likes

That's what --dns dns_cf is for, although I don't have enough knowledge of acme.sh (the things I do know about it, makes me not like it at all) to say how that actually works. Perhaps it's as simple as specifying the challenge type to dns-01? I dunno :man_shrugging:t2:

2 Likes

I have no idea, but there should be docs.

2 Likes

Yeah, if you can find the answer somewhere, sure. :stuck_out_tongue:

2 Likes

@tumiro Maybe review these docs?

5 Likes

Thank you all for your help. I succeeded with the verification of my domain. ZeroSSL has an email verification procedure which, after proper configuration on Cloudflare, worked. I received my cert files by email and now I'm going to install them on my Apache2 server.
Good forum, Congrats.

1 Like

Please note that ZeroSSL only offers a maximum of 3 free certificates per account if those certificates aren't issued through their ACME API. And I don't think email verification works with ACME.

4 Likes