Taubin
January 20, 2021, 8:28pm
1
My domain is: not needed here
I ran this command:
I followed the installation instructions for installing certbot via snap here: https://certbot.eff.org/lets-encrypt/snap-nginx
It produced this output:
server taubin ~ sudo apt-get remove certbot
[sudo] password for taubin:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'certbot' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
server taubin ~ sudo snap install --classic certbot
certbot 1.11.0 from Certbot Project (certbot-eff✓) installed
server taubin ~ sudo ln -s /snap/bin/certbot /usr/bin/certbot
ln: failed to create symbolic link '/usr/bin/certbot': File exists
server taubin ~ 1 sudo rm -rf /usr/bin/certbot
server taubin ~ sudo ln -s /snap/bin/certbot /usr/bin/certbot
server taubin ~ sudo snap set certbot trust-plugin-with-root=ok
server taubin ~ sudo snap install --beta certbot-dns-cloudflare
certbot-dns-cloudflare (beta) 1.11.0 from Certbot Project (certbot-eff✓) installed
server taubin ~ sudo snap connect certbot:plugin certbot-dns-cloudflare
server taubin ~ sudo certbot --dry-run certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
-d *.hostname.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Simulating a certificate request for *.hostname.tld
Performing the following challenges:
dns-01 challenge for hostname.tld
Cleaning up challenges
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.1)
I verified the credentials are correct:
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = MySuperAwesomeAPIThatIHaveVerifiedAndRolledToBeSure
My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0
Any help with getting the correct python package installed would be greatly appreciated.
2 Likes
Welcome Back to the Let's Encrypt Community, Dustin
I'm not sure to which old version of certbot you're referring, but I can confirm that this:
Taubin:
certbot 1.11.0
is indeed the latest and greatest version of certbot itself.
This:
means that the version of the cloudflare package you have installed should be fine.
This:
is what I believe to be the crux of the issue. I know you've probably done this umpteen times, but do one more credential check for me. If you're still running into problems, I'll call in reinforcements.
2 Likes
Taubin
January 21, 2021, 12:56am
4
I rolled the creds again just to make sure they are correct, and checked them again:
curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
-H "Authorization: Bearer 7[REDACTED]" \
-H "Content-Type: application/json"
{"result":{"id":"[REDACTED]","status":"active"},"success":true,"errors":[],"messages":[{"code":10000,"message":"This API Token is valid and active","type":null}]}
Same error:
sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Simulating renewal of an existing certificate for *.domain.tld
Performing the following challenges:
dns-01 challenge for domain.tld
Cleaning up challenges
Failed to renew certificate domain.tld with error: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.1)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/domain.tld/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
The cloudflare.ini file:
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = MySuperAwesomeTokenIsHere
2 Likes
rg305
January 21, 2021, 1:04am
5
hmm...
How critical is this now?
[how many days left on your certs]
3 Likes
Try this:
sudo certbot renew --dns-cloudflare-credentials {path to credentials file} --dry-run
1 Like
Taubin
January 21, 2021, 1:22am
7
Not crucial at all. I switched to the global API in the ini:
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234
That worked, so I switched it back to the restricted version to continue testing:
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
Using the global version worked to renew them just fine, so it doesn't appear to be an issue with it using the wrong ini file.
I only noticed all of this because the previous certs had expired. So there's no hurry on this at all. If I should have opened a ticket on github or similar let me know.
2 Likes
Taubin
January 21, 2021, 1:24am
8
Unfortunately that does the same with the restricted API. That was one of the things I tried (and tried again after cycling the key) in the original post.
2 Likes
It's time for those reinforcements. Please be patient.
@certbot-devs
This is a dns-cloudflare plugin issue. Works with global, but not with restricted.
3 Likes
griffin
January 21, 2021, 1:37am
10
@Taubin
I know this is a long shot, but could you please try this:
sudo certbot renew --dns-cloudflare-propagation-seconds 60 --dry-run
2 Likes
Taubin
January 21, 2021, 1:39am
11
sudo certbot renew --dns-cloudflare-propagation-seconds 60 --dry-run
[sudo] password for taubin:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Simulating renewal of an existing certificate for *.domain.tld
Performing the following challenges:
dns-01 challenge for domain.tld
Cleaning up challenges
Failed to renew certificate domain.tld with error: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.1)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/domain.tld/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
It immediately failed with the same. It didn't even try to wait the 60 seconds requested.
3 Likes
griffin
January 21, 2021, 1:40am
12
Thanks so much for that. I wanted it on record for the certbot developers to see when they look over this.
Speaking of, hi Erica!
2 Likes
erica
January 21, 2021, 1:41am
13
Certbot dev here.
I see you used sudo snap install --beta certbot-dns-cloudflare
My first guess is something about having installed the beta version of the cloudflare plugin and the non-beta version of the main certbot snap. Can you try reinstalling the cloudflare plugin without the --beta flag?
3 Likes
Taubin
January 21, 2021, 1:42am
14
Hi Erica,
I tried it with the non-beta first, then with the beta hoping that would help. Both have done the same, however I'll do a reinstall without the flag just to double check. I'll get back once I've done that. Cheers
3 Likes
Taubin
January 21, 2021, 1:45am
15
sudo snap remove certbot-dns-cloudflare
certbot-dns-cloudflare removed
server taubin ~ sudo snap install certbot-dns-cloudflare
certbot-dns-cloudflare 1.11.0 from Certbot Project (certbot-eff✓) installed
server taubin ~ sudo certbot renew --dns-cloudflare-propagation-seconds 60 --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Simulating renewal of an existing certificate for *.domain.tld
Performing the following challenges:
dns-01 challenge for domain.tld
Cleaning up challenges
Failed to renew certificate domain.tld with error: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.1)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/domain.tld/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
2 Likes
erica
January 21, 2021, 1:47am
16
Oh wait -- can you check the permissions on that token? It requires Zone:DNS:Edit permissions for the zones you need certificates for.
2 Likes
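An added diagnostic, not code from the thread or from the certbot project, that reproduces the zone lookup behind "Error determining zone_id" with the credentials in a cloudflare.ini: a token that passes /user/tokens/verify but whose Zone:DNS:Edit scope does not cover the zone shows up here as an empty zone list, which the verify endpoint alone cannot reveal. The helper names and the use of the /zones?name= filter are this example's own assumptions.

```python
"""Diagnose a Certbot cloudflare.ini against the Cloudflare API (added example).
It builds the same kind of headers the dns-cloudflare plugin sends and interprets
the /zones?name=<zone> lookup that precedes every dns-01 record change."""
import configparser
import json
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def parse_credentials(ini_text):
    """Certbot's ini has bare key = value lines; add a section so configparser accepts it."""
    parser = configparser.ConfigParser()
    parser.read_string("[certbot]\n" + ini_text)
    return dict(parser["certbot"])


def auth_headers(creds):
    """Scoped token (Bearer) vs. global key (email + key): the two modes seen in the thread."""
    if "dns_cloudflare_api_token" in creds:
        return {"Authorization": "Bearer " + creds["dns_cloudflare_api_token"]}
    return {"X-Auth-Email": creds["dns_cloudflare_email"],
            "X-Auth-Key": creds["dns_cloudflare_api_key"]}


def check_zone_visible(response, zone_name):
    """Interpret a /zones?name=<zone> reply and return (ok, detail).
    A rejected request (e.g. code 6003) means the credentials were refused; an
    empty result means the token was accepted but its scope does not include
    this zone, so the Zone:DNS:Edit permission must be widened to cover it."""
    if not response.get("success"):
        codes = [err.get("code") for err in response.get("errors", [])]
        return False, "credentials rejected, error codes %s" % codes
    if not response.get("result"):
        return False, "token accepted but zone %s is not visible to it" % zone_name
    return True, response["result"][0]["id"]


def lookup_zone(ini_path, zone_name):
    """Live check (needs network): run the lookup with the credentials in ini_path."""
    with open(ini_path) as fh:
        creds = parse_credentials(fh.read())
    req = urllib.request.Request(API + "/zones?name=" + zone_name,
                                 headers=auth_headers(creds))
    try:
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:  # Cloudflare returns its JSON error body on 4xx
        body = json.load(err)
    return check_zone_visible(body, zone_name)
```

Run `lookup_zone("/root/.secrets/certbot/cloudflare.ini", "domain.tld")` with the same ini certbot reads; a `(False, "token accepted but zone ... is not visible")` result points at the token's zone scope rather than at certbot.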
Taubin
January 21, 2021, 1:50am
17
Sure, I believe this is correct. Sorry for blanking out the domain and my email; this is for a home server. I did make sure the domain listed in the screenshot is correct though.
2 Likes
griffin
January 21, 2021, 1:52am
18
Does the wildcard make a difference in the zone?
1 Like
Taubin
January 21, 2021, 1:53am
19
It shouldn't; the zone is a drop-down, not manually entered.
2 Likes
erica
January 21, 2021, 1:54am
20
That all looks good, thanks for checking that. I'll read back and think over this more...
4 Likes