Taubin
January 20, 2021, 8:28pm
1
My domain is: not needed here
I ran this command:
I followed the installation instructions for installing certbot via snap here: https://certbot.eff.org/lets-encrypt/snap-nginx
It produced this output:
server taubin ~ sudo apt-get remove certbot
[sudo] password for taubin:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'certbot' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
server taubin ~ sudo snap install --classic certbot
certbot 1.11.0 from Certbot Project (certbot-eff✓) installed
server taubin ~ sudo ln -s /snap/bin/certbot /usr/bin/certbot
ln: failed to create symbolic link '/usr/bin/certbot': File exists
server taubin ~ 1 sudo rm -rf /usr/bin/certbot
server taubin ~ sudo ln -s /snap/bin/certbot /usr/bin/certbot
server taubin ~ sudo snap set certbot trust-plugin-with-root=ok
server taubin ~ sudo snap install --beta certbot-dns-cloudflare
certbot-dns-cloudflare (beta) 1.11.0 from Certbot Project (certbot-eff✓) installed
server taubin ~ sudo snap connect certbot:plugin certbot-dns-cloudflare
server taubin ~ sudo certbot --dry-run certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
-d *.hostname.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Simulating a certificate request for *.hostname.tld
Performing the following challenges:
dns-01 challenge for hostname.tld
Cleaning up challenges
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.1)
I verified the credentials are correct:
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = MySuperAwesomeAPIThatIHaveVerifiedAndRolledToBeSure
My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0
Any help with getting the correct python package installed would be greatly appreciated.
Welcome Back to the Let's Encrypt Community, Dustin
I'm not sure to which old version of certbot you're referring, but I can confirm that this:
Taubin:
certbot 1.11.0
is indeed the latest and greatest version of certbot itself.
This:
means that the version of the cloudflare package you have installed should be fine.
This:
is what I believe to be the crux of the issue. I know you've probably done this umpteen times, but do one more credential check for me. If you're still running into problems, I'll call in reinforcements.
Taubin
January 21, 2021, 12:56am
4
I rolled the creds again just to make sure they are correct, and checked them again:
curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
-H "Authorization: Bearer 7[REDACTED]" \
-H "Content-Type:application/json"
{"result":{"id":"[REDACTED]","status":"active"},"success":true,"errors":[],"messages":[{"code":10000,"message":"This API Token is valid and active","type":null}]}
Same error:
sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Simulating renewal of an existing certificate for *.domain.tld
Performing the following challenges:
dns-01 challenge for domain.tld
Cleaning up challenges
Failed to renew certificate domain.tld with error: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.1)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/domain.tld/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
The cloudflare.ini file:
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = MySuperAwesomeTokenIsHere
rg305
January 21, 2021, 1:04am
5
hmm...
How critical is this now?
[how many days left on your certs]
Try this:
sudo certbot renew --dns-cloudflare-credentials {path to credentials file} --dry-run
Taubin
January 21, 2021, 1:22am
7
Not crucial at all; I switched to the global API in the ini:
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234
That worked, so I switched it back to the restricted version to continue testing:
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
Using the global version worked to renew them just fine, so it doesn't appear to be an issue with it using the wrong ini file.
I only noticed all of this because the previous certs had expired. So there's no hurry on this at all. If I should have opened a ticket on github or similar let me know.
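The two ini layouts above are the only credential shapes certbot's dns-cloudflare plugin accepts: a scoped API token, or an email plus the global API key. The script below is an added example (my own code, not certbot's and not anything posted in this thread) that parses such a file offline, reports which mode it selects, builds the matching Cloudflare v4 API headers (Bearer token versus X-Auth-Email/X-Auth-Key), and flags the two things worth catching before a renewal run: a global key in use where a Zone:DNS:Edit token would do, and a credentials file readable by other users. The sample files and their values are constructed placeholders.

```python
"""Offline audit of a certbot dns-cloudflare credentials file (added example)."""
import configparser
import os
import stat
import tempfile

# Constructed sample credential files in the two shapes shown in the thread
# (placeholder values, not real credentials).
TOKEN_INI = """# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
"""
GLOBAL_INI = """# Cloudflare API credentials used by Certbot
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234
"""


def parse_credentials(text):
    """Parse the section-less 'key = value' format certbot's DNS plugins use."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[creds]\n" + text)  # configparser needs a section header
    return {k: v.strip() for k, v in cp["creds"].items()
            if k.startswith("dns_cloudflare_")}


def classify(creds):
    """Return 'token' (scoped API token) or 'global' (email + global API key)."""
    has_token = "dns_cloudflare_api_token" in creds
    has_global = {"dns_cloudflare_email", "dns_cloudflare_api_key"} <= set(creds)
    if has_token and has_global:
        raise ValueError("file mixes token and global-key settings; keep one")
    if has_token:
        return "token"
    if has_global:
        return "global"
    raise ValueError("no complete credential set found")


def auth_headers(creds):
    """Headers the Cloudflare v4 API expects for each credential mode."""
    if classify(creds) == "token":
        return {"Authorization": "Bearer " + creds["dns_cloudflare_api_token"]}
    return {"X-Auth-Email": creds["dns_cloudflare_email"],
            "X-Auth-Key": creds["dns_cloudflare_api_key"]}


def is_private(path):
    """True when group and others have no access bits (for example mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def audit_file(path):
    """Classify the file, derive its headers, and list least-privilege findings."""
    with open(path) as fh:
        creds = parse_credentials(fh.read())
    mode = classify(creds)
    findings = []
    if mode == "global":
        findings.append("global API key grants full account access; "
                        "prefer a token scoped to Zone:DNS:Edit")
    if not is_private(path):
        findings.append("credentials file is readable by group/others; chmod 600")
    return {"mode": mode, "headers": auth_headers(creds), "findings": findings}


def demo():
    """Write both samples to temp files with different modes and audit them."""
    reports = {}
    for name, text, fmode in (("token", TOKEN_INI, 0o600),
                              ("global", GLOBAL_INI, 0o644)):
        with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as fh:
            fh.write(text)
            path = fh.name
        os.chmod(path, fmode)
        reports[name] = audit_file(path)
        os.unlink(path)
    return reports


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report["mode"], report["findings"])
```

Run it as-is to see the two reports, or point `audit_file()` at a real ini path; the parsing and classification match what the plugin reads, but the findings are this script's own policy, not certbot's.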
Taubin
January 21, 2021, 1:24am
8
Unfortunately that does the same with the restricted API. That was one of the things I tried (and tried again after cycling the key) in the original post.
It's time for those reinforcements. Please be patient.
@certbot-devs
This is a dns-cloudflare plugin issue. Works with global, but not with restricted.
griffin
January 21, 2021, 1:37am
10
@Taubin
I know this is a long shot, but could you please try this:
sudo certbot renew --dns-cloudflare-propagation-seconds 60 --dry-run
Taubin
January 21, 2021, 1:39am
11
sudo certbot renew --dns-cloudflare-propagation-seconds 60 --dry-run
[sudo] password for taubin:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Simulating renewal of an existing certificate for *.domain.tld
Performing the following challenges:
dns-01 challenge for domain.tld
Cleaning up challenges
Failed to renew certificate domain.tld with error: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.1)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/domain.tld/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
It immediately failed with the same. It didn't even try to wait the 60 seconds requested.
griffin
January 21, 2021, 1:40am
12
Thanks so much for that. I wanted it on record for the certbot developers to see when they look over this.
Speaking of, hi Erica!
erica
January 21, 2021, 1:41am
13
Certbot dev here.
I see you used sudo snap install --beta certbot-dns-cloudflare
My first guess is something about having installed the beta version of the cloudflare plugin and the non-beta version of the main certbot snap. Can you try reinstalling the cloudflare plugin without the --beta flag?
Taubin
January 21, 2021, 1:42am
14
Hi Erica,
I tried it with the non-beta first, then with the beta, hoping that would help. Both have done the same; however, I'll do a reinstall without the flag just to double check. I'll get back once I've done that. Cheers
Taubin
January 21, 2021, 1:45am
15
sudo snap remove certbot-dns-cloudflare
certbot-dns-cloudflare removed
server taubin ~ sudo snap install certbot-dns-cloudflare
certbot-dns-cloudflare 1.11.0 from Certbot Project (certbot-eff✓) installed
server taubin ~ sudo certbot renew --dns-cloudflare-propagation-seconds 60 --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Simulating renewal of an existing certificate for *.domain.tld
Performing the following challenges:
dns-01 challenge for domain.tld
Cleaning up challenges
Failed to renew certificate domain.tld with error: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.1)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/domain.tld/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
erica
January 21, 2021, 1:47am
16
Oh wait -- can you check the permissions on that token? It requires Zone:DNS:Edit permissions for the zones you need certificates for.
Taubin
January 21, 2021, 1:50am
17
Sure, I believe this is correct. Sorry for blanking out the domain and my email; this is for a home server. I did make sure the domain listed in the screenshot is correct, though.
griffin
January 21, 2021, 1:52am
18
Does the wildcard make a difference in the zone?
Taubin
January 21, 2021, 1:53am
19
It shouldn't; the zone is a drop-down, not manually entered.
erica
January 21, 2021, 1:54am
20
That all looks good, thanks for checking that. I'll read back and think over this more...