Unable to determine zone_id for mysite.com using zone names: ['mysite.com', 'com']

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: srandd.com

I ran this command: sudo certbot certonly -v --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d '*.srandd.com'

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Requesting a certificate for *.srandd.com
Performing the following challenges:
dns-01 challenge for srandd.com
Cleaning up challenges
Unable to determine zone_id for srandd.com using zone names: ['srandd.com', 'com']. Please confirm that the domain name has been entered correctly and is already associated with the supplied Cloudflare account.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx 1.22.1

The operating system my web server runs on is (include version): debian 12

My hosting provider, if applicable, is: self hosting

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

I don't think it's supposed to be trying to use plain 'com' for one of my zone names! I looked everywhere and I don't see what I did wrong.

Hello @movingelectrons, welcome to the Let's Encrypt community. 🙂

This seems more like the Cloudflare DNS plugin or, even more likely, the Cloudflare credentials not being correct, or possibly not being in the indicated location, ~/.secrets/cloudflare.ini.
Try sudo cat ~/.secrets/cloudflare.ini to see if you get what is expected.

3 Likes

I have 2 other domains set up and running fine on the same machine, all in the same account, all using the same credentials. The credentials are set to be able to alter DNS on anything in my account. It's not supposed to even try to claim 'com'; that's the really weird thing happening that I can see. I've played with it for hours now and I don't see what's wrong!

The 'com' part is probably just slightly faulty logic (finding the shortest matching label for a zone) and likely nothing to worry about. As @Bruce5051 suggests, the most likely problem is that the credentials you are using just don't have permission to query that zone, so it never matches.

Try the following with the API token you are trying to use, if it returns no results or your zone is not listed then it's a credentials problem:

curl "https://api.cloudflare.com/client/v4/zones" --header "Authorization: Bearer <your api token>"

[Edit: also make sure you are using the latest version of everything]

4 Likes
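To make the "shortest matching label" behaviour and the credentials angle concrete, here is an added example (not code from certbot or from anyone in this thread) that replays the lookup the plugin performs: walk the candidate zone names for the challenge domain and query `GET /client/v4/zones?name=<candidate>` with the bearer token, exactly the request visible in the debug log further down. The `fake_fetch` transport, its responses, `FAKE_ZONE_ID` and the token strings are constructed for the demo; swap in `http_get` (the default) to run it against a real account.

```python
"""Reproduce the zone lookup certbot-dns-cloudflare does for a dns-01
challenge, so 'Unable to determine zone_id' can be diagnosed by hand."""
import json
import urllib.error
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def zone_candidates(domain):
    """Zone names to try, longest first: 'srandd.com' -> ['srandd.com', 'com'].
    A leading '*.' is dropped because the dns-01 challenge is placed on the
    base name. The bare TLD is simply the last candidate, so seeing 'com' in
    the error message is expected, not a bug."""
    if domain.startswith("*."):
        domain = domain[2:]
    labels = domain.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def classify_zone_lookup(status, body):
    """Interpret one GET /zones?name=<candidate> answer.

    ('zone', id)   the token can see that zone
    ('none', None) a valid but empty result (zone not in the account, or
                   the token is scoped to other zones)
    ('auth', msg)  Cloudflare rejected the token itself, e.g. a rolled one
    """
    try:
        data = json.loads(body)
    except ValueError:
        return ("auth", f"HTTP {status}, non-JSON body")
    if status >= 400 or not data.get("success", False):
        errors = data.get("errors") or [{"message": f"HTTP {status}"}]
        return ("auth", errors[0].get("message", f"HTTP {status}"))
    result = data.get("result") or []
    if result:
        return ("zone", result[0]["id"])
    return ("none", None)


def http_get(url, token):
    """Real transport: bearer-token GET, returns (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def find_zone_id(domain, token, fetch=http_get):
    """Walk the candidates the way the plugin does and stop at the first hit.
    Returns (kind, detail, tried) where kind is 'zone', 'none' or 'auth'."""
    tried = []
    for name in zone_candidates(domain):
        tried.append(name)
        status, body = fetch(f"{CF_API}/zones?name={name}&per_page=1", token)
        kind, detail = classify_zone_lookup(status, body)
        if kind != "none":
            return kind, detail, tried
    return "none", None, tried


# Constructed stand-in for the Cloudflare API (no real zone ids or tokens).
FAKE_ZONE_ID = "0123456789abcdef0123456789abcdef"


def fake_fetch(url, token):
    if token == "stale-token":  # a rolled/revoked token: rejected outright
        return 401, json.dumps({"success": False, "result": None,
                                "errors": [{"code": 10000, "message": "Authentication error"}]})
    if token == "current-token" and "name=srandd.com&" in url:
        return 200, json.dumps({"success": True, "errors": [],
                                "result": [{"id": FAKE_ZONE_ID, "name": "srandd.com"}]})
    # valid token that is not allowed to see this zone: empty result set
    return 200, json.dumps({"success": True, "errors": [], "result": []})


if __name__ == "__main__":
    for tok in ("current-token", "other-zones-token", "stale-token"):
        kind, detail, tried = find_zone_id("*.srandd.com", tok, fake_fetch)
        print(tok, "->", kind, detail, "tried", tried)
```

The 'none' outcome after both 'srandd.com' and 'com' came back empty is precisely the state behind the error message in the first post: the API accepted the token but never returned the zone, which is why the advice above is to list zones with the same token and check whether srandd.com is in the answer.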

That's a pretty common error message. Usually the DNS Zone permissions are wrong.

Need: Zone:DNS:Edit

Is that set properly?

See: Welcome to certbot-dns-cloudflare’s documentation! — certbot-dns-cloudflare 0 documentation

Note it is common to see each level of the domain name in the message. Don't worry about seeing ".com" by itself.

EDIT:

Also, you probably should specify the apex name along with the wildcard. It looks like you have both configured the same. A wildcard domain in a cert only covers names in the "*" position not the apex itself.

So:

4 Likes
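The point about the apex name is easy to get wrong, so here is an added example (my own code, not from the poster or from certbot) that checks which hostnames a list of certificate names actually covers, using the one-label wildcard rule, and builds the `-d` arguments certbot would need so that nothing is left uncovered. The hostnames used are the ones from this thread; the helper names are my own.

```python
"""Check which hostnames a set of certificate names (wildcards included)
covers. A wildcard stands for exactly one leftmost label and never for the
apex, so '*.srandd.com' does not cover 'srandd.com'."""


def name_covers(cert_name, hostname):
    """Match one certificate name against one hostname (case-insensitive).
    '*.srandd.com' covers 'www.srandd.com' but neither 'srandd.com'
    nor 'a.b.srandd.com'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]  # '*.srandd.com' -> '.srandd.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # exactly one non-empty label may stand in for the '*'
    return bool(leftmost) and "." not in leftmost


def uncovered(cert_names, hostnames):
    """Hostnames that none of the certificate names would cover."""
    return [h for h in hostnames if not any(name_covers(c, h) for c in cert_names)]


def certbot_domain_args(cert_names, hostnames):
    """Extend the requested names so every wanted hostname is covered,
    then render them as certbot '-d' arguments. The apex can only be
    covered by listing it explicitly, which is what this adds."""
    names = list(cert_names)
    for host in uncovered(cert_names, hostnames):
        if host not in names:
            names.append(host)
    return [arg for name in names for arg in ("-d", name)]


if __name__ == "__main__":
    wanted = ["srandd.com", "www.srandd.com", "api.srandd.com"]
    print("uncovered by the wildcard alone:", uncovered(["*.srandd.com"], wanted))
    print("certbot args:", " ".join(certbot_domain_args(["*.srandd.com"], wanted)))
```

Run as-is it reports that only the apex is uncovered and emits `-d *.srandd.com -d srandd.com`, i.e. the wildcard plus the explicit apex name in one certificate request.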

It is set properly, as far as I can tell.

2025-03-18 20:15:38,749:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2220083125/491774152856 HTTP/1.1" 200 392
2025-03-18 20:15:38,749:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 19 Mar 2025 01:15:38 GMT
Content-Type: application/json
Content-Length: 392
Connection: keep-alive
Boulder-Requester: 2220083125
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: bKoJVKtBbsC1iJcOnl0NZ9VDZEA0X3jdUeeS-Az_s1GRrBxeB5E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "srandd.com"
},
"status": "pending",
"expires": "2025-03-25T17:58:13Z",
"challenges": [
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2220083125/491774152856/DHZzCA",
"status": "pending",
"token": "WaovW2yw48rPBjsRSMcphB6yuyS1-Cn26qW2g3if-iw"
}
],
"wildcard": true
}
2025-03-18 20:15:38,749:DEBUG:acme.client:Storing nonce: bKoJVKtBbsC1iJcOnl0NZ9VDZEA0X3jdUeeS-Az_s1GRrBxeB5E
2025-03-18 20:15:38,750:INFO:certbot._internal.auth_handler:Performing the following challenges:
2025-03-18 20:15:38,750:INFO:certbot._internal.auth_handler:dns-01 challenge for srandd.com
2025-03-18 20:15:38,754:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2025-03-18 20:15:39,188:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=srandd.com&per_page=1 HTTP/1.1" 200 None
2025-03-18 20:15:39,392:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=com&per_page=1 HTTP/1.1" 200 None
2025-03-18 20:15:39,394:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 86, in handle_authorizations
resps = self.auth.perform(achalls)

OK, I am a dumbass. I was using the same token from a while ago; it's rolled since then. So it WAS valid, and it's the same one, but it gets changed every so often, I just found out. Rolled it and used the new one and it worked first try. Thank you for your assistance!

5 Likes
