Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: sudo certbot certonly -v --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d '*.srandd.com'
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Requesting a certificate for *.srandd.com
Performing the following challenges:
dns-01 challenge for srandd.com
Cleaning up challenges
Unable to determine zone_id for srandd.com using zone names: ['srandd.com', 'com']. Please confirm that the domain name has been entered correctly and is already associated with the supplied Cloudflare account.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginx 1.22.1
The operating system my web server runs on is (include version): debian 12
My hosting provider, if applicable, is: self hosting
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0
I don't think it's supposed to be trying to use plain 'com' for one of my zone names! I looked everywhere and I don't see what I did wrong.
This seems more like the Cloudflare DNS plugin, or even more likely the Cloudflare credentials, not being correct, or possibly the credentials not being in the location indicated (~/.secrets/cloudflare.ini).
Try sudo cat ~/.secrets/cloudflare.ini to see if you get what is expected.
I have 2 other domains set up and running fine on the same machine, all in the same account, all using the same credentials. The credentials are set to be able to alter DNS on anything in my account. It's not supposed to even try to claim 'com'; that's the really weird thing happening that I can see. I've played with it for hours now and I don't see what's wrong!
The 'com' part is probably just slightly faulty logic (finding the shortest matching label for a zone) and likely nothing to worry about. As @Bruce5051 suggests, the most likely problem is that the credentials you are using just don't have permission to query that zone, so it never matches.
Try the following with the API token you are trying to use; if it returns no results, or your zone is not listed, then it's a credentials problem:
curl "https://api.cloudflare.com/client/v4/zones" --header "Authorization: Bearer <your api token>"
[Edit: also make sure you are using the latest version of everything]
Note it is common to see each level of the domain name in the message. Don't worry about seeing ".com" by itself.
EDIT:
Also, you probably should specify the apex name along with the wildcard. It looks like you have both configured the same. A wildcard domain in a cert only covers names in the "*" position not the apex itself.
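An added example (my own code, not certbot's and not posted by anyone in this thread) that reproduces the candidate-zone walk behind the "Unable to determine zone_id" message in the original post, so a token can be tested against the same logic outside certbot. The guess list (domain, then each parent label down to the TLD) and the "first zone the token can see wins" loop follow what the certbot dns-cloudflare plugin does; the `/zones?name=` and `/user/tokens/verify` calls are Cloudflare's public v4 API. The constructed zone table, its fake zone id, and the CF_API_TOKEN environment variable are assumptions made for the example; without a token set it runs entirely offline against the constructed table.

```python
"""Reproduce the zone lookup that certbot's dns-cloudflare plugin performs.

Added example, not certbot's code. The candidate list and the lookup loop
follow the plugin's logic; the Cloudflare endpoints are the public v4 API.
The FAKE_ZONES table and its zone id are constructed for illustration.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

CF_API = "https://api.cloudflare.com/client/v4"

# A lookup function: zone name -> list of zone objects the token can see.
ZoneLister = Callable[[str], List[Dict[str, str]]]


class ZoneLookupError(Exception):
    """Raised when no candidate zone name resolves to a zone the token can see."""


def base_domain_name_guesses(domain: str) -> List[str]:
    """Candidate zone names, longest first, the way certbot builds them.

    'a.b.example.com' -> ['a.b.example.com', 'b.example.com', 'example.com', 'com']
    The trailing 'com' is simply the last guess; seeing it in the error message
    does not mean the configuration is wrong.
    """
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def find_zone_id(domain: str, list_zones_by_name: ZoneLister) -> str:
    """Return the id of the first candidate zone the token can see.

    If the token cannot see the zone (different account, zone not in the
    token's scope, or a stale token), every guess comes back empty and we
    fail with the same wording shown in the thread.
    """
    guesses = base_domain_name_guesses(domain)
    for zone_name in guesses:
        zones = list_zones_by_name(zone_name)
        if zones:
            return zones[0]["id"]
    raise ZoneLookupError(
        f"Unable to determine zone_id for {domain} using zone names: {guesses}. "
        "Please confirm that the domain name has been entered correctly and is "
        "already associated with the supplied Cloudflare account."
    )


def cloudflare_lister(token: str) -> ZoneLister:
    """Build a ZoneLister that queries the real Cloudflare API with an API token."""

    def list_zones_by_name(zone_name: str) -> List[Dict[str, str]]:
        query = urllib.parse.urlencode({"name": zone_name})
        req = urllib.request.Request(
            f"{CF_API}/zones?{query}", headers={"Authorization": f"Bearer {token}"}
        )
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = json.load(resp)
        if not body.get("success"):
            raise ZoneLookupError(f"Cloudflare API error: {body.get('errors')}")
        return body.get("result", [])

    return list_zones_by_name


def token_is_active(token: str) -> bool:
    """Check the token itself via /user/tokens/verify.

    Separates "this token value no longer exists" (e.g. it was rolled in the
    dashboard) from "this token is valid but cannot see the zone".
    """
    req = urllib.request.Request(
        f"{CF_API}/user/tokens/verify", headers={"Authorization": f"Bearer {token}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError:
        return False
    return bool(body.get("success")) and body.get("result", {}).get("status") == "active"


# Constructed, offline stand-in for the API: the only zone this "token" can see.
FAKE_ZONES: Dict[str, List[Dict[str, str]]] = {
    "srandd.com": [{"id": "fake-zone-id-for-srandd", "name": "srandd.com"}],
}


def fake_lister(zone_name: str) -> List[Dict[str, str]]:
    return FAKE_ZONES.get(zone_name, [])


def no_access_lister(zone_name: str) -> List[Dict[str, str]]:
    """What a stale or under-scoped token looks like: every query is empty."""
    return []


if __name__ == "__main__":
    token = os.environ.get("CF_API_TOKEN")  # assumed variable name for the live check
    if token:
        print("token active:", token_is_active(token))
        print("zone id:", find_zone_id("srandd.com", cloudflare_lister(token)))
    else:
        print(find_zone_id("srandd.com", fake_lister))
        try:
            find_zone_id("srandd.com", no_access_lister)
        except ZoneLookupError as err:
            print(err)
```

Run it with CF_API_TOKEN set to the token from cloudflare.ini: if token_is_active is False the value in the ini file is no longer a live token; if it is True but find_zone_id fails, the token exists but its zone scope does not include the domain.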
OK, I am a dumbass. I was using the same token from a while ago; it's been rolled since then. So it WAS valid, and it's the same one, but it gets changed every so often, I just found out. I rolled it and used the new one and it worked first try. Thank you for your assistance!