Unable to generate a wildcard certificate using cloudflare DNS Challenge

I ran this command: sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /opt/secrets/cloudflare.ini -d xd003.site -d *.xd003.site -d *.adguard.xd003.site --preferred-challenges dns-01
and got the following output:

Certbot failed to authenticate some domains (authenticator: dns-cloudflare). The Certificate Authority reported these problems:
  Domain: xd003.site
  Type:   unauthorized
  Detail: Incorrect TXT record "3yQTcOuFTEMVBnH2nXu_DQp10M_merMuiAxd-3_5oYQ" found at _acme-challenge.xd003.site

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-cloudflare. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-cloudflare-propagation-seconds (currently 10 seconds).
Some challenges have failed.

I have also confirmed that there's not really any issue on my host machine. Ports 80 and 443 are both accessible from it and no other process is utilising them. The telnet commands prove that both ports are accessible, while the empty output from ss -tulpn shows they're not being utilised by another process.

ubuntu@xd003:~$ telnet google.com 80
Trying 142.250.192.110...
Connected to google.com.
Escape character is '^]'.
^C
Connection closed by foreign host.
ubuntu@xd003:~$ telnet google.com 443
Trying 142.250.199.174...
Connected to google.com.
Escape character is '^]'.
^C
Connection closed by foreign host.
ubuntu@xd003:~$ sudo ss -tulpn | grep LISTEN | grep :80
ubuntu@xd003:~$ sudo ss -tulpn | grep LISTEN | grep :443

domain - xd003.site
root shell access available
Hosting Provider - Hostinger
certbot v2.6.0
Ubuntu 22.04.3
Logs - https://pastebin.com/raw/8WxBgFQq

Have you tried "increasing --dns-cloudflare-propagation-seconds" as mentioned in the error message?

2 Likes

I didn't really think that could have been the issue, as I have always been hearing that it's instant in Cloudflare. Using --dns-cloudflare-propagation-seconds 60 has generated the certificates successfully. Maybe there was some temporary issue at that time, who knows, but 60 seconds sounds like a safe value to me.

1 Like

My experience with Cloudflare is that while they're fast, they're sometimes not THAT fast. Especially when adding/removing a bunch of records one after another, it seems the first goes fine, but the others require some more time. Usually 30 seconds works fine for me, but for automatic runs 60 is fine too of course, no harm in that, unless you're perhaps renewing thousands of certs. :stuck_out_tongue:

3 Likes
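The failure in the original post and the advice in the replies both come down to timing: certbot's dns-cloudflare plugin publishes the _acme-challenge TXT record and then waits a fixed --dns-cloudflare-propagation-seconds before asking the CA to validate, and because xd003.site and *.xd003.site share the same _acme-challenge.xd003.site name, the CA can see the older token before the newer one has reached every Cloudflare nameserver. The script below is an added example, not certbot's own code or anything from this thread: instead of a blind sleep it polls an authoritative nameserver for the exact token until it appears, which is how you can measure how long propagation actually takes for your zone and then pick a propagation-seconds value with evidence. The resolve_txt_with_dig helper, the NEW-TOKEN-PLACEHOLDER value and the StaleThenFreshResolver simulation are constructed for the example; the stale token string is the one from the error message above.

```python
import subprocess
import sys
import time


def resolve_txt_with_dig(name, nameserver):
    """Return the TXT strings published for `name`, asked directly of one
    authoritative nameserver so a local recursive cache cannot hide a stale
    answer. Hypothetical helper: assumes `dig` is installed and reachable."""
    out = subprocess.run(
        ["dig", "+short", "TXT", name, f"@{nameserver}"],
        capture_output=True, text=True, timeout=10, check=False,
    ).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def wait_for_txt(name, expected, resolve, timeout=120, interval=5,
                 sleep=time.sleep, clock=time.monotonic):
    """Poll `resolve(name)` until `expected` is among the TXT values or
    `timeout` seconds have elapsed. Returns the number of lookups made;
    raises TimeoutError otherwise. `sleep`/`clock` are injectable so the
    polling logic can be tested without waiting or touching the network."""
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        seen = resolve(name)
        if expected in seen:
            return attempts
        if clock() >= deadline:
            raise TimeoutError(
                f"{expected!r} not visible at {name} after {timeout}s; saw {seen}")
        sleep(interval)


class StaleThenFreshResolver:
    """Constructed stand-in for a nameserver that is still serving only the
    previous token for the first `stale_rounds` lookups (the situation behind
    'Incorrect TXT record ... found'), after which both tokens are visible."""

    def __init__(self, stale, fresh, stale_rounds):
        self.stale, self.fresh, self.stale_rounds = stale, fresh, stale_rounds
        self.calls = 0

    def __call__(self, name):
        self.calls += 1
        if self.calls <= self.stale_rounds:
            return [self.stale]
        return [self.stale, self.fresh]


class FakeClock:
    """Deterministic clock: sleeping advances time instead of blocking."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(stale_rounds, timeout=120, interval=5):
    """Run wait_for_txt against the constructed resolver.
    Returns (lookups made, simulated seconds waited)."""
    clock = FakeClock()
    resolver = StaleThenFreshResolver(
        stale="3yQTcOuFTEMVBnH2nXu_DQp10M_merMuiAxd-3_5oYQ",  # token from the OP's error
        fresh="NEW-TOKEN-PLACEHOLDER",  # constructed; certbot generates the real one
        stale_rounds=stale_rounds,
    )
    attempts = wait_for_txt("_acme-challenge.xd003.site", "NEW-TOKEN-PLACEHOLDER",
                            resolver, timeout=timeout, interval=interval,
                            sleep=clock.sleep, clock=clock)
    return attempts, clock.now


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Live mode: python3 wait_txt.py _acme-challenge.example.com <token> <authoritative-ns>
        name, token, ns = sys.argv[1:]
        n = wait_for_txt(name, token, lambda q: resolve_txt_with_dig(q, ns))
        print(f"token visible after {n} lookups")
    else:
        # Offline demo: six stale answers (30 simulated seconds) before success.
        print(simulate(stale_rounds=6))
```

To use the live mode, find the zone's authoritative nameservers with dig NS xd003.site, copy the token certbot prints (or that the error message shows), and point the script at one of those nameservers rather than at a local resolver whose cache will keep returning whatever it saw first. A propagation-seconds value that comfortably exceeds the longest wait you observe, for every nameserver in the NS set, is the one to put in the renewal configuration.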