Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for *.abeja.colmena.biz
Performing the following challenges:
dns-01 challenge for abeja.colmena.biz
Starting new HTTPS connection (1): api.cloudflare.com
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.0)
[root@rojo ~]#
My web server is (include version): nginx.x86_64 1:1.20.1-10.el7 @epel
The operating system my web server runs on is (include version): CentOS 7.9
My hosting provider, if applicable, is: vpsserver
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
After following the pip instructions you posted and installing python3.6 stuff in /opt/ ...
So now this certificate will supposedly be good for e.g. https://justina.abeja.colmena.biz/ but NOT https://abeja.colmena.biz/ because I did not specifically request it for the base domain name without the wildcard.
What I obtained from Cloudflare is an Edit zone DNS API token with DNS:Edit permission on the domain "colmena.biz" -- not the Global API key which was unnecessary in this case.
[root@rojo ~]# certbot certonly -d *.abeja.colmena.biz --dns-cloudflare
/opt/certbot/lib64/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
from cryptography.hazmat.bindings.openssl.binding import Binding
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.6 support will be dropped in the next release of Certbot - please upgrade your Python version.
Requesting a certificate for *.abeja.colmena.biz
Input the path to your Cloudflare credentials INI file (Enter 'c' to cancel): /root/certbot-creds.ini
Waiting 10 seconds for DNS changes to propagate
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/abeja.colmena.biz/fullchain.pem
Key is saved at: /etc/letsencrypt/live/abeja.colmena.biz/privkey.pem
This certificate expires on 2023-02-20.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@rojo ~]#
I am using Nginx, which does not have a "nice" capability for "userpages" like Apache does, and php-fpm does not have a capability for "su-php" to lock down user permissions for scripts as far as I know, but something like this "works" for static html content on user pages with an appropriate regular expression to capture the username for a domain.
/etc/nginx/nginx.conf
    server {
        # One server block serves every user page: the named capture "abeja"
        # takes the leftmost label of the Host header and becomes the username.
        # The character class allows only letters, digits and hyphens, so the
        # captured value can contain neither "/" nor ".", and the root below
        # always stays under /home.
        server_name ~^(?<abeja>[A-Za-z0-9-]+)\.abeja\.colmena\.biz$;
        root /home/$abeja/public_html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }

        listen [::]:443 ssl http2;
        listen 443 ssl http2; # managed by Certbot
        # Wildcard certificate requested above for *.abeja.colmena.biz only;
        # it does not cover the bare abeja.colmena.biz, which the regex
        # server_name above does not match either.
        ssl_certificate /etc/letsencrypt/live/abeja.colmena.biz/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/abeja.colmena.biz/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
Also I am not finding (that does not mean it does not exist, I likely have missed something) the Authoritative Name Servers for the subdomain abeja.colmena.biz; I do find them for colmena.biz.
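To make the two points in this post concrete (the wildcard certificate does not cover the bare abeja.colmena.biz, and the server_name regex only accepts a single letters-digits-hyphens label), here is an added Python check that is not part of the original post or of Certbot/nginx: it mirrors the regex from the config above and applies RFC 6125-style wildcard matching to the certificate's one requested name. It assumes the issued certificate carries only the SAN *.abeja.colmena.biz, as requested on the command line above.

```python
import re

# Mirrors the server_name regex in the nginx config above; the named group
# "abeja" is the username that nginx substitutes into the root directive.
SERVER_NAME_RE = re.compile(r"^(?P<abeja>[A-Za-z0-9-]+)\.abeja\.colmena\.biz$")

# Assumption: the only SAN on the certificate is the one name that was requested.
CERT_SANS = ["*.abeja.colmena.biz"]


def san_covers(san: str, hostname: str) -> bool:
    """RFC 6125-style wildcard matching as browsers apply it: a '*' is only
    honoured as the entire leftmost label and stands for exactly one label.
    So *.abeja.colmena.biz covers justina.abeja.colmena.biz, but neither
    abeja.colmena.biz (zero labels) nor a.b.abeja.colmena.biz (two labels)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    san_labels = san.split(".")[1:]
    host_labels = hostname.split(".")
    return (
        len(host_labels) == len(san_labels) + 1
        and host_labels[0] != ""
        and host_labels[1:] == san_labels
    )


def route(hostname: str):
    """Return (username, document root, cert covers name) for a requested Host.
    nginx matches server_name against the lowercased Host, so lowercase first."""
    hostname = hostname.lower().rstrip(".")
    m = SERVER_NAME_RE.match(hostname)
    user = m.group("abeja") if m else None
    # The regex forbids "/" and "." in the label, so the root cannot leave /home.
    docroot = f"/home/{user}/public_html" if user else None
    covered = any(san_covers(san, hostname) for san in CERT_SANS)
    return user, docroot, covered


if __name__ == "__main__":
    for host in ["justina.abeja.colmena.biz", "abeja.colmena.biz",
                 "a.b.abeja.colmena.biz", "..abeja.colmena.biz"]:
        print(host, "->", route(host))
```

Any hostname the regex rejects is also one the certificate does not cover, and vice versa, which is exactly the single-label scope the post describes.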