Wildcard certs with certbot + cloudflare on MacOS

rohiteshd · March 28, 2024, 6:57pm

Hello,
I am trying to get certs for my subdomains, using certbot + cloudflare with dns-01 challenge, while passing the required details (API token and email id for cloudflare account)

My domain is:
*.pugme.in

I ran this command:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials <file_with_cloudflare_details> -d '*.pugme.in' --preferred-challenges dns-01

It produced this output:
certbot: error: unrecognized arguments: --dns-cloudflare-credentials <file_with_cloudflare_details>

My web server is (include version):
Running from another machine (not my webserver)

The operating system my web server runs on is (include version):
MacOS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

Bruce5051 · March 28, 2024, 7:01pm

Hello @rohiteshd, welcome to the Let's Encrypt community.

https://certbot-dns-cloudflare.readthedocs.io/en/stable/
"The plugin is not installed by default."

Have you installed the plugin?

rohiteshd · March 28, 2024, 7:09pm

Hey @Bruce5051. Thank you for the quick reply.

Following https://certbot.eff.org/instructions?ws=nginx&os=osx&tab=wildcard : Running brew install -cloudflare gave me an error : Error: ambiguous option: -cloudflare

In tried installing the plugin using : pip3 install certbot-dns-cloudflare but on running certbot plugins it is not showing cloudflare.

Bruce5051 · March 28, 2024, 7:14pm

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

jvanasco · March 28, 2024, 8:11pm

First, I'll note this older thread:

In which I link to this github issue: DNS plugin instructions are wrong for macOS · Issue #767 · certbot/website · GitHub

which features the advice of a regular contributor here – and certbot engineer – az, in which it is officially recommend by their team to not use homebrew and instead use pip.

That being, said, lets dive into the issue a bit:

I don't think there is a homebrew recipe for the cloudflare plugin. If anything it might be bew isntall certbot-dns-cloudflare but i don't see that as an option in their repository - and some github issues suggest the homebrew team was not interested in supporting the plugins for a while. I don't know what you expected to install by the above command, but cloudflare is presented as a commandline option flag (due to the leading dash) and without it, one would reasonably expect to install a general cloudflare library -- not a certbot plugin.

Potentially, pip3 is the native pip3 and Python on your mac, while certbot is the one installed by homebrew... and is using a homebrew installed version of Python.

Homebrew has changed their installation strategy a few times. Sometimes they use virtual envs, i think sometimes they use their own python, it is hard to keep up - which is why there are no support channels for it, and it is highly recommended against.

What might work is the following:

$(brew --prefix)/bin/pip3 install certbot-dns-cloudflare

What also might work, depending on your version of homebrew, are the various workarounds shared in this thread that try to leverage a prefix or virtual environment. Please note there are multiple versions because of changes to homebrew over the years, at best one will work, most likely none will work: Make all plugins available via Homebrew · Issue #5680 · certbot/certbot · GitHub

Again, I stress, don't use homebrew for this. Instead use pip with a virtual environment, either leveraging the system python on a custom installation.

linkp · March 28, 2024, 8:41pm

As much as I <3 using Homebrew on MacOS and apt on Debian, it's hard to argue with a suggestion to create your own phython venv for certbot. I set mine up to auto-update and it has been working well with no manual intervention required after I got the auto-update part worked out.

jvanasco · March 29, 2024, 6:02pm

it's hard to argue with a suggestion to create your own phython venv for certbot.

The python core team also publishes frequent updates to their macos installer - Python Releases for macOS | Python.org

Their one-click installers will "sideload" the new version onto the computer in a highly compatible way. The native system and apps will use the version distributed with the os, while users able to "switch" into using the new/specific python version via a shell preference. This can be very important for Certbot, as they are aggressively raising the minimum version of Python required to run.

The "best" way to handle this, IMHO:

Install the most modern, stable, Python from python.org [e.g. 3.12]
Update your shell to prefer that version
Invoke virtualenv (which should be the new 3.12 version, not the os version) to make a dedicated one for certbot
Install and manage certbot in that virtualenv