Wildcard certs with certbot + cloudflare on MacOS

rohiteshd · March 28, 2024, 6:57pm

Hello,
I am trying to get certs for my subdomains, using certbot + cloudflare with dns-01 challenge, while passing the required details (API token and email id for cloudflare account)

My domain is:
*.pugme.in

I ran this command:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials <file_with_cloudflare_details> -d '*.pugme.in' --preferred-challenges dns-01

It produced this output:
certbot: error: unrecognized arguments: --dns-cloudflare-credentials <file_with_cloudflare_details>

My web server is (include version):
Running from another machine (not my webserver)

The operating system my web server runs on is (include version):
MacOS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

Bruce5051 · March 28, 2024, 7:01pm

Hello @rohiteshd, welcome to the Let's Encrypt community.

https://certbot-dns-cloudflare.readthedocs.io/en/stable/
"The plugin is not installed by default."

Have you installed the plugin?

rohiteshd · March 28, 2024, 7:09pm

Hey @Bruce5051. Thank you for the quick reply.

Following https://certbot.eff.org/instructions?ws=nginx&os=osx&tab=wildcard : Running brew install -cloudflare gave me an error : Error: ambiguous option: -cloudflare

In tried installing the plugin using : pip3 install certbot-dns-cloudflare but on running certbot plugins it is not showing cloudflare.

Bruce5051 · March 28, 2024, 7:14pm

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

jvanasco · March 28, 2024, 8:11pm

First, I'll note this older thread:

In which I link to this github issue: DNS plugin instructions are wrong for macOS · Issue #767 · certbot/website · GitHub

which features the advice of a regular contributor here – and certbot engineer – az, in which it is officially recommend by their team to not use homebrew and instead use pip.

That being, said, lets dive into the issue a bit:

I don't think there is a homebrew recipe for the cloudflare plugin. If anything it might be bew isntall certbot-dns-cloudflare but i don't see that as an option in their repository - and some github issues suggest the homebrew team was not interested in supporting the plugins for a while. I don't know what you expected to install by the above command, but cloudflare is presented as a commandline option flag (due to the leading dash) and without it, one would reasonably expect to install a general cloudflare library -- not a certbot plugin.

Potentially, pip3 is the native pip3 and Python on your mac, while certbot is the one installed by homebrew... and is using a homebrew installed version of Python.

Homebrew has changed their installation strategy a few times. Sometimes they use virtual envs, i think sometimes they use their own python, it is hard to keep up - which is why there are no support channels for it, and it is highly recommended against.

What might work is the following:

$(brew --prefix)/bin/pip3 install certbot-dns-cloudflare

What also might work, depending on your version of homebrew, are the various workarounds shared in this thread that try to leverage a prefix or virtual environment. Please note there are multiple versions because of changes to homebrew over the years, at best one will work, most likely none will work: Make all plugins available via Homebrew · Issue #5680 · certbot/certbot · GitHub

Again, I stress, don't use homebrew for this. Instead use pip with a virtual environment, either leveraging the system python on a custom installation.

linkp · March 28, 2024, 8:41pm

As much as I <3 using Homebrew on MacOS and apt on Debian, it's hard to argue with a suggestion to create your own phython venv for certbot. I set mine up to auto-update and it has been working well with no manual intervention required after I got the auto-update part worked out.

jvanasco · March 29, 2024, 6:02pm

it's hard to argue with a suggestion to create your own phython venv for certbot.

The python core team also publishes frequent updates to their macos installer - Python Releases for macOS | Python.org

Their one-click installers will "sideload" the new version onto the computer in a highly compatible way. The native system and apps will use the version distributed with the os, while users able to "switch" into using the new/specific python version via a shell preference. This can be very important for Certbot, as they are aggressively raising the minimum version of Python required to run.

The "best" way to handle this, IMHO:

Install the most modern, stable, Python from python.org [e.g. 3.12]
Update your shell to prefer that version
Invoke virtualenv (which should be the new 3.12 version, not the os version) to make a dedicated one for certbot
Install and manage certbot in that virtualenv

system · April 28, 2024, 6:03pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Command arguments issue with certbot-cloudflare-dns Help	3	333	February 13, 2024
Unable to generate a wildcard certificate using cloudflare DNS Challenge Help	4	2979	October 18, 2023
Let's make Let's Encrypt work with Cloudflare Help	36	6620	February 10, 2021
CerTbot Cloudflare “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.” Help	5	939	May 27, 2020
Certbot with Nginx and cloudflare DNS plugin (also doc issue) Server	3	4967	January 26, 2019

Wildcard certs with certbot + cloudflare on MacOS

Related topics