OPNsense Forum

English Forums => 24.1 Production Series => Topic started by: DenverTech on March 11, 2024, 06:45:16 pm

Title: ACME client issues w/Cloudflare
Post by: DenverTech on March 11, 2024, 06:45:16 pm
I've seen and read many posts about issues with Cloudflare, but have been using it without issue for about 1-2 years, using the generated API keys from CF. I use a wildcard domain and all renewals worked from 2022 until about 70 days ago. Then, mysteriously, they stopped working with the errors below. Hoping someone has some ideas on this as I've been beating my head against it for days.

Issue:

Tested:

Code:
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Please add '--debug' or '--log' to check more details.
Error add txt for domain:_acme-challenge.somedomain.com
invalid domain
Adding txt value: <somestring> for domain: _acme-challenge.somedomain.com
Getting webroot for domain='*.somedomain.com'
Getting domain auth token for each domain
Single domain='*.somedomain.com'
Using CA: https://acme-v02.api.letsencrypt.org/directory
Title: Re: ACME client issues w/Cloudflare
Post by: Monviech on March 11, 2024, 09:39:51 pm
As a sanity check you could try getting the wildcard cert from Cloudflare with the plugin in my signature. It has the Cloudflare DNS provider and DNS-01 challenge built in. It uses libdns and this provider https://github.com/caddy-dns/cloudflare
Title: Re: ACME client issues w/Cloudflare
Post by: DenverTech on March 12, 2024, 02:46:54 am
I really don't want to learn Caddy to fix an issue that just cropped up with the built-in system. I'll consider that a last resort.

Side-note...tested again using the global API key. Also says the domain is invalid.
Title: Re: ACME client issues w/Cloudflare
Post by: DenverTech on March 12, 2024, 03:38:55 am
Lacking other options, I did try the Caddy plugin. No luck...but different results.

Example: it's set up with some.sitename.com pointing to handler 192.168.0.1, port 1111. I go to some.sitename.com:443 and it gives me a secure blank page. It does not forward to 192.168.0.1:1111 at all.

Progress, maybe? Still would love to know why the built-in plugin isn't working, but no one seems to want to talk about it, judging by the other threads about this. :)
Title: Re: ACME client issues w/Cloudflare
Post by: Monviech on March 12, 2024, 05:54:13 am
Well I guess that means it is possible for you to get Let's Encrypt Certificates with TXT Records of Cloudflare. Right? So that means your API Token and the API of Cloudflare works as expected, and the issue has to be somewhere with the ACME Plugin implementation of it?
Title: Re: ACME client issues w/Cloudflare
Post by: DenverTech on March 12, 2024, 06:07:00 am
Does seem to be the case! I definitely didn't mean to break the acme plugin. :D
Title: Re: ACME client issues w/Cloudflare
Post by: Monviech on March 12, 2024, 06:13:09 am
If you have logs of the ACME plugin, you could open an issue on GitHub; maybe there's a fix for it upstream that can be implemented? https://github.com/opnsense/plugins

Sadly I don't know much about how the ACME plugin works.
Title: Re: ACME client issues w/Cloudflare
Post by: rdunkle84 on March 12, 2024, 05:06:46 pm
I noticed that when creating the cloudflare api token, Acme required:
Zone Resources set: Include | All zones.   This appears to be the problem.
To sum it up:
Zone | DNS | Edit
Zone Resources | Include | All Zones
Client IP (not using this field)
TTL | set a valid date range
This appears to work OK.
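The "invalid domain" error in the first post and the token scoping in the post above meet at the same step: before it adds the TXT record, acme.sh's Cloudflare hook (dns_cf.sh) looks up the zone by asking the API for each suffix of the challenge name until one comes back as a zone, and reports "invalid domain" when the token cannot see any of them. The script below, added here as an example and not code from acme.sh or the OPNsense plugin, reproduces that lookup with the same token outside the plugin so the token and its zone scope can be checked directly. It uses the Cloudflare API v4 endpoints /user/tokens/verify and /zones?name=; the helper names, the CF_Token environment variable borrowed from acme.sh's convention, and the stub zone list used for the offline check are assumptions of this example.

```python
"""Check a Cloudflare API token the way acme.sh's dns_cf.sh uses it.

Added example, not code from acme.sh or the OPNsense ACME plugin.  The
Cloudflare API v4 endpoints are real; helper names, the CF_Token variable
name and the stub zone list are assumptions made for this example."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def _cf_get(token, path):
    """GET an API v4 path with a Bearer API token and return the JSON body.
    Cloudflare answers 4xx with a JSON body too, so that is returned as well."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def verify_token(token):
    """True when the API reports the token as active (wrong/expired tokens fail here,
    long before any zone lookup)."""
    body = _cf_get(token, "/user/tokens/verify")
    return bool(body.get("success")) and body.get("result", {}).get("status") == "active"


def cloudflare_zone_lister(token):
    """Return a function name -> [zone names] using the live API; a token whose
    Zone Resources exclude the zone gets an empty result for it."""
    def list_zones(name):
        body = _cf_get(token, "/zones?" + urllib.parse.urlencode({"name": name}))
        if not body.get("success"):
            raise RuntimeError("zones lookup failed: %s" % body.get("errors"))
        return [z["name"] for z in body["result"]]
    return list_zones


def stub_lister(visible):
    """Offline stand-in for cloudflare_zone_lister: `visible` is a constructed
    set of zone names the pretend token is allowed to see."""
    def list_zones(name):
        return [name] if name in visible else []
    return list_zones


def challenge_name(domain):
    """TXT record name acme.sh creates for a domain: a leading '*.' is dropped and
    _acme-challenge. is prepended (*.somedomain.com -> _acme-challenge.somedomain.com)."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain


def find_zone(fqdn, list_zones):
    """Walk the challenge name from most to least specific, as dns_cf.sh's _get_root
    does: _acme-challenge.www.example.com -> www.example.com -> example.com -> com.
    Returns (zone, relative record name) for the first suffix the API returns as a
    zone, or None when no suffix is visible, which acme.sh reports as "invalid domain"."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in list_zones(candidate):
            return candidate, ".".join(labels[:i]) or "@"
    return None


if __name__ == "__main__":
    token = os.environ.get("CF_Token")
    if not token or len(sys.argv) != 2:
        sys.exit("usage: CF_Token=<api token> %s '*.somedomain.com'" % sys.argv[0])
    print("token active:", verify_token(token))
    name = challenge_name(sys.argv[1])
    found = find_zone(name, cloudflare_zone_lister(token))
    print(name, "->", found or "no visible zone (acme.sh would say: invalid domain)")
```

Run it with the exact token configured in the ACME plugin. If the token verifies as active but the zone walk finds nothing, the token's Zone Resources (or the zone itself) is the problem; if the walk finds the zone here, the API side is fine and the fault is inside the plugin, which is the conclusion the thread reaches with the Caddy test.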
Title: Re: ACME client issues w/Cloudflare
Post by: DenverTech on March 12, 2024, 09:16:41 pm
Quote from: rdunkle84 on March 12, 2024, 05:06:46 pm
    I noticed that when creating the cloudflare api token, Acme required:
    Zone Resources set: Include | All zones.   This appears to be the problem.
    To sum it up:
    Zone | DNS | Edit
    Zone Resources | Include | All Zones
    Client IP (not using this field)
    TTL | set a valid date range
    This appears to work OK.

Tried this. Still says the domain is invalid. I've got all zones allowed and a TTL, as well as the edit permissions.
Title: Re: ACME client issues w/Cloudflare
Post by: opnsenseuser on March 25, 2024, 07:28:52 am
I'm using Cloudflare too.
After the latest update OPNsense 24.1.4 i get a validation failed error.