OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: Kieeps on June 06, 2021, 09:42:43 AM

Title: LetsEncrypt fails, running out of time
Post by: Kieeps on June 06, 2021, 09:42:43 AM
I had this problem a while ago where updating certs gave an error, but it was fixable by restarting the acme plugin. Now I get errors again for some reason, and this time it wasn't as easy to fix.

This is what I noticed in the logs:
2021-06-06T00:06:34 acme.sh[64775] ] Please check log file for more details: /var/log/acme.sh.log
2021-06-06T00:06:34 acme.sh[25970] ] Error add txt for domain:_acme-challenge.test.kieeps.com
2021-06-06T00:06:34 acme.sh[25810] ] invalid domain
2021-06-06T00:06:30 acme.sh[92861] ] Adding txt value: iHKzdf4agek_fsKB1Eadhw85eE6-0RiWUY8lwdn1yss for domain: _acme-challenge.test.kieeps.com
2021-06-06T00:06:30 acme.sh[60519] ] Getting webroot for domain='test.kieeps.com'
2021-06-06T00:06:27 acme.sh[86742] ] Getting domain auth token for each domain
2021-06-06T00:06:27 acme.sh[35025] ] Single domain='test.kieeps.com'
2021-06-06T00:06:27 acme.sh[82914] ] Using CA: https://acme-v02.api.letsencrypt.org/directory


And if I force the update I get this:
2021-06-06T09:25:15 acme.sh[28153] ] Please check log file for more details: /var/log/acme.sh.log
2021-06-06T09:25:15 acme.sh[77405] ] Error, can not get domain token entry test.kieeps.com for dns-01
2021-06-06T09:25:15 acme.sh[26529] ] The new-authz request is ok.
2021-06-06T09:25:14 acme.sh[5930] ] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
2021-06-06T09:25:11 acme.sh[70692] ] Getting new-authz for domain='test.kieeps.com'
2021-06-06T09:25:11 acme.sh[24216] ] Getting webroot for domain='test.kieeps.com'
2021-06-06T09:25:11 acme.sh[18035] ] Getting domain auth token for each domain
2021-06-06T09:25:11 acme.sh[74817] ] Single domain='test.kieeps.com'
2021-06-06T09:25:11 acme.sh[14721] ] Using CA: https://acme-v02.api.letsencrypt.org/directory
2021-06-06T09:25:11 acme.sh[93510] ] Can not init api.
2021-06-06T09:25:11 acme.sh[72878] ] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7


And this is the content of /var/log/acme.sh.log:
[Sun Jun  6 09:23:55 CEST 2021] Using config home:/var/etc/acme-client/home
[Sun Jun  6 09:23:55 CEST 2021] Running cmd: issue
[Sun Jun  6 09:23:55 CEST 2021] _main_domain='test.kieeps.com'
[Sun Jun  6 09:23:55 CEST 2021] _alt_domains='no'
[Sun Jun  6 09:23:55 CEST 2021] Using config home:/var/etc/acme-client/home
[Sun Jun  6 09:23:55 CEST 2021] default_acme_server
[Sun Jun  6 09:23:55 CEST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun Jun  6 09:23:55 CEST 2021] DOMAIN_PATH='/var/etc/acme-client/home/test.kieeps.com'
[Sun Jun  6 09:23:55 CEST 2021] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Sun Jun  6 09:23:55 CEST 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sun Jun  6 09:23:55 CEST 2021] GET
[Sun Jun  6 09:23:55 CEST 2021] url='https://acme-v02.api.letsencrypt.org/directory'
[Sun Jun  6 09:23:55 CEST 2021] timeout=
[Sun Jun  6 09:23:55 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
[Sun Jun  6 09:25:11 CEST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
[Sun Jun  6 09:25:11 CEST 2021] ret='7'
[Sun Jun  6 09:25:11 CEST 2021] Can not init api.
[Sun Jun  6 09:25:11 CEST 2021] Le_NextRenewTime
[Sun Jun  6 09:25:11 CEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Jun  6 09:25:11 CEST 2021] _on_before_issue
[Sun Jun  6 09:25:11 CEST 2021] _chk_main_domain='test.kieeps.com'
[Sun Jun  6 09:25:11 CEST 2021] _chk_alt_domains
[Sun Jun  6 09:25:11 CEST 2021] Le_LocalAddress
[Sun Jun  6 09:25:11 CEST 2021] d='test.kieeps.com'
[Sun Jun  6 09:25:11 CEST 2021] Check for domain='test.kieeps.com'
[Sun Jun  6 09:25:11 CEST 2021] _currentRoot='dns_cf'
[Sun Jun  6 09:25:11 CEST 2021] d
[Sun Jun  6 09:25:11 CEST 2021] _saved_account_key_hash is not changed, skip register account.
[Sun Jun  6 09:25:11 CEST 2021] Read key length:4096
[Sun Jun  6 09:25:11 CEST 2021] _createcsr
[Sun Jun  6 09:25:11 CEST 2021] Single domain='test.kieeps.com'
[Sun Jun  6 09:25:11 CEST 2021] Getting domain auth token for each domain
[Sun Jun  6 09:25:11 CEST 2021] d='test.kieeps.com'
[Sun Jun  6 09:25:11 CEST 2021] Getting webroot for domain='test.kieeps.com'
[Sun Jun  6 09:25:11 CEST 2021] _w='dns_cf'
[Sun Jun  6 09:25:11 CEST 2021] _currentRoot='dns_cf'
[Sun Jun  6 09:25:11 CEST 2021] Getting new-authz for domain='test.kieeps.com'
[Sun Jun  6 09:25:11 CEST 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sun Jun  6 09:25:11 CEST 2021] GET
[Sun Jun  6 09:25:11 CEST 2021] url='https://acme-v02.api.letsencrypt.org/directory'
[Sun Jun  6 09:25:11 CEST 2021] timeout=
[Sun Jun  6 09:25:11 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
[Sun Jun  6 09:25:12 CEST 2021] ret='0'
[Sun Jun  6 09:25:12 CEST 2021] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sun Jun  6 09:25:12 CEST 2021] ACME_NEW_AUTHZ
[Sun Jun  6 09:25:12 CEST 2021] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Jun  6 09:25:12 CEST 2021] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sun Jun  6 09:25:12 CEST 2021] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sun Jun  6 09:25:12 CEST 2021] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Sun Jun  6 09:25:12 CEST 2021] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Jun  6 09:25:12 CEST 2021] ACME_VERSION='2'
[Sun Jun  6 09:25:12 CEST 2021] Try new-authz for the 0 time.
[Sun Jun  6 09:25:12 CEST 2021] url
[Sun Jun  6 09:25:12 CEST 2021] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "test.kieeps.com"}}'
[Sun Jun  6 09:25:12 CEST 2021] RSA key
[Sun Jun  6 09:25:13 CEST 2021] HEAD
[Sun Jun  6 09:25:13 CEST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Jun  6 09:25:13 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  -I  '
[Sun Jun  6 09:25:14 CEST 2021] _ret='0'
[Sun Jun  6 09:25:14 CEST 2021] POST
[Sun Jun  6 09:25:14 CEST 2021] _post_url
[Sun Jun  6 09:25:14 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
[Sun Jun  6 09:25:14 CEST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Sun Jun  6 09:25:14 CEST 2021] _ret='3'
[Sun Jun  6 09:25:14 CEST 2021] code
[Sun Jun  6 09:25:14 CEST 2021] The new-authz request is ok.
[Sun Jun  6 09:25:15 CEST 2021] entry
[Sun Jun  6 09:25:15 CEST 2021] Not a wildcard domain, lets check whether the validation is already valid.
[Sun Jun  6 09:25:15 CEST 2021] Error, can not get domain token entry test.kieeps.com for dns-01
[Sun Jun  6 09:25:15 CEST 2021] pid
[Sun Jun  6 09:25:15 CEST 2021] No need to restore nginx, skip.
[Sun Jun  6 09:25:15 CEST 2021] _clearupdns
[Sun Jun  6 09:25:15 CEST 2021] dns_entries
[Sun Jun  6 09:25:15 CEST 2021] skip dns.
[Sun Jun  6 09:25:15 CEST 2021] _on_issue_err
[Sun Jun  6 09:25:15 CEST 2021] Please check log file for more details: /var/log/acme.sh.log


I'm using Cloudflare DNS verification, and as of now I use the Global API just to make sure it's not an API permission error.

Did Cloudflare change something, or did acme.sh break?
Title: Re: LetsEncrypt fails, running out of time
Post by: Kieeps on June 06, 2021, 10:40:08 AM
UPDATE: I have a remote site with the same Let's Encrypt setup against the same Cloudflare account, so it's not a Cloudflare issue; it must be something in the system.
Title: Re: LetsEncrypt fails, running out of time
Post by: Kieeps on June 07, 2021, 09:17:08 AM
Just wanted to throw in an update: I noticed that every time I disabled WireGuard the cert updated as normal. I've gone through all the rules that route through WireGuard but can't find why any of them would route the firewall through any of the WireGuard gateways... but a floating rule that lets "this firewall" pass to "any" solved the issue...

Guess I've got some rule-table cleaning to do :D
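As an added example (not code from the thread, from acme.sh or from the OPNsense acme plugin), here is a small Python triage script for acme.sh logs like the ones in the first post. It decodes the libcurl exit codes acme.sh reports ("... for error code: N") and applies the ordering lesson of this thread: a network-level code at the first "_init api" (7, CURLE_COULDNT_CONNECT, in the log above) means the firewall itself never reached the ACME directory, and the later error 3 (the new-authz POST went out with an empty URL) and "can not get domain token entry" follow from that, so the firewall's own egress path (here, rules pushing self-originated traffic into a WireGuard gateway) is what to check before touching the Cloudflare credentials. The verdict names, the advice text and the `newest_first` parameter are this example's own; the sample log text is constructed from lines quoted in the posts.

```python
"""Triage an acme.sh log for the failure pattern seen in this thread.

Added example; not code from acme.sh or the OPNsense acme plugin.
Sample log text below is constructed from lines quoted in the posts.
"""
import re
from typing import Dict, List, Optional

# Subset of libcurl exit codes, per https://curl.haxx.se/libcurl/c/libcurl-errors.html
CURL_CODES: Dict[int, str] = {
    3: "CURLE_URL_MALFORMAT: empty or malformed URL",
    6: "CURLE_COULDNT_RESOLVE_HOST: DNS lookup of the API host failed",
    7: "CURLE_COULDNT_CONNECT: TCP connect to the API host failed",
    28: "CURLE_OPERATION_TIMEDOUT: connect or transfer timed out",
    35: "CURLE_SSL_CONNECT_ERROR: TLS handshake failed",
    60: "CURLE_PEER_FAILED_VERIFICATION: server certificate not trusted",
}
# Codes meaning no HTTP answer was ever received: a path/egress problem, not an API one.
NETWORK_CODES = {6, 7, 28, 35}

CURL_RE = re.compile(r"libcurl-errors\.html for error code: (\d+)")


def describe(code: int) -> str:
    """Human-readable name for a curl exit code."""
    return CURL_CODES.get(code, "unknown libcurl error code")


def triage(log_text: str, newest_first: bool = False) -> dict:
    """Classify one acme.sh run. newest_first=True for the OPNsense GUI log,
    which is displayed newest line first; /var/log/acme.sh.log is chronological."""
    lines = log_text.splitlines()
    if newest_first:
        lines.reverse()

    codes: List[int] = []
    first_network: Optional[int] = None
    init_failed = hook_failed = False
    for line in lines:
        m = CURL_RE.search(line)
        if m:
            code = int(m.group(1))
            codes.append(code)
            if first_network is None and code in NETWORK_CODES:
                first_network = code
        if "Can not init api" in line:
            init_failed = True
        # dns_cf hook failures as they appear in the thread's first snippet
        if "Error add txt" in line or "invalid domain" in line:
            hook_failed = True

    # Everything logged after the first connection failure is a consequence of it:
    # in the thread, the failed _init api left the new-authz URL empty, hence curl 3.
    cascade = codes[codes.index(first_network) + 1:] if first_network is not None else []

    if init_failed or first_network is not None:
        verdict, advice = "egress", ("the firewall itself could not connect to the ACME "
            "directory; check its default route and policy-routing rules (VPN gateways) first")
    elif hook_failed:
        verdict, advice = "dns_hook", ("ACME API reachable but the DNS-01 hook failed; "
            "check DNS provider credentials/zone and the hook's own outbound call")
    elif codes:
        verdict, advice = "curl", "; ".join(describe(c) for c in codes)
    else:
        verdict, advice = "unknown", "no recognised failure signature in this log"

    return {"curl_codes": codes, "first_network_error": first_network, "cascade": cascade,
            "init_failed": init_failed, "hook_failed": hook_failed,
            "verdict": verdict, "advice": advice}


# Constructed from /var/log/acme.sh.log lines in the first post (chronological).
SAMPLE_ACME_LOG = """\
[Sun Jun  6 09:23:55 CEST 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sun Jun  6 09:25:11 CEST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
[Sun Jun  6 09:25:11 CEST 2021] Can not init api.
[Sun Jun  6 09:25:11 CEST 2021] Getting new-authz for domain='test.kieeps.com'
[Sun Jun  6 09:25:14 CEST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Sun Jun  6 09:25:15 CEST 2021] Error, can not get domain token entry test.kieeps.com for dns-01
"""

# Constructed from the GUI log in the first post (newest line first, as displayed).
SAMPLE_GUI_LOG = """\
2021-06-06T00:06:34 acme.sh[25970] ] Error add txt for domain:_acme-challenge.test.kieeps.com
2021-06-06T00:06:34 acme.sh[25810] ] invalid domain
2021-06-06T00:06:30 acme.sh[92861] ] Adding txt value: iHKzdf4agek_fsKB1Eadhw85eE6-0RiWUY8lwdn1yss for domain: _acme-challenge.test.kieeps.com
2021-06-06T00:06:27 acme.sh[82914] ] Using CA: https://acme-v02.api.letsencrypt.org/directory
"""

if __name__ == "__main__":
    for name, text, newest in (("acme.sh.log", SAMPLE_ACME_LOG, False), ("gui", SAMPLE_GUI_LOG, True)):
        r = triage(text, newest_first=newest)
        print(f"{name}: verdict={r['verdict']} codes={r['curl_codes']} -> {r['advice']}")
```

On the real box, confirming an "egress" verdict is a one-liner from the firewall shell: curl -sS -o /dev/null -w '%{http_code}\n' https://acme-v02.api.letsencrypt.org/directory should print 200; if it fails while WireGuard is up and succeeds once the suspect rule is disabled or a "this firewall" to "any" floating pass rule is in place, that is the same finding as the last post.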