24.1 Production Series / ACME client issues w/Cloudflare
« on: March 11, 2024, 06:45:16 pm »
I've seen and read many posts about issues with Cloudflare, but have been using it without issue for about 1-2 years, using the generated API keys from CF. I use a wildcard domain and all renewals worked from 2022 until about 70 days ago. Then, mysteriously, they stopped working with the errors below. Hoping someone has some ideas on this as I've been beating my head against it for days.
Issue:
- Starting about 70 days ago, the renewals began failing with "invalid domain" and "Error add txt for domain"
- In the past, others have fixed this with updates (I'm current on both OPNsense and plugins) or new API keys (tried that)
- Rebuilt all stages of the cert and issue persists
- Tried with a single subdomain and issue persists
Tested:
- Recreated the verification challenge, as that's where it's failing. Same errors.
- Verified/recreated the API key permissions in case something changed on CF's end. Same errors.
- Switched to a single subdomain, rather than wildcard. Same errors.
- Recreated all stages of the request. Same errors.
- Created a new API key with correct permissions. Same errors.
- Contacted Cloudflare. They blame OPNsense, because of course they do.
- NOTE: The API key does have zone read and dns edit permissions
Code:
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Please add '--debug' or '--log' to check more details.
Error add txt for domain:_acme-challenge.somedomain.com
invalid domain
Adding txt value: <somestring> for domain: _acme-challenge.somedomain.com
Getting webroot for domain='*.somedomain.com'
Getting domain auth token for each domain
Single domain='*.somedomain.com'
Using CA: https://acme-v02.api.letsencrypt.org/directory
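The "invalid domain" line in that log is what acme.sh's Cloudflare DNS hook prints when it cannot find a zone for the record name: it strips labels from the left of _acme-challenge.somedomain.com and asks the Cloudflare API for a zone with each remaining suffix, and gives up when none is visible to the token. The following is an added diagnostic (my own code, not acme.sh's or OPNsense's) that reproduces that suffix walk, either offline against a constructed zone list or against the real Cloudflare zones endpoint with a token from the CF_TOKEN environment variable, so you can see which step fails for a given token:

```python
"""Reproduce acme.sh's Cloudflare zone lookup to see why it reports 'invalid domain'."""
import json
import os
import sys
import urllib.parse
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"  # Cloudflare's public v4 API base URL


def cloudflare_zone_lookup(token):
    """Build lookup(name) -> zone names this API token can see for exactly 'name'."""
    def lookup(name):
        url = f"{CF_API}/zones?{urllib.parse.urlencode({'name': name})}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = json.load(resp)
        if not body.get("success"):
            # A token without Zone:Read on this zone, or a revoked token, fails here.
            raise RuntimeError(f"Cloudflare rejected the request: {body.get('errors')}")
        return [z["name"] for z in body.get("result", [])]
    return lookup


def find_zone_root(fulldomain, lookup):
    """Walk the suffixes of fulldomain, as the acme.sh hook does, until one is a zone.

    Returns (zone, record_prefix, tried). zone is None when no suffix matched, which
    is the case acme.sh reports as 'invalid domain' (my reading of the hook's logic).
    """
    labels = fulldomain.split(".")
    tried = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        tried.append(candidate)
        if candidate in lookup(candidate):
            return candidate, ".".join(labels[:i]), tried
    return None, None, tried


def constructed_lookup(visible_zones):
    """Offline stand-in for the API: a token that can see exactly these zones (constructed)."""
    return lambda name: [name] if name in visible_zones else []


if __name__ == "__main__":
    # Usage: CF_TOKEN=<api token> python cf_zone_check.py _acme-challenge.somedomain.com
    zone, prefix, tried = find_zone_root(sys.argv[1], cloudflare_zone_lookup(os.environ["CF_TOKEN"]))
    if zone:
        print(f"zone {zone} is visible; the TXT record would be {prefix}.{zone}")
    else:
        print("no zone matched (acme.sh would print 'invalid domain'); tried:", ", ".join(tried))
```

If the real lookup finds no zone while the zone exists in the Cloudflare dashboard, the token's zone scope (or the account it belongs to) is the thing to compare, since the walk never reaches the TXT-record step.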