Topic: Wildcard Let's Encrypt on Cloudflare suddenly failing (Read 4553 times)
tre4bax (Full Member, Posts: 151, Karma: 4)
Wildcard Let's Encrypt on Cloudflare suddenly failing
« on: May 03, 2020, 01:05:48 pm »
This morning my router did not want to let me in because the certificate has expired and I had to use the emergency override to get access to the menus.
I assumed the script had failed, ran it manually, and the challenge that keeps coming up is
Error add txt for domain:_acme-challenge.mydomain.com
Problem I have is finding anything about this in the documentation. If you create this with CertBot the content for the TXT field is given to you, however I cannot find any note of it in the ACME plugin. My suspicion is that this is because the script should do this for you, and mine somehow does not get correct access to Cloudflare any more. I re-set up the access to Cloudflare just to make sure, however I am still getting the same issue.
Has something changed in recent versions, or has anybody had similar with cloudflare? Any clues that might help me get this working again would be really helpful.
cmdr.adama (Jr. Member, Posts: 61, Karma: 3)
Re: Wildcard Let's Encrypt on Cloudflare suddenly failing
« Reply #1 on: May 03, 2020, 02:28:36 pm »
I'm getting the exact same thing and inconveniently today is the day that my cert expired....
I have gone to renew it and it failed every time... Recreated it completely, seemed like it worked for a bit then broke again...
Let's Encrypt shows the renewal as pending however I am also seeing the exact same with the logs.
Have tried the global API as well as the restricted API same result.
Further scouring through the logs and the API calls suggests it's all good and well up to the API post to
https://acme-v02.api.letsencrypt.org/acme/chall-v3/**********
Interestingly at that point I have a line with "payload='{}'"
« Last Edit: May 03, 2020, 03:20:33 pm by cmdr.adama »
tre4bax (Full Member, Posts: 151, Karma: 4)
Re: Wildcard Let's Encrypt on Cloudflare suddenly failing
« Reply #2 on: May 03, 2020, 04:05:16 pm »
Has that feel that something has changed somewhere, doesn't it :-(
Might be that ACME needs updating, I did try doing updates in case there was one there, alas there was not.
cmdr.adama (Jr. Member, Posts: 61, Karma: 3)
Re: Wildcard Let's Encrypt on Cloudflare suddenly failing
« Reply #3 on: May 03, 2020, 04:18:38 pm »
There are no real changes to the plugin on GitHub since 1.31 came out. Doesn't mean something hasn't changed with LE or Cloudflare.
« Last Edit: May 03, 2020, 04:25:07 pm by cmdr.adama »
cmdr.adama (Jr. Member, Posts: 61, Karma: 3)
Re: Wildcard Let's Encrypt on Cloudflare suddenly failing
« Reply #4 on: May 03, 2020, 05:37:06 pm »
Did a manual acme.sh update... That seemed to work fine, however it's going to be messy to try and link the cert up to the GUI and HAProxy... not to mention it being saved in the wrong place.
I think we'll need the plugin to be updated as well... Going to do a reboot to see if that'll have any effect.
« Last Edit: May 03, 2020, 05:42:10 pm by cmdr.adama »
tre4bax (Full Member, Posts: 151, Karma: 4)
Re: Wildcard Let's Encrypt on Cloudflare suddenly failing
« Reply #5 on: May 03, 2020, 05:46:10 pm »
Interesting to know. I might move to an internal certificate for now until an update happens. Not leaving the home network (or this chair) for some reason right now anyway ;-)
cmdr.adama (Jr. Member, Posts: 61, Karma: 3)
Re: Wildcard Let's Encrypt on Cloudflare suddenly failing
« Reply #6 on: May 03, 2020, 06:10:11 pm »
Was getting hard for me to troubleshoot too as I keep running into the LE rate limit... So it's likely that with the acme.sh update the plugin could be working again.
cmdr.adama (Jr. Member, Posts: 61, Karma: 3)
Re: Wildcard Let's Encrypt on Cloudflare suddenly failing
« Reply #7 on: May 04, 2020, 01:48:57 am »
Ok so... That was easier than I had expected but still a screw around.
I have managed to get it working...
Firstly, run the below as root:
acme.sh --renew -d domain.com -d *.domain.com --dns dns_cf --home /var/etc/acme-client --force
Add the TXT records as required and run the command again.
Then navigate to your domain root /var/etc/acme-client/home/domain.com
and copy the .cer and .key.
Go to System > Trust > Certificates and click Add.
Choose Import, set a name, paste the cert data and the key data, then save.
The Web GUI now has that cert...
Fingers crossed the plugin doesn't try and renew it and break it...
« Last Edit: May 04, 2020, 02:00:37 am by cmdr.adama »
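A pre-import check for the manual procedure in Reply #7, added here as an example script that is not part of the thread or of the OPNsense ACME plugin: before pasting the .cer and .key into System > Trust > Certificates, confirm the key actually belongs to the certificate, the certificate is not about to expire (the lockout that started this thread), and its SANs cover both the apex name and the wildcard. It assumes OpenSSL 1.1.1 or later on PATH; the domain and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the OPNsense ACME plugin): sanity checks
# to run on an acme.sh-issued .cer/.key pair before importing it into the GUI.
# Assumes OpenSSL 1.1.1+ on PATH; the paths passed in are placeholders.

# 0 if the certificate's SubjectPublicKeyInfo equals the private key's public part.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# 0 if the certificate is still valid in $2 days (-checkend takes seconds).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if subjectAltName contains exactly "DNS:$2" (-F keeps the wildcard '*' literal).
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Runs all checks in order; a non-zero return means "do not replace the GUI cert".
#   $1 cert file, $2 key file, $3 apex domain, $4 minimum days of validity (default 7)
precheck_acme_cert() {
  cer=$1; key=$2; domain=$3; min_days=${4:-7}
  cert_matches_key "$cer" "$key" \
    || { echo "FAIL: $key does not match $cer" >&2; return 1; }
  cert_valid_for_days "$cer" "$min_days" \
    || { echo "FAIL: $cer expires within $min_days days" >&2; return 2; }
  cert_has_san "$cer" "$domain" && cert_has_san "$cer" "*.$domain" \
    || { echo "FAIL: $cer does not cover $domain and *.$domain" >&2; return 3; }
  echo "OK: $cer covers $domain and *.$domain, matches $key, valid > $min_days days"
}

# Usage with the layout from Reply #7 (placeholder domain):
#   precheck_acme_cert /var/etc/acme-client/home/domain.com/domain.com.cer \
#                      /var/etc/acme-client/home/domain.com/domain.com.key domain.com 7
```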
Szeraax (Newbie, Posts: 12, Karma: 0)
Re: Wildcard Let's Encrypt on Cloudflare suddenly failing
« Reply #8 on: May 05, 2020, 07:05:59 pm »
I ran into issues with LE certs not getting auto-renewed and making me revert to the emergency admin UI a time or two. Decided to run a single cert just for the admin UI and then other certs for the other stuff. While the second one has broken a few times (typically due to me making address changes on my DNS records), my admin UI always gets its cert.