ACME LetsEncrypt + Cloudflare

Started by skydiver, August 11, 2023, 01:58:09 AM

August 11, 2023, 01:58:09 AM Last Edit: August 11, 2023, 02:00:15 AM by skydiver
I cannot seem to be able to get the ACME script Let's Encrypt DNS-01 method to work.
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] Error add txt for domain:_acme-challenge.mydomain.com
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] invalid domain
2023-08-10T00:00:01-05:00 acme.sh [Thu Aug 10 00:00:01 CDT 2023] Adding txt value: 5Kp3S8Hg-------------------------h8cVZ_3CU0 for domain: _acme-challenge.mydomain.com
2023-08-10T00:00:01-05:00 acme.sh [Thu Aug 10 00:00:01 CDT 2023] Getting webroot for domain='*.mydomain.com'
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Getting domain auth token for each domain
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Single domain='*.mydomain.com'
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory


I don't know if I have entered my Cloudflare credentials in the correct slots in the OPNsense config.

I have mapped the credentials in my Cloudflare account as outlined in the attached image.

I would like to know if I am mapping the credentials correctly. Also, there is a line in the ACME logs:
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] Please add '--debug' or '--log' to check more details.

How do I add this to get more detailed logs?


Looking for ANYONE with experience setting up ACME with Cloudflare, c'mon y'all... share your experience and knowledge with a fellow OPNsenser.


Hi Skydiver,

It's been a long time since I set this up myself, but I'll try and offer what help I can.

What I can tell you based on your picture is that my config looks a little different: under the Global API Key section it's empty, and I've only got config under the "Restricted API Token" section. I've attached a picture to show this.

I looked in my Cloudflare setup page and it looks as if the "CF Account ID" field is populated with the number that appears on the specific DNS domain dashboard page on Cloudflare, down the right-hand side.

I've also created a single restricted API token under the API section, which is in "Profile" on Cloudflare, which looks like the attached pictures.

Essentially my token has zone read and zone DNS Edit rights.

This has worked pretty flawlessly for me, other than the one problem I had, which turned out to be because the IP address I was accessing from changed from IPv4 to IPv6, so it was refusing access to the API because I'd used a client IP address filter to secure it. I wouldn't recommend configuring this unless you are accessing from a fixed IP as I am, so just leave it open.

Hope this is of some help to you.

Thanks

Gareth
August 19, 2023, 11:13:32 PM #5 Last Edit: August 19, 2023, 11:32:38 PM by zandrr
Mine is set up similarly to the above, however under the 'DNS Sleep Time' under Challenge Types I leave it at 0 seconds, which should be the default.

In your settings (picture)

  • Revert DNS Sleep Time to 0
  • Remove in Global API Key: E-Mail and Key
  • Remove in Restricted API Token: CF Zone ID

I remember it also took a bit of fiddling to get it just right. Some fields were very particular, particularly the ALT names under the Certificates.
For additional domains, I just added certificates.

So from the top, only the fields mentioned have inputs; the rest are left at defaults:

ACME Client > Accounts
Name: 'le-prod' (arbitrary) - I also have 'le-test' from testing against "Let's Encrypt Test CA"
E-Mail Address: Obvious
ACME CA: "Let's Encrypt (default)"


ACME Client > Challenge Types
Name: 'dns-challenge' (arbitrary)
Challenge Type: DNS-01
DNS Service: CloudFlare.com
CF Account ID: From CF portal in URL string
CF API Token: Generated from CF portal, needs DNS:Edit capability.


(optional) ACME Client > Automations
Name: 'restart-webui' (arbitrary)
Run command: Restart OPNsense Web UI


ACME Client > Certificates
Common Name: '*.example.com' (I use a wildcard)
ACME Account: Above
Challenge Type: Above
(optional) Automations: Above


To get more verbose logs:
ACME Client > Settings > Settings tab > Log Level: change to 'debug'
view under ACME Client > Log Files > ACME Log tab
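An added pre-flight check (not part of this thread, nor of acme.sh or the OPNsense plugin) that tests the same two things the posts above boil down to: that the restricted API token is active, and that it can see the zone above _acme-challenge.<domain>, which is the lookup behind the "invalid domain" error in the first post. It uses only the public Cloudflare v4 endpoints GET /user/tokens/verify and GET /zones?name=...; the fetch function is injectable so the logic can be exercised offline with constructed responses, and the domain and token names below are placeholders.

```python
import json
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def cf_get(path, token):
    """GET a Cloudflare v4 API path using a Bearer (restricted) token; returns parsed JSON."""
    req = urllib.request.Request(CF_API + path, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def find_zone(fqdn, token, get=cf_get):
    """Walk up the labels of fqdn (e.g. _acme-challenge.mydomain.com -> mydomain.com)
    until a zone the token may read is returned. Returns (zone_name, zone_id), or None
    when no parent zone is visible, which is what makes a DNS-01 hook give up."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never query the bare TLD
        candidate = ".".join(labels[i:])
        body = get(f"/zones?name={candidate}", token)
        if body.get("success") and body.get("result"):
            return candidate, body["result"][0]["id"]
    return None


def preflight(fqdn, token, get=cf_get):
    """Return a list of findings; an empty list means the token is active and the
    zone for fqdn is readable, so the TXT record add should at least be attempted."""
    findings = []
    verify = get("/user/tokens/verify", token)
    if not verify.get("success") or verify.get("result", {}).get("status") != "active":
        findings.append("token rejected or not active: re-check the Restricted API Token field")
        return findings                        # no point querying zones with a dead token
    if find_zone(fqdn, token, get) is None:
        findings.append(f"no zone visible for {fqdn}: token needs Zone:Read (and DNS:Edit) "
                        "on that zone; acme.sh reports this as 'invalid domain'")
    return findings


if __name__ == "__main__":
    import os
    # CF_API_TOKEN and ACME_FQDN are placeholder environment variables for a live run.
    for line in preflight(os.environ["ACME_FQDN"], os.environ["CF_API_TOKEN"]) or ["ok"]:
        print(line)
```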