ACME client issues w/Cloudflare

Started by DenverTech, March 11, 2024, 06:45:16 PM

March 11, 2024, 06:45:16 PM Last Edit: March 11, 2024, 06:56:00 PM by DenverTech
I've seen and read many posts about issues with Cloudflare, but have been using it without issue for about 1-2 years, using the generated API keys from CF. I use a wildcard domain and all renewals worked from 2022 until about 70 days ago. Then, mysteriously, they stopped working with the errors below. Hoping someone has some ideas on this as I've been beating my head against it for days.

Issue:

  • Starting about 70 days ago, the renewals began failing with "invalid domain" and "Error add txt for domain"
  • In the past, others have fixed this with updates (I'm current on both OPNsense and plugins) or new API keys (tried that)
  • Rebuilt all stages of the cert and issue persists
  • Tried with a single subdomain and issue persists

Tested:

  • Recreated the verification challenge, as that's where it's failing. Same errors.
  • Verified/recreated the API key permissions in case something changed on CF's end. Same errors.
  • Switched to a single subdomain, rather than wildcard. Same errors.
  • Recreated all stages of the request. Same errors.
  • Created a new API key with correct permissions. Same errors.
  • Contacted CloudFlare. They blame OPNsense, because of course they do.
  • NOTE: The API key does have zone read and dns edit permissions

See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Please add '--debug' or '--log' to check more details.
Error add txt for domain:_acme-challenge.somedomain.com
invalid domain
Adding txt value: <somestring> for domain: _acme-challenge.somedomain.com
Getting webroot for domain='*.somedomain.com'
Getting domain auth token for each domain
Single domain='*.somedomain.com'
Using CA: https://acme-v02.api.letsencrypt.org/directory

As a sanity check you could try getting the wildcard cert from Cloudflare with the plugin in my signature. It has the Cloudflare DNS provider and DNS-01 challenge built in. It uses libdns and this provider: https://github.com/caddy-dns/cloudflare
Hardware:
DEC740

I really don't want to learn Caddy to fix an issue that just cropped up with the built-in system. I'll consider that a last resort.

Side-note...tested again using the global API key. Also says the domain is invalid.

March 12, 2024, 03:38:55 AM #3 Last Edit: March 12, 2024, 04:19:32 AM by DenverTech
Lacking other options, I did try the Caddy plugin. No luck...but different results.

Example: it's set up with some.sitename.com pointing to handler 192.168.0.1, port 1111. I go to some.sitename.com:443 and it gives me a secure blank page. It does not forward to 192.168.0.1:1111 at all.

Progress, maybe? Still would love to know why the built-in plugin isn't working, but no one seems to want to talk about it, judging by the other threads about this. :)

Well I guess that means it is possible for you to get Let's Encrypt Certificates with TXT Records of Cloudflare. Right? So that means your API Token and the API of Cloudflare works as expected, and the issue has to be somewhere with the ACME Plugin implementation of it?
Hardware:
DEC740

Does seem to be the case! I definitely didn't mean to break the acme plugin. :D

If you have logs of the ACME plugin, you could open an issue on GitHub; maybe there's a fix for it upstream that can be implemented? https://github.com/opnsense/plugins

Sadly I don't know much about how the ACME plugin works.
Hardware:
DEC740

I noticed that when creating the Cloudflare API token, ACME required:
Zone Resources set: Include | All zones. This appears to be the problem.
To sum it up:
Zone | DNS | Edit
Zone Resources | Include | All Zones
Client IP (not using this field)
TTL | set a valid date range
This appears to work OK.

Quote from: rdunkle84 on March 12, 2024, 05:06:46 PM
I noticed that when creating the cloudflare api token, Acme required:
Zone Resources set: Include | All zones.   This appears to be the problem.
To sum it up:
Zone | DNS | Edit
Zone Resources | Include | All Zones
Client IP (not using this field)
TTL | set a valid date range
This appears to work OK.

Tried this. Still says the domain is invalid. I've got all zones allowed and a TTL, as well as the edit permissions.
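The two posts above come down to one question: can the token the plugin holds actually see the zone that owns the `_acme-challenge` record? The following is an added example, not code from this thread, OPNsense, acme.sh or Cloudflare. It checks a token against Cloudflare's documented v4 endpoints (`/user/tokens/verify` and `/zones?name=`) and then walks up from the record name to find a zone the token can see, which is my assumption about how the dns_cf hook locates the zone; an empty zone list at every step is the condition that surfaces as "invalid domain". The function names, the constructed fake transport and the sample zone ids are all mine.

```python
"""Pre-flight check for the Cloudflare API token behind an ACME dns_cf (DNS-01) challenge.

Added example for this thread; not code from OPNsense, acme.sh or Cloudflare.
It reproduces the two things the thread turns on: (1) is the token itself valid and
(2) can that token see the zone that owns the _acme-challenge TXT record? A token whose
"Zone Resources" scope excludes the zone answers the zone lookup with an empty list, so
the record name cannot be mapped to any zone. The walk-up lookup (full name first, then
each shorter suffix) is an assumption about how dns_cf locates the zone.
"""
import json
import urllib.parse
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def live_fetch(path, token):
    """Real transport: GET CF_API + path with a Bearer token, return the decoded JSON."""
    req = urllib.request.Request(CF_API + path,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def token_is_active(fetch, token):
    """True when /user/tokens/verify reports the token as active."""
    body = fetch("/user/tokens/verify", token)
    return bool(body.get("success")) and body.get("result", {}).get("status") == "active"


def find_zone(fetch, token, record_name):
    """Walk up from the record name to the zone this token can see.

    '_acme-challenge.www.somedomain.com' is tried, then 'www.somedomain.com',
    then 'somedomain.com'; the bare TLD is never queried.
    Returns (zone_name, zone_id) or None. None is the "invalid domain" condition.
    """
    labels = record_name.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        body = fetch("/zones?" + urllib.parse.urlencode({"name": candidate}), token)
        for zone in body.get("result", []):
            if zone.get("name") == candidate:
                return candidate, zone["id"]
    return None


def preflight(fetch, token, record_name):
    """Summarise what a renewal would hit, before acme.sh is run at all."""
    report = {"token_active": token_is_active(fetch, token), "zone": None, "verdict": ""}
    if not report["token_active"]:
        report["verdict"] = "token invalid or revoked: regenerate it"
        return report
    report["zone"] = find_zone(fetch, token, record_name)
    if report["zone"] is None:
        report["verdict"] = ("no zone visible for record: check the token's Zone Resources "
                             "scope includes this zone and grants Zone:Read + DNS:Edit")
    else:
        report["verdict"] = "ok: zone %s (id %s) reachable" % report["zone"]
    return report


# --- constructed offline transport so the check can be exercised without network ---
def make_fake_fetch(visible_zones, active=True):
    """Simulate Cloudflare for a token that can see only `visible_zones` ({name: id})."""
    def fetch(path, token):
        url = urllib.parse.urlparse(path)
        if url.path == "/user/tokens/verify":
            return {"success": True, "result": {"status": "active" if active else "disabled"}}
        if url.path == "/zones":
            name = urllib.parse.parse_qs(url.query).get("name", [""])[0]
            hits = [{"name": n, "id": i} for n, i in visible_zones.items() if n == name]
            return {"success": True, "result": hits}
        return {"success": False, "result": None}
    return fetch


if __name__ == "__main__":
    # Constructed sample: token scoped to a different zone than the one being renewed.
    scoped = make_fake_fetch({"other-example.net": "zone-id-constructed-1"})
    print(preflight(scoped, "dummy-token", "_acme-challenge.somedomain.com"))
    # Token that can see the right zone (the "All zones" / correct-zone case).
    ok = make_fake_fetch({"somedomain.com": "zone-id-constructed-2"})
    print(preflight(ok, "dummy-token", "_acme-challenge.somedomain.com"))
    # Live run against Cloudflare:
    # preflight(live_fetch, "<your-token>", "_acme-challenge.yourdomain.tld")
```

Running it with `live_fetch` and the same token the plugin uses separates a Cloudflare-side scope problem from a plugin-side one: if the zone is found here but the plugin still fails, the token is not the cause.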

March 25, 2024, 07:28:52 AM #9 Last Edit: March 26, 2024, 04:49:05 PM by opnsenseuser
I'm using Cloudflare too.
After the latest update, OPNsense 24.1.4, I get a validation failed error.
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

did you find a way to solve problem?

I'm still having this issue on the latest release (24.1.7).

I am using 24.1.6, and the Acme plugin with CloudFlare DNS-01 challenge. My certificates are updating as expected and my last certificate updated on May 12. I am using Let's Encrypt as my Acme CA, a restricted API token (zone read, DNS edit) and named certs.

Same problem here, one of my website's cert has expired now!! No clue how to fix and customer already complaining. Running

AcmeClient: domain validation failed (dns01)

acme.sh seems to have problems adding the TXT record, but I can't see why.

[Wed May 29 12:54:39 CEST 2024] Add txt record error.

This is getting urgent!

Some more logs...
2024-05-29T14:56:40 opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 8 --debug 2 --server 'letsencrypt' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_prod/account.conf'
2024-05-29T14:56:40 opnsense AcmeClient: using challenge type: Cloudflare DNS Validation
2024-05-29T14:56:40 opnsense AcmeClient: account is registered: avbs-acme
2024-05-29T14:56:40 opnsense AcmeClient: using CA: letsencrypt
2024-05-29T14:56:40 opnsense AcmeClient: issue certificate: mydomain.com
2024-05-29T14:56:40 opnsense AcmeClient: certificate must be issued/renewed: mydomain.com
2024-05-29T12:54:44 opnsense AcmeClient: validation for certificate failed: mydomain.com
2024-05-29T12:54:44 opnsense AcmeClient: domain validation failed (dns01)
2024-05-29T12:54:44 opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt_test' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_stg/account.conf''
2024-05-29T12:54:29 opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt_test' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_stg/account.conf'
2024-05-29T12:54:29 opnsense AcmeClient: using challenge type: Cloudflare DNS Validation
2024-05-29T12:54:29 opnsense AcmeClient: account is registered: avbs-acme
2024-05-29T12:54:29 opnsense AcmeClient: using CA: letsencrypt_test
2024-05-29T12:54:29 opnsense AcmeClient: issue certificate: mydomain.com
2024-05-29T12:54:29 opnsense AcmeClient: certificate must be issued/renewed: mydomain.com

If it's a customer who is complaining, why not just buy a certificate? Getting a wildcard certificate for the domain(s) fixes the problem instantly, and it doesn't cost much for a business.
Hardware:
DEC740