ACME Renewals with CloudFlare DNS Error

Funar
Oct 8, 2021
Getting the following error while attempting to renew a Let's Encrypt cert using CloudFlare DNS verification:

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/****/****

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/****'
The validation for **** is pending!
/usr/share/proxmox-acme/dnsapi/dns_cf.sh: line 35: _clearaccountconf_mutable: command not found
[Sat Feb 18 10:37:42 EST 2023] invalid domain
[Sat Feb 18 10:37:42 EST 2023] Error add txt for domain:_acme-challenge.****
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cf ****' failed: exit code 1

I should add that I performed an update to PMG to see if the error would clear. Currently on 7.2-4.
 
Hello, I'm getting the same error on a fresh 7.3-6 install

Update:

After a quick check of my CF plugin config, I saw that my CF_Token had a typo and my CF_Zone_Id was empty...
Finally got it working with correct CF_Token and CF_Zone_Id variables 👍
 
A patch providing the missing _clearaccountconf_mutable was sent to the pve-devel list:
https://lists.proxmox.com/pipermail/pve-devel/2023-February/055851.html

Once it (or an improved version) has been applied, the dns_cf.sh plugin should work without problems.

If you want, you can apply the patch to /usr/share/proxmox-acme/proxmox-acme manually - this would also help us see
that it indeed fixes the issue! (as I don't have a Cloudflare domain for testing)

I hope this helps!
 
Hello,

I updated to version 7.4-3 yesterday and, as luck would have it, I needed to renew my LE certificate (using Cloudflare). I have run into a similar error as the OP.

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/****/****

Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/****'
The validation for pve-01.****.net is pending!
[Thu May 25 11:15:04 CDT 2023] invalid domain
[Thu May 25 11:15:04 CDT 2023] Error add txt for domain:_acme-challenge.pve-01.****.net
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cf pve-01.****.net' failed: exit code 1

I checked the /usr/share/proxmox-acme/proxmox-acme file and it seems to have the fixes that were applied in the patch. I'm not sure what to try next. Is there something else I can do or is there some other output that I should provide?
 
[Thu May 25 11:15:04 CDT 2023] invalid domain
[Thu May 25 11:15:04 CDT 2023] Error add txt for domain:_acme-challenge.pve-01.****.net
The invalid domain message comes from the acme.sh implementation for Cloudflare (dns_cf.sh) - so I guess something does not work with that domain or its Cloudflare registration

I hope this points you in the right direction (I don't have a domain registered with cloudflare so cannot test it here)
 
Got it - I'll try and figure out what might be going on with Cloudflare and try registering a Proxmox certificate again.

Thanks,

AJ
 
Every year or so I end up back on the forums debugging why my renewal is failing. I consistently forget that I put "Client IP Address Filtering" on my CloudFlare API tokens and have moved or received a new public IP. In my case, the "invalid domain" message is just my API token being rejected during the call to _get_root() in the dns_cf.sh plugin.
 
Got the same issue, thanks!
 
In my case it used IPv6 to do the check and I didn't add my IPv6 (subnet) address to Client IP Address Filtering. Thanks.
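The causes named in this thread (a typo in CF_Token or an empty CF_Zone_Id, a token that is not allowed to read the zone, and a token restricted by "Client IP Address Filtering" to an address the host no longer uses, over IPv4 or IPv6) all surface as the same acme.sh message, "invalid domain", because dns_cf.sh's _get_root() only reports that no zone matched. The script below is an added diagnostic, not part of this thread, proxmox-acme or acme.sh: it lists the zone names a label-by-label walk of the challenge record would try and queries each against the public Cloudflare v4 API, once over IPv4 and once over IPv6 so an address-family mismatch in the token's IP filter is visible. The /user/tokens/verify and /zones endpoints are assumed from Cloudflare's published API, not from the thread; curl and jq must be installed on the host, and the record name and example zone are placeholders.

```shell
#!/bin/sh
# Added diagnostic for the "invalid domain" failure from dns_cf.sh (not from
# the thread, proxmox-acme or acme.sh). Export CF_Token (and CF_Zone_Id if you
# set one in the plugin) with the values entered in the Proxmox ACME plugin
# config, then run it with the record name that failed, e.g.:
#   CF_Token=... sh cf-check.sh _acme-challenge.pve-01.example.net
# Assumed: the Cloudflare v4 API base URL and endpoints below; curl and jq present.
set -u

CF_API="https://api.cloudflare.com/client/v4"

# Print the zone names a label walk of the record would try, most specific
# first: _acme-challenge.pve-01.example.net -> pve-01.example.net, example.net.
# The challenge label itself is skipped and the walk stops before the TLD.
zone_candidates() {
    name=${1%.}            # tolerate a trailing dot
    rest=${name#*.}        # drop the _acme-challenge label
    while [ "$rest" != "${rest#*.}" ]; do   # stop once a single label is left
        echo "$rest"
        rest=${rest#*.}
    done
}

# GET one API path over the given address family (4 or 6); prints the body
# and returns curl's exit status, so a missing route is distinguishable
# from an API-level rejection.
cf_get() {
    curl -s "-$1" -H "Authorization: Bearer ${CF_Token}" "${CF_API}/$2"
}

cf_check() {
    record=$1
    # 1. Is the token itself accepted? A typo'd token, or one whose client IP
    #    filter excludes this host's address on this family, fails here.
    for family in 4 6; do
        printf 'token verify over IPv%s: ' "$family"
        if body=$(cf_get "$family" user/tokens/verify); then
            printf '%s' "$body" | jq -r \
              '"success=\(.success) status=\(.result.status // "n/a") errors=\(.errors)"'
        else
            echo "no IPv${family} route to the API from this host"
        fi
    done
    # 2. If a zone id was configured, can the token read that zone directly?
    if [ -n "${CF_Zone_Id:-}" ]; then
        printf 'zone id %s: ' "$CF_Zone_Id"
        cf_get 4 "zones/${CF_Zone_Id}" | jq -r \
          '"success=\(.success) name=\(.result.name // "none") errors=\(.errors)"'
    fi
    # 3. Otherwise the plugin has to find the zone by name. An empty result with
    #    success=true means the token cannot see that zone (wrong account, or
    #    the Zone:Read permission the plugin needs is missing on it), which is
    #    where dns_cf.sh gives up with "invalid domain".
    for zone in $(zone_candidates "$record"); do
        printf 'zones?name=%s: ' "$zone"
        cf_get 4 "zones?name=${zone}" | jq -r \
          'if .success then
             (if (.result | length) > 0 then "visible, id=\(.result[0].id)"
              else "not visible to this token" end)
           else "error \(.errors)" end'
    done
}

# Only hit the network when a token was exported; the helpers above can be
# sourced and exercised without one.
if [ -n "${CF_Token:-}" ]; then
    cf_check "${1:?record name, e.g. _acme-challenge.host.example.net}"
fi
```

Run it on the Proxmox node itself rather than from a workstation: the whole point of the IPv4/IPv6 double check is to see the API from the addresses the renewal task actually uses, and a token verify that succeeds on one family and is rejected on the other is the IP-filter case from the last two posts. A token that verifies fine but shows every candidate zone as "not visible" points at the zone permission or the wrong Cloudflare account instead.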
 
