ACME Renewals with CloudFlare DNS Error

Funar

Getting the following error while attempting to renew a Let's Encrypt cert using CloudFlare DNS verification:

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/****/****

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/****'
The validation for **** is pending!
/usr/share/proxmox-acme/dnsapi/dns_cf.sh: line 35: _clearaccountconf_mutable: command not found
[Sat Feb 18 10:37:42 EST 2023] invalid domain
[Sat Feb 18 10:37:42 EST 2023] Error add txt for domain:_acme-challenge.****
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cf ****' failed: exit code 1

I should add that I performed an update to PMG to see if the error would clear. Currently on 7.2-4.
 
Hello, I'm getting the same error on a fresh 7.3-6 install

Update:

After a quick check of my cf plugin config, I saw that my CF_Token had a typo and my CF_Zone_Id was empty...
Finally got it working with correct CF_Token and CF_Zone_Id variables :+1:
 
A patch providing the missing _clearaccountconf_mutable was sent to the pve-devel list:
https://lists.proxmox.com/pipermail/pve-devel/2023-February/055851.html

Once it (or an improved version) has been applied, the dns_cf.sh plugin should work without problems.

If you want, you can apply the patch to /usr/share/proxmox-acme/proxmox-acme manually; this would also help us see
that it indeed fixes the issue! (I don't have a Cloudflare domain for testing.)

I hope this helps!
 
Hello,

I updated to version 7.4-3 yesterday and, as luck would have it, I needed to renew my LE certificate (using Cloudflare). I have run into a similar error as the OP.

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/****/****

Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/****'
The validation for pve-01.****.net is pending!
[Thu May 25 11:15:04 CDT 2023] invalid domain
[Thu May 25 11:15:04 CDT 2023] Error add txt for domain:_acme-challenge.pve-01.****.net
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cf pve-01.****.net' failed: exit code 1

I checked the /usr/share/proxmox-acme/proxmox-acme file and it seems to have the fixes that were applied in the patch. I'm not sure what to try next. Is there something else I can do or is there some other output that I should provide?
 
[Thu May 25 11:15:04 CDT 2023] invalid domain
[Thu May 25 11:15:04 CDT 2023] Error add txt for domain:_acme-challenge.pve-01.****.net
The invalid domain message comes from the acme.sh implementation for Cloudflare (dns_cf.sh), so I guess something does not work with that domain or its Cloudflare registration.

I hope this points you in the right direction (I don't have a domain registered with Cloudflare, so I cannot test it here).
 
The invalid domain message comes from the acme.sh implementation for Cloudflare (dns_cf.sh), so I guess something does not work with that domain or its Cloudflare registration.

I hope this points you in the right direction (I don't have a domain registered with Cloudflare, so I cannot test it here).
Got it - I'll try and figure out what might be going on with cloudflare and try registering a proxmox certificate again.

Thanks,

AJ
 
Every year or so I end up back on the forums debugging why my renewal is failing. I consistently forget that I put "Client IP Address Filtering" on my CloudFlare API tokens and have moved or received a new public IP. In my case, the "invalid domain" message is just my API token being rejected during the call to _get_root() in the dns_cf.sh plugin.
 
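To tell a rejected token (a typo in CF_Token, or client IP address filtering that no longer matches the host's address, as described in the post above) apart from a domain Cloudflare genuinely does not host, here is an added diagnostic script; it is not part of Proxmox or acme.sh. It verifies the token from this host and then repeats the parent-zone walk that _get_root() in dns_cf.sh performs; the function names and the CURL_OPTS variable are this script's own, and CF_Token is the same value as in the plugin config.

```shell
#!/bin/sh
# Added diagnostic (not part of Proxmox or acme.sh): repeats the Cloudflare
# lookups that dns_cf.sh performs, so a rejected API token can be told apart
# from a domain that Cloudflare does not host. Function names and CURL_OPTS
# are this script's own; CF_Token is the value from the ACME plugin config.
set -u

CF_API="https://api.cloudflare.com/client/v4"

# Parent-domain candidates, longest first, in the order _get_root() tries them:
# _acme-challenge.pve-01.example.net -> pve-01.example.net -> example.net -> net
candidate_zones() {
  fqdn=$1
  while [ -n "$fqdn" ]; do
    printf '%s\n' "$fqdn"
    case $fqdn in
      *.*) fqdn=${fqdn#*.} ;;
      *)   fqdn= ;;
    esac
  done
}

# Pass CURL_OPTS=-4 or CURL_OPTS=-6 to see which source address Cloudflare
# sees; client IP filtering on the token must allow that address.
cf_get() {
  curl -sS ${CURL_OPTS:-} -H "Authorization: Bearer $CF_Token" "$CF_API/$1"
}

# Zone walk as in _get_root(): first candidate for which Cloudflare returns a
# zone. A token rejected at every step ends here exactly like a non-hosted
# domain, which is why the plugin reports "invalid domain" in both cases.
# Assumes the compact JSON Cloudflare returns ("success":true, "name":"...").
find_zone() {
  for h in $(candidate_zones "$1"); do
    resp=$(cf_get "zones?name=$h")
    if printf '%s' "$resp" | grep -q '"success":true' \
       && printf '%s' "$resp" | grep -qF "\"name\":\"$h\""; then
      printf '%s\n' "$h"
      return 0
    fi
  done
  echo "invalid domain: no zone matched; check the token verify output" >&2
  return 1
}

if [ $# -gt 0 ]; then
  : "${CF_Token:?set CF_Token to the token used by the PVE/PMG ACME plugin}"
  echo "token verify: $(cf_get user/tokens/verify)"
  find_zone "$1"
fi
```

Run it as `CF_Token=... sh cf_diag.sh _acme-challenge.pve-01.example.net`; an error in the verify output, or a walk that ends in "invalid domain" for a zone you know is on Cloudflare, points at the token or its IP filter rather than at the DNS zone.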
Every year or so I end up back on the forums debugging why my renewal is failing. I consistently forget that I put "Client IP Address Filtering" on my CloudFlare API tokens and have moved or received a new public IP. In my case, the "invalid domain" message is just my API token being rejected during the call to _get_root() in the dns_cf.sh plugin.
Got the same issue, thanks!
 
In my case it used IPv6 to do the check and I didn't add my IPv6 (subnet) address to Client IP Address Filtering. Thanks