ACME with Cloudflare DNS doesn't work anymore

Hunduster

May 13, 2023
Düsseldorf, Germany
Hello everyone,

I have just noticed by chance that my ACME Challenge no longer seems to be working.

I get the error message during renewal:

Error add txt for domain:_acme-challenge.mail.domain.com
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cf mail.domain.com' failed: exit code 1

I use the DNS challenge from Cloudflare and have also renewed the token and entered it accordingly. Unfortunately, the challenge always fails with the same error.
 
...I was able to solve it myself. I don't know why, but Cloudflare apparently can no longer handle IP address ranges. If I enter the authorized IP addresses of a subnet individually, it works again.
I really wish I understood this, as my cloudflare renewals are now suddenly failing as well. What do you mean by "enter authorized IP address"? Is that something you're providing in the proxmox UI?

When I configure the ACME challenge via Cloudflare in Proxmox, there's nothing prompting for IP addresses. The challenge plugin requires an account email and key (or account ID, key, token, and zone ID). The actual certificate page doesn't prompt for IP addresses either: it just asks for the domain name and plugin type.
Can you post a screenshot of your settings in the PMG?

What I meant is that I had stored an IP address range at Cloudflare (not at PMG), which was authorized to execute the ACME challenge at DNS level with the required API token. This no longer works. You now have to enter a dedicated IP address (/32) for the challenge to work.
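The renewal in this thread only reported "Error add txt for domain", while Hunduster traced the cause to the client IP filter on the API token at Cloudflare. The following is an added example, not code from the thread, from Proxmox or from Cloudflare: a preflight that makes the same Cloudflare API v4 calls the DNS-01 plugin needs (verify the token, create and then delete the _acme-challenge TXT record) and surfaces Cloudflare's own error text instead of the plugin's one-line failure. The zone ID, token and domain are placeholders the caller supplies, the fake_transport responses are constructed for the offline demo (their error code and message are made up, not Cloudflare's), and the real transport uses only the standard-library urllib.

```python
import json
import urllib.error
import urllib.request

# Added example; not Proxmox or Cloudflare code. Real endpoint, placeholder
# credentials: zone ID, token and domain are supplied by the caller.
API_BASE = "https://api.cloudflare.com/client/v4"


class CloudflareError(RuntimeError):
    """API answered success=false or a 4xx/5xx status."""


def _urllib_transport(method, url, token, body=None):
    """Real transport: one HTTPS call, returns (status, parsed JSON body).
    A 4xx body is returned too, so the caller can read Cloudflare's errors."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def _call(transport, method, path, token, body=None):
    """Issue one API call and unwrap 'result', raising with Cloudflare's own
    error text on failure (proxmox-acme only shows 'Error add txt for domain')."""
    status, payload = transport(method, API_BASE + path, token, body)
    if status >= 400 or not payload.get("success"):
        msgs = "; ".join(f"{e.get('code')}: {e.get('message')}"
                         for e in payload.get("errors", [])) or f"HTTP {status}"
        raise CloudflareError(f"{method} {path} failed: {msgs}")
    return payload["result"]


def preflight_txt_record(zone_id, token, domain, transport=_urllib_transport):
    """Verify the token, then create and delete _acme-challenge.<domain>,
    i.e. the writes the DNS-01 plugin performs. Returns the record name."""
    info = _call(transport, "GET", "/user/tokens/verify", token)
    if info.get("status") != "active":
        raise CloudflareError(f"token status is {info.get('status')!r}, not active")
    name = f"_acme-challenge.{domain}"
    rec = _call(transport, "POST", f"/zones/{zone_id}/dns_records", token,
                {"type": "TXT", "name": name,
                 "content": "preflight-not-a-real-challenge", "ttl": 120})
    # Remove the probe so no stale TXT record is left in the zone.
    _call(transport, "DELETE", f"/zones/{zone_id}/dns_records/{rec['id']}", token)
    return name


def preflight_report(zone_id, token, domain, transport=_urllib_transport):
    """(True, record name) on success, (False, error text) on failure."""
    try:
        return True, preflight_txt_record(zone_id, token, domain, transport)
    except CloudflareError as err:
        return False, str(err)


def fake_transport(reject_client_ip=False):
    """Constructed stand-in for the API so the demo runs offline. The
    rejection payload only mimics the shape of a Cloudflare error response;
    its code and message are made up, not Cloudflare's real ones."""
    def transport(method, url, token, body=None):
        if reject_client_ip:
            return 403, {"success": False, "result": None, "errors": [
                {"code": 0, "message": "constructed: token not usable from this client IP"}]}
        if method == "GET" and url.endswith("/user/tokens/verify"):
            return 200, {"success": True, "errors": [], "result": {"id": "tok", "status": "active"}}
        if method == "POST" and url.endswith("/dns_records") and body["type"] == "TXT":
            return 200, {"success": True, "errors": [], "result": {"id": "rec123", **body}}
        if method == "DELETE" and url.endswith("/dns_records/rec123"):
            return 200, {"success": True, "errors": [], "result": {"id": "rec123"}}
        return 404, {"success": False, "errors": [{"code": 0, "message": "unexpected call"}]}
    return transport


if __name__ == "__main__":
    import os
    import sys
    # Real run: export CF_ZONE_ID, CF_API_TOKEN and ACME_DOMAIN and execute this
    # on the PMG/PVE host, so the request leaves from the IP the plugin will use.
    env = [os.environ.get(k) for k in ("CF_ZONE_ID", "CF_API_TOKEN", "ACME_DOMAIN")]
    if all(env):
        ok, msg = preflight_report(*env)
        print("OK" if ok else "FAIL", msg)
        sys.exit(0 if ok else 1)
    # Offline demo with the constructed transport: one accepted, one rejected token.
    for reject in (False, True):
        ok, msg = preflight_report("zone-placeholder", "token-placeholder",
                                   "mail.example.com", fake_transport(reject))
        print("OK" if ok else "FAIL", msg)
```

Run it on the PMG or PVE host itself rather than from a workstation: a client IP restriction on the token is evaluated against the source address Cloudflare sees, so a check from another machine says nothing about whether the renewal on the host will succeed. If the real run fails on the verify call before any record is touched, the problem is the token (scope, status or IP filter), not the zone or the record.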
Ah, okay. I understand what you had. In my case, the error just went away on its own. No explanation. It seems I just happened to notice the error right after it happened, and then it kept giving an error when I tried to order the certs manually...

I even recreated everything, and I still was getting an error.

I had dinner, came back, and it all worked fine. A glitch in the matrix, I guess.