ACME with Cloudflare DNS doesn't work anymore

Hello everyone,

I have just noticed by chance that my ACME Challenge no longer seems to be working.

I get the error message during renewal:

Error add txt for domain:_acme-challenge.mail.domain.com
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cf mail.domain.com' failed: exit code 1

I use the DNS Challenge from Cloudflare and have also renewed the token and entered it accordingly. Unfortunately, the challenge always fails with the same error.
 
...I was able to solve it myself. I don't know why, but Cloudflare apparently can no longer handle IP address ranges. If I enter the authorized IP addresses of a subnet individually, it works again.
I really wish I understood this, as my Cloudflare renewals are now suddenly failing as well. What do you mean by "enter authorized IP address"? Is that something you're providing in the Proxmox UI?

When I configure the ACME challenge via Cloudflare in Proxmox, there's nothing prompting for IP addresses. The challenge plugin requires an account email and key (or account ID, key, token, and zone ID). The actual certificate page doesn't prompt for IP addresses either: it just asks for the domain name and plugin type.
Can you post a screenshot of your settings in the PMG?

What I meant is that I had stored an IP address range at Cloudflare (not at PMG), which was authorized to execute the ACME challenge at DNS level with the required API token. This no longer works. You now have to enter a dedicated IP address (/32) for the challenge to work.
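A small diagnostic for the situation described above, added here as an example (it is not code from the thread, from Proxmox, or from Cloudflare): it models the API token's client IP filter as a list of single addresses or CIDR ranges, checks whether the PMG host's egress address is covered, expands a range into the individual /32 entries the workaround needed, and optionally verifies the token from the host through Cloudflare's real `user/tokens/verify` endpoint. The filter list, the egress address and the `CF_TOKEN` environment variable are assumptions for illustration.

```python
"""Check a Cloudflare DNS-01 token's IP filter against the host's egress IP.

Added example, not from the thread or from Proxmox. Sample values below are
constructed; replace them with the token's real filter entries and the
address Cloudflare actually sees for the PMG host.
"""
import ipaddress
import json
import os
import urllib.error
import urllib.request

VERIFY_URL = "https://api.cloudflare.com/client/v4/user/tokens/verify"


def allowed_by_filter(allow_entries, egress_ip):
    """True if egress_ip falls inside any entry (a bare IP or a CIDR)."""
    ip = ipaddress.ip_address(egress_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in allow_entries)


def host_entries(cidr):
    """Expand a range into the single-host entries (/32 or /128) that the
    workaround in this thread required, e.g. 203.0.113.0/30 -> 4 entries."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [f"{addr}/{net.max_prefixlen}" for addr in net]


def verify_token(token):
    """Ask Cloudflare whether the bearer token is usable from *this* host.
    Returns the token status ('active') or Cloudflare's first error message,
    so an IP-filter rejection shows up as text rather than an exception."""
    req = urllib.request.Request(VERIFY_URL,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:  # 4xx still carries a JSON body
        body = json.load(err)
    if body.get("success"):
        return body["result"]["status"]
    return body["errors"][0]["message"]


if __name__ == "__main__":
    filters = ["203.0.113.0/29"]   # constructed: the range stored on the token
    egress = "203.0.113.5"         # constructed: what Cloudflare sees from PMG
    print("egress covered by filter:", allowed_by_filter(filters, egress))
    print("explicit host entries to enter instead:", host_entries(filters[0]))
    if os.environ.get("CF_TOKEN"):
        print("token verify from this host:", verify_token(os.environ["CF_TOKEN"]))
```

Only the live `verify_token` call needs network access; the filter check and the /32 expansion run offline.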
Ah, okay. I understand what you had. In my case, the error just went away on its own. No explanation. It seems I just happened to notice the error right after it happened, and then it kept giving an error when I tried to order the certs manually...

I even recreated everything, and I still was getting an error.

I had dinner, came back, and it all worked fine. A glitch in the matrix, I guess.