Can't add certificate with ACME DNS / Cloudflare

ABM IT Monk

Jul 22, 2017
Hi there,

The new Proxmox 6.2 looks nice and we were very interested to try out the new DNS-verified ACME certificates. Unfortunately, we were not able to get it to work with the Cloudflare DNS plugin. This is on a host with a fresh Proxmox 6.2 install.

We first added an account and a Cloudflare DNS plugin via Datacenter / ACME in the GUI admin. We used "Cloudflare Managed DNS" for the DNS API field. We filled in our account ID and token in the respective fields.

[screenshot: mox-dns2.png]

That seemed to go okay. Note, we have used the same account ID and token to issue certificates with the acme.sh client scripts to verify that these work correctly.

Then, with the Proxmox GUI, we went to the host / System / Certificates / ACME and clicked on Add. For challenge type, we put in DNS, for plugin we put in cloudflare (the name we created before), and then put in the domain.

[screenshot: mox-dns.png]

After clicking OK, we get an error:

setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cf mox.<domain>' failed: exit code 1

Here is the result on the command line:

root@mox:/usr/share/proxmox-acme# pvenode acme cert order
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/86180232/3366524521

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/4586499260'
The validation for mox.<domain> is pending!
[Thu May 14 15:04:35 PDT 2020] Error
[Thu May 14 15:04:35 PDT 2020] Error add txt for domain:_acme-challenge.mox.<domain>
command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cf mox.<domain>' failed: exit code 1
Task command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cf mox.<domain>' failed: exit code 1


Please advise.
 
Funny that I struck the same issue today. Seems like an error in /usr/share/proxmox-acme/dnsapi/dns_cf.sh

The error check near line 62 is wrong; it fails to find "success": true, maybe some problem with whitespace?
I commented out this if check, and dns_cf now works for me:


Bash:
  _cf_rest GET "zones/${_domain_id}/dns_records?type=TXT&name=$fulldomain"

  #if ! printf "%s" "$response" | grep \"success\"\ :true >/dev/null; then
    #_err "Error"
    #return 1
  #fi

Is there any public bugtracker for proxmox?
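The whitespace sensitivity of that grep check, shown on constructed Cloudflare-style response bodies. This is an added example, not code from the thread or from proxmox-acme, and the response bodies are made up.

```shell
#!/bin/sh
# Added example, not from the thread or proxmox-acme: shows why a grep-based
# "success" check is sensitive to whitespace in the JSON body.

# Constructed Cloudflare-style responses (not real API output).
CF_COMPACT='{"result":[],"success":true,"errors":[],"messages":[]}'
CF_SPACED='{"result":[], "success" :true, "errors":[]}'
CF_FAILED='{"result":null,"success":false,"errors":[{"code":0,"message":"constructed failure"}]}'

# The check as quoted from dns_cf.sh above. After shell quoting the grep
# pattern is:  "success" :true  (exactly one space before the colon),
# so compact JSON such as CF_COMPACT never matches.
cf_success_fragile() {
  printf '%s' "$1" | grep \"success\"\ :true >/dev/null
}

# Whitespace-tolerant replacement: any spacing around the colon is accepted,
# and "success":false is still rejected. Returns 0 on success, 1 otherwise.
cf_success_robust() {
  printf '%s' "$1" | grep -E '"success"[[:space:]]*:[[:space:]]*true' >/dev/null
}

# Stand-alone demo of all three bodies against both checks.
for body in "$CF_COMPACT" "$CF_SPACED" "$CF_FAILED"; do
  if cf_success_fragile "$body"; then f=match; else f=miss; fi
  if cf_success_robust "$body"; then r=match; else r=miss; fi
  printf 'fragile=%s robust=%s  %s\n' "$f" "$r" "$body"
done
```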
 
This was fixed in libproxmox-acme-perl 1.0.4. Thank you!

Not for me, only when I use the CF_{Global_API}_Key together with CF_Email.

With CF_Account_ID & CF_Token I receive: "Error - invalid domain".

Which version of the dns-cloudflare plugin is in use?
I'm sorry but I could not find it.

Looking at the docs:
... Using Cloudflare Tokens also requires at least version 2.3.1 of the cloudflare python module. If the version that automatically installed with this plugin is older than that, and you can’t upgrade it on your system, you’ll have to stick to the Global key. ...

Thanks in advance
 
Not for me, only when I use the CF_{Global_API}_Key together with CF_Email.

With CF_Account_ID & CF_Token I receive: "Error - invalid domain".

This is what we did:

Bash:
tmp="$(mktemp)"

cat <<EOF > "$tmp"
CF_Account_ID=...
CF_Token=...
EOF

pvenode acme plugin add dns cloudflare --api cf --data "$tmp"

rm "$tmp"

# verify
pvenode acme plugin config cloudflare

pvenode acme account register default <email> \
  --directory "https://acme-v02.api.letsencrypt.org/directory"

pvenode config set --acme account=default
pvenode config set --acmedomain0 domain="<domain>,plugin=cloudflare"

# optional
pvenode config set --acmedomain1 domain="<alt-domain>,plugin=cloudflare"

# verify
pvenode config get

pvenode acme cert order

Hope that helps...
 
I was also having the same problem as cellcore, where the global API key was working but not account ID / token, getting the error: "Invalid domain".

I had missed the fact that the page fabian linked to contained the solution, but it was on the Cloudflare side, following this:

"In order to use the new token, the token currently needs read access to Zone.Zone, and write access to Zone.DNS, across all Zones."
 
I was also having the same problem as cellcore, where the global API key was working but not account ID / token, getting the error: "Invalid domain".

I had missed the fact that the page fabian linked to contained the solution, but it was on the Cloudflare side, following this:

"In order to use the new token, the token currently needs read access to Zone.Zone, and write access to Zone.DNS, across all Zones."
Thank you!!!
This fixed it for me.

At the API settings, allow read to Zone.Zone and write to Zone.DNS on ALL Zones.
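Why a token scoped too narrowly shows up as "invalid domain": an added example, not code from the thread or from the dns_cf.sh plugin. It models, as an assumption about how the plugin locates the zone, the walk up the record's parent labels, using constructed zone-lookup responses and a placeholder zone id.

```shell
#!/bin/sh
# Added example, not from the thread or from dns_cf.sh. It models (as an
# assumption about the plugin's logic) how the zone for a record is located:
# walk up the FQDN's parent labels and query zones?name=<candidate> until one
# matches. If the token cannot list zones (no Zone.Zone read), every lookup
# comes back empty and the walk ends in the "invalid domain" error.

# Constructed stand-in for the zones lookup; no network calls are made.
# $1 = candidate zone name, $2 = token scope: "zone-read" or "dns-only"
cf_zones_lookup() {
  case "$2:$1" in
    zone-read:example.com)
      printf '%s' '{"result":[{"id":"ZONEID-PLACEHOLDER","name":"example.com"}],"success":true}' ;;
    zone-read:*)
      printf '%s' '{"result":[],"success":true}' ;;
    *)  # dns-only token: constructed error body, no zones visible
      printf '%s' '{"result":[],"success":false,"errors":[{"code":0,"message":"constructed: token lacks Zone.Zone read"}]}' ;;
  esac
}

# Prints the matching zone name and returns 0; returns 1 ("invalid domain")
# when no parent of the FQDN is a visible zone. Starts at the parent of the
# record label, since _acme-challenge.<host> is never a zone itself.
cf_find_zone() {
  fqdn="$1"; scope="$2"; i=2
  while :; do
    candidate=$(printf '%s' "$fqdn" | cut -d . -f "$i"-100)
    [ -n "$candidate" ] || return 1
    resp=$(cf_zones_lookup "$candidate" "$scope")
    if printf '%s' "$resp" | grep -F "\"name\":\"$candidate\"" >/dev/null; then
      printf '%s' "$candidate"
      return 0
    fi
    i=$((i + 1))
  done
}

# Stand-alone demo: same record, two token scopes.
for scope in zone-read dns-only; do
  if zone=$(cf_find_zone _acme-challenge.mox.example.com "$scope"); then
    printf '%s: zone %s\n' "$scope" "$zone"
  else
    printf '%s: invalid domain\n' "$scope"
  fi
done
```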
 
It seems you only need to add in CF_EMAIL and CF_TOKEN values for the API key, even if it's restricted to a zone. If you add in extra boxes like CF_ACCOUNT_ID, you will receive the error about invalid domain.

Also worth noting that the CF API settings mentioned by @wvanelten above are what you need at minimum, which I have shown below.

[screenshot: 1666615232020.png]

Kind Regards
 
Hello,

I tried the same and it doesn't work for me on Proxmox 7.2-3.
[screenshots: 1674073595670.png, 1674073520024.png]
And I tried with all the options: email token, account, token, account key, email key.
 