cloudflare: Unable to read zone

Hello,

I’ve built Caddy with the dns cloudflare module, but when it is set up with the DNS challenge, I get the following issue:

caddy caddy[366]: {"level":"error","ts":1597289488.5149934,"logger":"tls.obtain","msg":"will retry","error":"[subdomain.example.com] Obtain: [subdomain.example.com] solving challenges: presenting for challenge: adding temporary record for zone co.: got error status: HTTP 403: [{Code:0 Message:Actor 'com.cloudflare.api.token.xxxxxxxxxxxxxxxxxxxxxx' requires permission 'com.cloudflare.api.account.zone.read' to list zones}] (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.603871005,"max_duration":2592000}

I’ve tried all sorts of API token configurations and finally just made a token with access to all resources, but I’m still getting this error. When Googling I can’t find anything referencing the specific “com.cloudflare.api.account.zone.read”.

I checked Cloudflare’s API resources and they note there is a ‘Zone.Read’ under ‘Accounts’, but it doesn’t appear to be available in my Cloudflare API settings.

I’m not sure where to go from here?

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 16 (7 by maintainers)

Most upvoted comments

@mholt I’ve just simply decided to fix my dns configuration now that I understand what the problem is.

For future users, my issue was related to adding subdomain.example.com as a primary zone instead of using example.com as the primary zone in my DNS configuration. It appears the plugin uses the primary zone when sending data to the API. Changing that configuration will allow split-brain DNS to function properly with this plugin.
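The thread turns on one mechanic: before a DNS-01 solver can add the `_acme-challenge` TXT record it has to find out which Cloudflare zone the record belongs to, and the zone lookup is what needs the `com.cloudflare.api.account.zone.read` permission named in the 403 above. The following Python is an added illustration written for this page, not code from Caddy, the cloudflare DNS module or the libdns provider. It models the token, the zone list and the permission check as constructed in-memory objects; the label-by-label suffix walk is an assumption about how a solver derives the zone, and the `dns_edit` flag is a placeholder for the separate record-editing scope, not a real Cloudflare permission name.

```python
"""Added example: why a DNS-01 solver needs Zone.Read before it can touch records.

Everything here is constructed for illustration; nothing calls the real API.
"""
from dataclasses import dataclass, field

# Permission string exactly as it appears in the 403 error in the issue.
ZONE_READ = "com.cloudflare.api.account.zone.read"


class Forbidden403(Exception):
    """Stand-in for the HTTP 403 the Cloudflare API returns when a token lacks a scope."""


@dataclass
class FakeToken:
    """Constructed API token: which scopes it carries and which zones its account exposes."""
    permissions: set = field(default_factory=set)
    zones: list = field(default_factory=list)  # zone names, e.g. ["example.com"]
    dns_edit: bool = False  # placeholder for the record-editing scope (not a real name)


def list_zones(token: FakeToken, name: str) -> list:
    """Models GET /zones?name=<name>: listing zones requires Zone.Read on the token."""
    if ZONE_READ not in token.permissions:
        raise Forbidden403(
            f"Actor requires permission '{ZONE_READ}' to list zones"
        )
    return [z for z in token.zones if z == name]


def find_zone(token: FakeToken, record_fqdn: str) -> str:
    """Walk the record name upward (a.b.example.com -> b.example.com -> example.com)
    until the API returns a matching zone. Assumption: longest-suffix search."""
    labels = record_fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if list_zones(token, candidate):
            return candidate
    raise LookupError(f"no zone visible to this token contains {record_fqdn}")


def present_challenge(token: FakeToken, hostname: str) -> tuple:
    """The 'presenting for challenge' step: locate the zone, then add the TXT record.

    Returns (zone, record_name, record_type) describing what would be created.
    Zone lookup happens first, so a token missing Zone.Read fails here even when it
    can edit records; that is the failure mode in the log line above.
    """
    record_name = f"_acme-challenge.{hostname}"
    zone = find_zone(token, record_name)          # needs Zone.Read
    if not token.dns_edit:                        # then needs the record-edit scope
        raise Forbidden403("token cannot edit DNS records in zone " + zone)
    return zone, record_name, "TXT"


def diagnose(token: FakeToken, hostname: str) -> str:
    """Defender-side check: report which scope is missing instead of retrying blindly."""
    try:
        zone, name, _ = present_challenge(token, hostname)
        return f"ok: would add {name} TXT in zone {zone}"
    except Forbidden403 as exc:
        return f"permission problem: {exc}"
    except LookupError as exc:
        return f"zone problem: {exc}"


if __name__ == "__main__":
    account_zones = ["example.com"]  # constructed account with one primary zone
    no_read = FakeToken(permissions=set(), zones=account_zones, dns_edit=True)
    good = FakeToken(permissions={ZONE_READ}, zones=account_zones, dns_edit=True)
    print(diagnose(no_read, "subdomain.example.com"))
    print(diagnose(good, "subdomain.example.com"))
```

Running the block prints the 403-style message for the token without Zone.Read and an `ok:` line naming `example.com` as the zone for the good token, which matches the resolution in the comment above: the record is created in the account's primary zone, so the zone the token can see must be the one that actually contains the hostname.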