cert-manager: Cloudflare ACME DNS-01 challenge fails with API error requires permissions

Describe the bug: When performing an ACME DNS-01 challenge against Cloudflare, the API routine around Cloudflare zones fails with

Error: 0: Actor 'com.cloudflare.api.token.xxxxxxxxxxxx' requires permission 'com.cloudflare.api.account.zone.list' to list zones

Expected behaviour: DNS-01 challenge completes and certificate is issued

Steps to reproduce the bug: Create DNS-01 challenge based on Cloudflare documentation API Tokens section (not API Keys)

Create certificate request in the usual way.

It will fail with the above error when running 'kubectl get challenge -A'.

Anything else we need to know?:

This is a Cloudflare-API-specific error that is thrown. It seems to occur when either an invalid or an empty zone is passed; I believe at line 154 of cloudflare.go.

curl -X GET "https://api.cloudflare.com/client/v4/zones?name=mybadzone.com" \
     -H "Authorization: Bearer xxxxxxxxxxxx" \
     -H "Content-Type:application/json"
{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.xxxxxxxxxxxx' requires permission 'com.cloudflare.api.account.zone.list' to list zones"}],"messages":[],"result":null}

curl -X GET "https://api.cloudflare.com/client/v4/zones?name=" \
     -H "Authorization: Bearer xxxxxxxxxxxx" \
     -H "Content-Type:application/json"
{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.xxxxxxxxxxxx' requires permission 'com.cloudflare.api.account.zone.list' to list zones"}],"messages":[],"result":null}

If the FQDN is blank and you drop the ?name= parameter, it works fine.

What I'm not very clear on is how the FQDN in the Present section of cloudflare.go is obtained / passed. I don't see any way in the documentation to specify this.

This also seems very much like issue #2986.

Environment details:

/kind bug
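The failure mode described above, as an added example that is not cert-manager's own code: a small Python model of what the Present step has to do (derive the zone for the challenge FQDN, then query /zones?name=), with the SOA walk replaced by a constructed lookup table, plus a parser for the Cloudflare response body. An empty zone name is caught before any request is built, so it surfaces as a DNS/self-check problem rather than as the misleading zone.list permission error.

```python
import json

# Constructed stand-in for the SOA lookup cert-manager performs through its
# recursive nameservers; only this one zone "resolves" in the example.
CONSTRUCTED_SOA_ZONES = {"example.com."}


def find_zone_by_fqdn(fqdn, soa_zones=CONSTRUCTED_SOA_ZONES):
    """Walk the parent labels of fqdn until one is a known zone apex.

    Returns '' when nothing resolves, which is exactly what ends up in
    the ?name= query in the failure described in the issue."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in soa_zones:
            return candidate
    return ""


def zones_lookup_request(fqdn, soa_zones=CONSTRUCTED_SOA_ZONES):
    """Mirror the Present step: derive the zone, then build the API query.

    An empty zone is reported as a resolver problem instead of being sent
    to Cloudflare, where it would come back as the zone.list error."""
    zone = find_zone_by_fqdn(fqdn, soa_zones)
    if not zone:
        return {"ok": False,
                "reason": "empty zone name for " + fqdn +
                          "; check --dns01-recursive-nameservers"}
    return {"ok": True,
            "url": "https://api.cloudflare.com/client/v4/zones?name="
                   + zone.rstrip(".")}


def classify_cloudflare_response(body):
    """Map a raw /zones response body to an actionable diagnosis."""
    data = json.loads(body)
    if data.get("success"):
        return "zone-found" if data.get("result") else "zone-not-found"
    messages = [e.get("message", "") for e in data.get("errors", [])]
    if any("requires permission" in m for m in messages):
        # Cloudflare returns this both for a genuinely under-scoped token
        # and for an empty/unknown ?name=, so it is not a reliable signal
        # that the token itself is wrong.
        return "permission-error"
    return "other-error"
```

Run zones_lookup_request("_acme-challenge.mybadzone.com") to see the empty-zone case reported locally; the permission-error branch is what the curl output in the issue shows.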

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 19 (9 by maintainers)

Most upvoted comments

Setting recursive nameservers (--dns01-recursive-nameservers=8.8.8.8:53\,1.1.1.1:53) solved the problem. Thank you!

I am unable to replicate this on my cluster; however, I have a strong suspicion: could you set this option to point to Google's or Cloudflare's DNS? https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check Then delete the certificate(request) and let me know if you see the same behaviour.

I also looked at the Cloudflare API errors and they are quite confusing; I will make a PR to let cert-manager print out on which request it got the error.