nginx-proxy-manager: Cannot get Let's Encrypt cert via Cloudflare DNS challenge
I have set up a brand new NPM container and I am trying to get SSL certs but keep failing.
Below is the error I get in the logs:
[10/29/2020] [8:22:41 PM] [Nginx ] › ℹ info Reloading Nginx
[10/29/2020] [8:22:41 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates via Cloudflare for Cert #2: manage.habibtain.com
[10/29/2020] [8:22:52 PM] [Nginx ] › ℹ info Reloading Nginx
[10/29/2020] [8:22:52 PM] [Express ] › ⚠ warning Command failed: /usr/bin/certbot certonly --non-interactive --cert-name "npm-2" --agree-tos --email "mohsinhassan88@gmail.com" --domains "manage.habibtain.com" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials-2"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for manage.habibtain.com
Cleaning up challenges
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.8.13)
I don't know which part I am missing.
- I am sure the API key I provided is correct.
Can you please guide me?

About this issue
- State: closed
- Created 4 years ago
- Comments: 22 (1 by maintainers)
Update: went to test some more and found a temporary solution. The token doesn't work, but the less secure email and key combination work. Instead of the
we need to use
So there might be something wrong with either the token implementation or the Cloudflare API (which was down last night).
I hope this helps further debugging.
Sorry guys, clicked on the wrong button…
I tried @ikomhoog's suggestion and yes, the issue was actually the global API key and the token confusion. If you use the token it works properly, and on the :latest tag as well. Thank you for helping out 👍
If anyone in future gets here looking for an answer: you need an API token, which is different from your global API key. https://developers.cloudflare.com/api/tokens/create <— follow this link to create a token.
You can use the "Edit Zone DNS" template.
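As an added illustration (not code from the thread or from the nginx-proxy-manager project): a small Python checker for the certbot dns-cloudflare credentials file that tells the two credential styles apart and flags the mix-up described above, a Global API Key pasted where a scoped token belongs (or the reverse). It assumes the standard certbot-dns-cloudflare INI key names (dns_cloudflare_api_token, or dns_cloudflare_email plus dns_cloudflare_api_key); the length and character-set heuristics used to distinguish a token from a Global API Key are assumptions, and all sample credentials are constructed placeholders.

```python
"""Sanity-check a certbot dns-cloudflare credentials file (added example).

Classifies the file as token-style or global-key-style, flags a Global
API Key placed in the token field (or a token placed in the key field),
and checks that the file is not group/world readable.
"""
import configparser
import os
import re
import stat
import tempfile

# Key names read by certbot-dns-cloudflare from its credentials INI file.
TOKEN_KEY = "dns_cloudflare_api_token"
EMAIL_KEY = "dns_cloudflare_email"
APIKEY_KEY = "dns_cloudflare_api_key"

# Shape heuristics (assumption, not a Cloudflare guarantee): scoped API
# tokens are 40 chars of [A-Za-z0-9_-]; the legacy Global API Key is
# 37 lowercase hex chars.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{40}$")
GLOBAL_KEY_RE = re.compile(r"^[0-9a-f]{37}$")


def parse_credentials(text):
    """Parse the section-less 'key = value' file certbot uses."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[cf]\n" + text)  # configparser needs a section header
    return {k: v.strip() for k, v in parser["cf"].items()}


def check_credentials(text):
    """Return (mode, findings); mode is 'token', 'key' or None."""
    creds = parse_credentials(text)
    findings = []
    token = creds.get(TOKEN_KEY)
    email = creds.get(EMAIL_KEY)
    key = creds.get(APIKEY_KEY)

    if token and (email or key):
        findings.append("both token and email/key present; certbot expects one style")
    if token:
        mode = "token"
        if GLOBAL_KEY_RE.match(token):
            findings.append("value in %s looks like a Global API Key, not a scoped token" % TOKEN_KEY)
        elif not TOKEN_RE.match(token):
            findings.append("token has an unexpected shape; was it copied completely?")
    elif key or email:
        mode = "key"
        if not (key and email):
            findings.append("Global API Key mode needs both %s and %s" % (EMAIL_KEY, APIKEY_KEY))
        elif TOKEN_RE.match(key):
            findings.append("value in %s looks like a scoped token; put it in %s instead" % (APIKEY_KEY, TOKEN_KEY))
        elif not GLOBAL_KEY_RE.match(key):
            findings.append("API key has an unexpected shape")
    else:
        mode = None
        findings.append("no Cloudflare credentials found")
    return mode, findings


def check_permissions(path):
    """True when the file is readable by its owner only (certbot warns otherwise)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return not (mode & (stat.S_IRGRP | stat.S_IROTH))


def write_and_check(text, perms=0o600):
    """Write text to a temp file with the given mode and run the permission check."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(text)
    try:
        os.chmod(fh.name, perms)
        return check_permissions(fh.name)
    finally:
        os.unlink(fh.name)


# Constructed sample files with placeholder secrets (not real credentials).
TOKEN_STYLE = "dns_cloudflare_api_token = " + "A" * 40 + "\n"
KEY_STYLE = ("dns_cloudflare_email = admin@example.com\n"
             "dns_cloudflare_api_key = " + "0" * 37 + "\n")
# The mix-up from this thread: a Global API Key pasted into the token field.
GLOBAL_KEY_AS_TOKEN = "dns_cloudflare_api_token = " + "0" * 37 + "\n"

if __name__ == "__main__":
    for label, text in [("token", TOKEN_STYLE), ("key", KEY_STYLE), ("mix-up", GLOBAL_KEY_AS_TOKEN)]:
        mode, findings = check_credentials(text)
        print("%-7s -> mode=%s %s" % (label, mode, findings or "OK"))
    print("0600 permissions ok:", write_and_check(TOKEN_STYLE, 0o600))
    print("0644 permissions ok:", write_and_check(TOKEN_STYLE, 0o644))
```

Run it against the real file with `check_credentials(open("/etc/letsencrypt/credentials-2").read())` (the path NPM logged above) to see which style the file is in and whether the value has the shape certbot expects before retrying the certificate request.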
I hate to bring a closed issue back to life and it may be something on Cloudflare’s end but can someone confirm for me that I don’t need the TXT records created ahead of time in my DNS Zones when using Cloudflare option? I’m looking at the log when it tries to go out and register letsencrypt - it creates the two TXT records and then deletes it but then fails the challenge. If I set up the TXT records, it wouldn’t match when I resubmit the registration through NPM. Single subdomain works, whole domain and wildcard via DNS Challenge fails via the Zone EDIT API method.
Update: I can't read, I was trying to use my global API key as the token; I assumed they would be interchangeable. While creating a token for @chaptergy it suddenly dawned on me that it might not be a global API token.
This confusion probably came from the spaceinvaderone tutorial where he uses the key and e-mail instead of a token.
Sorry for taking your time, the token works like it should. @Chachu1 and @potvinp can you also confirm this? https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys
I have also tested it and it all works as expected, no directory error on a clean install, and the token works every time.
@potvinp have you already pointed the (sub)domain you are trying to get a cert for to your IP address? (Since this is a requirement for DNS challenges.) Does everything work without SSL certificates? Did you try the key with these lines (notice that it's not "token" but "key" here):
since the key requires an e-mail
I’m trying to spot a difference in our setups.
I’m using google domains for my domain and only use Cloudflare for the DNS and certificates since I could get a wildcard certificate there.
I haven't done anything special during that setup:
- Change the nameservers to the Cloudflare ones
- Add all the subdomains that I want in the DNS section (my domain is 1 A record for the base and all CNAMEs for the subdomains)
- Set up ddclient so my domain points to my IP
- Request the certificate
And it all works like it should when I actually use the correct token.
What does your setup look like? That will make it easier to debug where the problem might come from. Can you post the error you get? There might be slight differences compared to my errors that will point us in the right direction.
Yes, I tested on tag :github-pr-687. But just to be clear, the token also works on both release and pr (at least for me). I think we were all just using the global API key instead of a token. The credentials folder part is on pr only; I have only tested it on github-pr-687 and release and it is reproducible.
Just wanting to thank you @chaptergy for your continued support. I really haven’t had time to do anything but read emails lately and it’s great to see community members like yourself helping out 😃 great work!