[GH-ISSUE #3063] Cloudflare DNS challenge request for SSL certificate failed #2082

Closed
opened 2026-02-26 07:33:57 +03:00 by kerem · 8 comments

Originally created by @Aqr-K on GitHub (Jul 17, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3063

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

Using versions 2.9.19, 2.10.3, and 2.10.3: PR-2971, I cannot apply for Cloudflare SSL certificates properly, and the applications for example.com and *.example.com have also failed.

Internal Error

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --agree-tos --email "abc@mail" --domains "example.xyz" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-1"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.11.6)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Nginx Proxy Manager Version

2.9.19
2.10.3
20.10.3;pr-2971

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'SSL Certificates'
  2. Click on 'Let's Encrypt'
  3. Click on 'USE a DNS challenge'

Expected behavior

Can apply for a Cloudflare certificate normally.

Operating System

x86 Debian11

Additional context

Docker started ipv6, but the host only has ipv4. The container shows that it has bridging ipv4 and ipv6, and ports 80 and 443 of the public IP are banned by the operator.

Docker version: 20.10.23

2.10.3:pr-2971 letsencrypt-log

2023-07-17 13:53:26,842:DEBUG:certbot._internal.main:certbot version: 2.5.0
2023-07-17 13:53:26,843:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-07-17 13:53:26,843:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-1', '--agree-tos', '--email', 'xxx@mail', '--domains', 'example.xyz', '--authenticator', 'dns-cloudflare', '--dns-cloudflare-credentials', '/etc/letsencrypt/credentials/credentials-1']
2023-07-17 13:53:26,844:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-07-17 13:53:26,855:DEBUG:certbot._internal.log:Root logging level set at 30
2023-07-17 13:53:26,856:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-cloudflare and installer None
2023-07-17 13:53:26,860:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-cloudflare = certbot_dns_cloudflare._internal.dns_cloudflare:Authenticator
Initialized: <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7fc8747dfb00>
Prep: True
2023-07-17 13:53:26,860:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7fc8747dfb00> and installer None
2023-07-17 13:53:26,860:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-cloudflare, Installer None
2023-07-17 13:53:27,077:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-07-17 13:53:27,080:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-07-17 13:53:30,012:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752
2023-07-17 13:53:30,013:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 17 Jul 2023 13:53:29 GMT
Content-Type: application/json
Content-Length: 752
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "nUSMb66XUYI": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-07-17 13:53:30,014:DEBUG:acme.client:Requesting fresh nonce
2023-07-17 13:53:30,014:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-07-17 13:53:30,357:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-07-17 13:53:30,358:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 17 Jul 2023 13:53:30 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 4397_5wl3rxJRlu0Zh31dqVvWwcMBOQpzcdMWFYbxbXMEjA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-07-17 13:53:30,359:DEBUG:acme.client:Storing nonce: 4397_5wl3rxJRlu0Zh31dqVvWwcMBOQpzcdMWFYbxbXMEjA
2023-07-17 13:53:30,360:DEBUG:acme.client:JWS payload:
b'{\n  "contact": [\n    "mailto:xxx@mail"\n  ],\n  "termsOfServiceAgreed": true\n}'
2023-07-17 13:53:30,370:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-acct:
2023-07-17 13:53:30,724:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-acct HTTP/1.1" 201 561
2023-07-17 13:53:30,725:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 17 Jul 2023 13:53:30 GMT
Content-Type: application/json
Content-Length: 561
Connection: keep-alive
Boulder-Requester: 1211070137
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf>;rel="terms-of-service"
Location: https://acme-v02.api.letsencrypt.org/acme/acct/1211070137
Replay-Nonce: 853FdEF0_vr8-U9Ga2QHvXmhjmfMify8f8flAmPpyDfaZ1g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "key": {
    "kty": "RSA",
    "n": "1He88RYzLCtKedgg2jbZcLzqxxrKtGIZnTFwH6WU1AFbhU9LUp8uMF-G5cZ-xRwztzU8CIC42X6kH242iUVxFDUecxFYin8MgaquP6jMbtgjQ5zY0vSRgFg1MM0_nf7S-4-2CVrppU2ruRDGQ3MdDuHE7dDCTpbdzoVQ-UBMn9IIPFpAECbHkyZuSia8oi7Cv7_adCuKGvtKr5zRwBvxzUUZ33fm_1TAeot3I8Y9gmSlxHueQbkJtYNqEqO-mTKDC35Mx0DWyj9DkA7a8e1d6HPf8x9CnxNEoUOd6EkCWOqyHFR4IrRNXJSAAwGSC1ChJFykbqiIywhZgWxO5VdUzQ",
    "e": "AQAB"
  },
  "contact": [
    "mailto:xxx@mail"
  ],
  "initialIp": "125.92.102.192",
  "createdAt": "2023-07-17T13:53:30.552903526Z",
  "status": "valid"
}
2023-07-17 13:53:30,726:DEBUG:acme.client:Storing nonce: 853FdEF0_vr8-U9Ga2QHvXmhjmfMify8f8flAmPpyDfaZ1g
2023-07-17 13:53:30,734:DEBUG:certbot._internal.display.obj:Notifying user: Account registered.
2023-07-17 13:53:30,735:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fc874684cf8>)>), contact=('mailto:xxx@mail',), agreement=None, status='valid', terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1211070137', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'), 4a1c4c7e0ada85ab186f89973b4c68f3, Meta(creation_dt=datetime.datetime(2023, 7, 17, 13, 53, 30, tzinfo=<UTC>), creation_host='2938903deca4', register_to_eff=None))>
2023-07-17 13:53:30,736:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for example.xyz
2023-07-17 13:53:30,771:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "example.xyz"\n    }\n  ]\n}'
2023-07-17 13:53:30,775:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2023-07-17 13:53:31,716:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 339
2023-07-17 13:53:31,717:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 17 Jul 2023 13:53:30 GMT
Content-Type: application/json
Content-Length: 339
Connection: keep-alive
Boulder-Requester: 1211070137
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1211070137/195515740757
Replay-Nonce: 853F3_usMabkx6WgajGWS-8xOQTnNt49Q-sd-ItrflqnMLo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-07-24T13:53:30Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "example.xyz"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/246423504417"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1211070137/195515740757"
}
2023-07-17 13:53:31,717:DEBUG:acme.client:Storing nonce: 853F3_usMabkx6WgajGWS-8xOQTnNt49Q-sd-ItrflqnMLo
2023-07-17 13:53:31,719:DEBUG:acme.client:JWS payload:
b''
2023-07-17 13:53:31,722:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/246423504417:
2023-07-17 13:53:32,066:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/246423504417 HTTP/1.1" 200 797
2023-07-17 13:53:32,067:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 17 Jul 2023 13:53:31 GMT
Content-Type: application/json
Content-Length: 797
Connection: keep-alive
Boulder-Requester: 1211070137
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 853FtH2T3QErakt4DO21qNxHjeaMGkw_VImO1V7bSxk1yoM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "example.xyz"
  },
  "status": "pending",
  "expires": "2023-07-24T13:53:30Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/246423504417/mi_img",
      "token": "G3uiSgWZJmoBld7guoKtU-7rtWVpIZDu-6AXu2nw_os"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/246423504417/Rtk3zg",
      "token": "G3uiSgWZJmoBld7guoKtU-7rtWVpIZDu-6AXu2nw_os"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/246423504417/ce9nNg",
      "token": "G3uiSgWZJmoBld7guoKtU-7rtWVpIZDu-6AXu2nw_os"
    }
  ]
}
2023-07-17 13:53:32,067:DEBUG:acme.client:Storing nonce: 853FtH2T3QErakt4DO21qNxHjeaMGkw_VImO1V7bSxk1yoM
2023-07-17 13:53:32,068:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-07-17 13:53:32,069:INFO:certbot._internal.auth_handler:dns-01 challenge for example.xyz
2023-07-17 13:53:32,102:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2023-07-17 13:53:39,877:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=example.xyz&per_page=1 HTTP/1.1" 400 None
2023-07-17 13:53:39,903:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 198, in _find_zone_id
    zones = self.cf.zones.get(params=params)  # zones | pylint: disable=no-member
  File "/opt/certbot/lib/python3.7/site-packages/CloudFlare/cloudflare.py", line 675, in get
    return self._base.do_auth('GET', self._parts, [identifier1, identifier2, identifier3, identifier4], params, data)
  File "/opt/certbot/lib/python3.7/site-packages/CloudFlare/cloudflare.py", line 129, in do_auth
    return self._call(method, headers, parts, identifiers, params, data, files)
  File "/opt/certbot/lib/python3.7/site-packages/CloudFlare/cloudflare.py", line 506, in _call
    raise CloudFlareAPIError(code, message, error_chain)
CloudFlare.exceptions.CloudFlareAPIError: Invalid request headers

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 76, in _perform
    self._get_cloudflare_client().add_txt_record(domain, validation_name, validation, self.ttl)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 121, in add_txt_record
    zone_id = self._find_zone_id(domain)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 217, in _find_zone_id
    .format(code, msg, hint))
certbot.errors.PluginError: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.11.6)

2023-07-17 13:53:39,904:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-07-17 13:53:39,904:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-07-17 13:53:39,921:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2023-07-17 13:53:46,664:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=example.xyz&per_page=1 HTTP/1.1" 400 None
2023-07-17 13:53:46,666:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Encountered error finding zone_id during deletion: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.11.6)
2023-07-17 13:53:46,670:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 198, in _find_zone_id
    zones = self.cf.zones.get(params=params)  # zones | pylint: disable=no-member
  File "/opt/certbot/lib/python3.7/site-packages/CloudFlare/cloudflare.py", line 675, in get
    return self._base.do_auth('GET', self._parts, [identifier1, identifier2, identifier3, identifier4], params, data)
  File "/opt/certbot/lib/python3.7/site-packages/CloudFlare/cloudflare.py", line 129, in do_auth
    return self._call(method, headers, parts, identifiers, params, data, files)
  File "/opt/certbot/lib/python3.7/site-packages/CloudFlare/cloudflare.py", line 506, in _call
    raise CloudFlareAPIError(code, message, error_chain)
CloudFlare.exceptions.CloudFlareAPIError: Invalid request headers

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 76, in _perform
    self._get_cloudflare_client().add_txt_record(domain, validation_name, validation, self.ttl)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 121, in add_txt_record
    zone_id = self._find_zone_id(domain)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 217, in _find_zone_id
    .format(code, msg, hint))
certbot.errors.PluginError: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.11.6)
2023-07-17 13:53:46,692:ERROR:certbot._internal.log:Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.11.6)
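
Added example (not part of the original issue, and not code from Nginx Proxy Manager or certbot): a small triage script for a certbot debug log in the format shown above. It tallies the urllib3 request lines per host and pulls out the provider error code, which for this log shows every ACME request succeeding and the first failure at api.cloudflare.com. The function names are this example's own, and the sample lines are abridged from the log above.

```python
import re

# Sample input: four lines abridged from the letsencrypt.log in this issue.
SAMPLE_LOG = """\
2023-07-17 13:53:30,012:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752
2023-07-17 13:53:30,724:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-acct HTTP/1.1" 201 561
2023-07-17 13:53:39,877:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=example.xyz&per_page=1 HTTP/1.1" 400 None
2023-07-17 13:53:46,692:ERROR:certbot._internal.log:Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials.
"""

# One completed HTTP request as urllib3 logs it at DEBUG level.
REQUEST_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})'
    r':DEBUG:urllib3\.connectionpool:'
    r'https?://(?P<host>[^:/\s]+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<length>\S+)$'
)

# The dns-cloudflare plugin error text as it appears in the log above.
PLUGIN_ERROR_RE = re.compile(
    r'Error determining zone_id: (?P<code>\d+) (?P<msg>[^.\n]+)\.'
)


def parse_requests(log_text):
    """Return one dict per completed HTTP request found in the log."""
    requests = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # tracebacks, headers, JSON bodies, other loggers
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        # Drop the query string so zone names do not end up in the summary.
        entry["path"] = entry["path"].split("?", 1)[0]
        requests.append(entry)
    return requests


def triage(log_text):
    """Summarise which host answered with an error and what the plugin said."""
    requests = parse_requests(log_text)
    per_host = {}
    for r in requests:
        stats = per_host.setdefault(r["host"], {"ok": 0, "failed": 0})
        stats["failed" if r["status"] >= 400 else "ok"] += 1
    first_failure = next((r for r in requests if r["status"] >= 400), None)
    m = PLUGIN_ERROR_RE.search(log_text)
    provider_error = (
        {"code": int(m.group("code")), "message": m.group("msg")} if m else None
    )
    return {
        "per_host": per_host,
        "first_failure": first_failure,
        "provider_error": provider_error,
    }


def failing_stage(report):
    """Name the stage of the first failed request, or None if none failed."""
    failure = report["first_failure"]
    if failure is None:
        return None
    if failure["host"].endswith("api.letsencrypt.org"):
        return "acme"
    if failure["host"] == "api.cloudflare.com":
        return "dns-provider-api"
    return "other"


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for host, stats in report["per_host"].items():
        print(f"{host}: {stats['ok']} ok, {stats['failed']} failed")
    print("first failure:", report["first_failure"])
    print("provider error:", report["provider_error"])
    print("failing stage:", failing_stage(report))
```
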

validation_domain_name, validation)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 76, in _perform
    self._get_cloudflare_client().add_txt_record(domain, validation_name, validation, self.ttl)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 121, in add_txt_record
    zone_id = self._find_zone_id(domain)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 217, in _find_zone_id
    .format(code, msg, hint))
certbot.errors.PluginError: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.11.6)
2023-07-17 13:53:39,904:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-07-17 13:53:39,904:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-07-17 13:53:39,921:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2023-07-17 13:53:46,664:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=example.xyz&per_page=1 HTTP/1.1" 400 None
2023-07-17 13:53:46,666:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Encountered error finding zone_id during deletion: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.11.6)
2023-07-17 13:53:46,670:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 198, in _find_zone_id
    zones = self.cf.zones.get(params=params) # zones | pylint: disable=no-member
  File "/opt/certbot/lib/python3.7/site-packages/CloudFlare/cloudflare.py", line 675, in get
    return self._base.do_auth('GET', self._parts, [identifier1, identifier2, identifier3, identifier4], params, data)
  File "/opt/certbot/lib/python3.7/site-packages/CloudFlare/cloudflare.py", line 129, in do_auth
    return self._call(method, headers, parts, identifiers, params, data, files)
  File "/opt/certbot/lib/python3.7/site-packages/CloudFlare/cloudflare.py", line 506, in _call
    raise CloudFlareAPIError(code, message, error_chain)
CloudFlare.exceptions.CloudFlareAPIError: Invalid request headers

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 76, in _perform
    self._get_cloudflare_client().add_txt_record(domain, validation_name, validation, self.ttl)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 121, in add_txt_record
    zone_id = self._find_zone_id(domain)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 217, in _find_zone_id
    .format(code, msg, hint))
certbot.errors.PluginError: Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.11.6)
2023-07-17 13:53:46,692:ERROR:certbot._internal.log:Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.11.6)
```
kerem closed this issue and added the bug label 2026-02-26 07:33:57 +03:00

@lug-gh commented on GitHub (Jul 19, 2023):

This looks like an error on your end, not a bug, it works fine for me.
Please check your API token, it must have at least the permission "Zone:DNS:Edit" for the zone "example.xyz".


@Aqr-K commented on GitHub (Jul 19, 2023):

@lug-gh
This should be a bug.
Because I am using the `Global API Key`, which can manage all domain names on my Cloudflare, and the `ddns` service on my router also uses this token without any issues.


@lug-gh commented on GitHub (Jul 19, 2023):

It is still not a bug.
The plugin requires an API token, not an API key. The global API key only works together with your Cloudflare account email address.
Please create a token, using the global API key is a potential security risk.
https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials

Your router appears to also hold your Cloudflare email. This works, but is not good.


@Aqr-K commented on GitHub (Jul 19, 2023):

I tried it on version `2.9.19` and found that it is indeed not a bug.
I used the wrong method; after generating a token for the domain name, using the token can solve the problem.
I think there should be many people like me, using `key` instead of `token`. I have seen many similar cases in issues; this is a good solution.
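
An added example, not from this thread or from the NPM or certbot projects: a small linter for a certbot-dns-cloudflare credentials file that flags the mix-up resolved above (a Global API Key placed in the token setting), plus a key without its email and loose file permissions. The setting names are the plugin's documented ones; the 37-hex-character key shape and 40-character token shape are assumptions used as heuristics, and every sample value is constructed.

```python
import re

# Assumed shapes (heuristics, not stated in the thread): a Global API Key is
# 37 hex characters; a scoped API token is 40 URL-safe characters.
GLOBAL_KEY_RE = re.compile(r"^[0-9a-f]{37}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{40}$")


def parse_ini(text):
    """Parse the flat `name = value` lines of a certbot credentials file."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip().strip("'\"")
    return settings


def audit_credentials(text, mode=0o600):
    """Return sorted finding codes for a dns-cloudflare credentials file."""
    s = parse_ini(text)
    token = s.get("dns_cloudflare_api_token")
    key = s.get("dns_cloudflare_api_key")
    email = s.get("dns_cloudflare_email")
    findings = set()
    if token is not None:
        if GLOBAL_KEY_RE.match(token):
            # The situation reported in this issue, which ended in error 6003.
            findings.add("global-key-in-token-field")
        elif not TOKEN_RE.match(token):
            findings.add("token-malformed-or-truncated")
    if key is not None:
        findings.add("global-key-in-use")  # account-wide credential
        if not email:
            findings.add("key-without-email")
    if token is not None and key is not None:
        findings.add("token-and-key-both-set")
    if token is None and key is None:
        findings.add("no-credential")
    if mode & 0o077:
        findings.add("file-readable-by-group-or-other")
    return sorted(findings)


# Constructed sample values; none of these are real credentials.
FAKE_KEY = "0123456789abcdef0123456789abcdef01234"       # 37 hex chars
FAKE_TOKEN = "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789-_Ab"   # 40 chars

BROKEN = f"dns_cloudflare_api_token = {FAKE_KEY}\n"
LEGACY = (f"dns_cloudflare_email = user@example.com\n"
          f"dns_cloudflare_api_key = {FAKE_KEY}\n")
FIXED = f"# scoped token with Zone:DNS:Edit\ndns_cloudflare_api_token = {FAKE_TOKEN}\n"

if __name__ == "__main__":
    for name, text, mode in [("broken", BROKEN, 0o644),
                             ("legacy", LEGACY, 0o600),
                             ("fixed", FIXED, 0o600)]:
        print(name, audit_credentials(text, mode))
```

Pass the file's real mode with `os.stat(path).st_mode & 0o777` when checking a credentials file on disk.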


@lug-gh commented on GitHub (Jul 22, 2023):

I also think that detailed documentation for actual use is missing from NPM. It is an open source project, so everyone can do their part. I could write a manual, but I don't know where exactly to place it or how to structure it.
Are there any plans or guidelines for this @jc21?

Edit: I think this issue can be closed. I just installed NPM version 3, it uses acme.sh and the UI is much more user friendly.

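![image](https://github.com/NginxProxyManager/nginx-proxy-manager/assets/24546639/2e031b33-f79f-4ac4-8173-081d97fc8953)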

But I wonder why acme.sh requires the account ID and email, or if it is just a "wrong" implementation in NPM.


@z0sen commented on GitHub (Aug 2, 2023):

> I also think that detailed documentation for actual use is missing from NPM. It is an open source project, so everyone can do their part. I could write a manual, but I don't know where exactly to place it or how to structure it. Are there any plans or guidelines for this @jc21?
>
> Edit: I think this issue can be closed. I just installed NPM version 3, it uses acme.sh and the UI is much more user friendly.
>
> ![image](https://user-images.githubusercontent.com/24546639/255322750-2e031b33-f79f-4ac4-8173-081d97fc8953.png)
>
> But I wonder why acme.sh requires the account ID and email, or if it is just a "wrong" implementation in NPM.

How to upgrade to v3?


@lug-gh commented on GitHub (Aug 2, 2023):

@z0sen There's no way to upgrade (yet), and v3 is still under development - and is far from stable ;)
#1202


@z0sen commented on GitHub (Aug 3, 2023):

Well, anyway, I have no problem with the latest version of v2 now.
