[GH-ISSUE #680] Cannot get Let's Encrypt cert via cloudflare dns challenge #575

Closed
opened 2026-02-26 06:33:28 +03:00 by kerem · 22 comments
Owner

Originally created by @Chachu1 on GitHub (Oct 29, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/680

I have set up a brand new NPM container and I am trying to get SSL certs but keep failing.

Below is the error I get in the logs:

```
[10/29/2020] [8:22:41 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/29/2020] [8:22:41 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates via Cloudflare for Cert #2: manage.habibtain.com
[10/29/2020] [8:22:52 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/29/2020] [8:22:52 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --non-interactive --cert-name "npm-2" --agree-tos --email "mohsinhassan88@gmail.com" --domains "manage.habibtain.com" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials-2"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None

Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for manage.habibtain.com
Cleaning up challenges

Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.8.13)
```

I don't know which part I am missing.

- I am sure the API key I provided is correct.

Can you please guide me?

![image](https://user-images.githubusercontent.com/13281554/97630280-cc26e280-1a48-11eb-8071-3a43ec8ecd8e.png)


@ikomhoog commented on GitHub (Nov 3, 2020):

I'm having the same problem, only I'm trying to request a wildcard certificate.

```
Error: Command failed: /usr/bin/certbot certonly --non-interactive --cert-name "npm-7" --agree-tos --email "me@hotmail.com" --domains "*.mydomain.com" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials-7"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
Cleaning up challenges
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.8.13)
    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)
```

In tutorials on how to do this there are ini files that need to be edited.
Is that also the case for Nginx-Proxy-Manager?
If so, where are these files located?


@ikomhoog commented on GitHub (Nov 3, 2020):

Update: went to test some more and found a temporary solution.
The token doesn't work, but the less secure email and key combination works.
Instead of

```
# Cloudflare API token
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
```

we need to use

```
# Cloudflare API token
dns_cloudflare_email=something@hotmail.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
```

So there might be something wrong with either the token implementation or the Cloudflare API (which was down last night).

I hope this helps further debugging.

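As an added example (not code from nginx-proxy-manager or certbot), a small checker for the two credentials-file variants above: it parses the flat `key = value` file, tells a scoped API token apart from a Global API Key pasted into the token slot (the mistake that produced the 6003 errors later in this thread), flags a key without its e-mail or both modes mixed, and reproduces the file-permission warning behind the `chmod 600`. The lowercase-hex heuristic and every sample value are assumptions and constructed placeholders, not real credentials.

```python
"""Sanity-check a certbot dns-cloudflare credentials file before it is used.

Added example for this thread; not code from nginx-proxy-manager or certbot.
Heuristic (assumption): a Cloudflare Global API Key is lowercase hex, while a
scoped API token is a mixed-case base64url-like string, so a hex-only "token"
is almost certainly the Global API Key copied from the wrong place.
"""
from __future__ import annotations

import os
import re
import stat
from dataclasses import dataclass, field

# Setting names read by certbot-dns-cloudflare (as seen in the files above).
TOKEN_KEY = "dns_cloudflare_api_token"
EMAIL_KEY = "dns_cloudflare_email"
APIKEY_KEY = "dns_cloudflare_api_key"

HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class CredentialsReport:
    mode: str                                          # token | global_key | mixed | none
    problems: list[str] = field(default_factory=list)  # certbot will fail
    warnings: list[str] = field(default_factory=list)  # works, but worth fixing

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_credentials(text: str) -> dict[str, str]:
    """Parse the flat 'key = value' INI that certbot's DNS plugins expect."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a 'key = value' line: {line!r}")
        values[key.strip()] = value.strip()
    return values


def check_credentials(text: str) -> CredentialsReport:
    """Classify the auth mode and report what would make certbot reject it."""
    values = parse_credentials(text)
    has_token, has_key, has_email = (k in values for k in (TOKEN_KEY, APIKEY_KEY, EMAIL_KEY))
    report = CredentialsReport(mode="none")

    if has_token and (has_key or has_email):
        report.mode = "mixed"
        report.problems.append("token and email/key settings both present; keep exactly one auth mode")
    elif has_token:
        report.mode = "token"
        token = values[TOKEN_KEY]
        if not token:
            report.problems.append(f"{TOKEN_KEY} is empty")
        elif HEX_RE.match(token):
            report.problems.append(
                "token value is all lowercase hex, the shape of a Global API Key; "
                "create a scoped API token (Edit zone DNS template) instead")
    elif has_key or has_email:
        report.mode = "global_key"
        if not has_email:
            report.problems.append(f"{APIKEY_KEY} requires {EMAIL_KEY} alongside it")
        if not has_key:
            report.problems.append(f"{EMAIL_KEY} given without {APIKEY_KEY}")
        report.warnings.append(
            "Global API Key grants full account access; a token scoped to Zone:DNS:Edit is safer")
    else:
        report.problems.append("no dns_cloudflare_* settings found")
    return report


def permission_warning(mode_bits: int) -> str | None:
    """Warn if group/others can read the file; NPM runs chmod 600 for this reason."""
    if mode_bits & 0o077:
        return f"file mode {mode_bits:03o} is readable by others; use chmod 600"
    return None


def check_file(path: str) -> CredentialsReport:
    """check_credentials() on a real file, plus the permission check above."""
    with open(path, encoding="utf-8") as fh:
        report = check_credentials(fh.read())
    warning = permission_warning(stat.S_IMODE(os.stat(path).st_mode))
    if warning:
        report.warnings.append(warning)
    return report


# Constructed samples (placeholder values, not real credentials).
SAMPLE_TOKEN_OK = ("# Cloudflare API token\n"
                   f"{TOKEN_KEY} = Ab1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV-wX_yZ12\n")
SAMPLE_KEY_AS_TOKEN = f"{TOKEN_KEY} = 0123456789abcdef0123456789abcdef01234\n"
SAMPLE_EMAIL_KEY = (f"{EMAIL_KEY}=something@example.com\n"
                    f"{APIKEY_KEY} = 0123456789abcdef0123456789abcdef01234\n")

if __name__ == "__main__":
    for name, sample in [("token", SAMPLE_TOKEN_OK), ("key-as-token", SAMPLE_KEY_AS_TOKEN),
                         ("email+key", SAMPLE_EMAIL_KEY)]:
        r = check_credentials(sample)
        print(f"{name:13} mode={r.mode:10} ok={r.ok} problems={r.problems} warnings={r.warnings}")
```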

@ikomhoog commented on GitHub (Nov 3, 2020):

Update: While I have it working I do get an error:

```
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf (cert: npm-1) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.

0 renew failure(s), 1 parse failure(s)

at ChildProcess.exithandler (child_process.js:308:12)
at ChildProcess.emit (events.js:314:20)
at maybeClose (internal/child_process.js:1051:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
```

which is weird because this is my file:

```
# renew_before_expiry = 30 days
version = 1.4.0
archive_dir = /etc/letsencrypt/archive/npm-1
cert = /etc/letsencrypt/live/npm-1/cert.pem
privkey = /etc/letsencrypt/live/npm-1/privkey.pem
chain = /etc/letsencrypt/live/npm-1/chain.pem
fullchain = /etc/letsencrypt/live/npm-1/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = myaccountkey
authenticator = dns-cloudflare
dns_cloudflare_credentials = /etc/letsencrypt/credentials-1
server = https://acme-v02.api.letsencrypt.org/directory
```

@chaptergy commented on GitHub (Nov 3, 2020):

> Update: While I have it working I do get an error:
>
> ```
> Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf (cert: npm-1) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
>
> 0 renew failure(s), 1 parse failure(s)
>
> at ChildProcess.exithandler (child_process.js:308:12)
> at ChildProcess.emit (events.js:314:20)
> at maybeClose (internal/child_process.js:1051:16)
> at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)
> `QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
> `QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
> ```

This is a separate problem described in https://github.com/jc21/nginx-proxy-manager/issues/662. The fix is merged, however there has been no release since then.


@chaptergy commented on GitHub (Nov 3, 2020):

Is someone able to verify that this problem is fixed when using image `jc21/nginx-proxy-manager:github-pr-687`? Just change the tag `:latest` to `github-pr-687` in your docker-compose file.


@jc21 commented on GitHub (Nov 3, 2020):

Just wanting to thank you @chaptergy for your continued support. I really haven't had time to do anything but read emails lately and it's great to see community members like yourself helping out :) great work!


@potvinp commented on GitHub (Nov 4, 2020):

> Is someone able to verify that this problem is fixed when using image `jc21/nginx-proxy-manager:github-pr-687`? Just change the tag `:latest` to `github-pr-687` in your docker-compose file.

This seems to have no effect on the issue, at least on my end. Also doing this nuked my entire configuration, which was unfortunate but crap happens.


@chaptergy commented on GitHub (Nov 4, 2020):

Unfortunately I am unable to debug this, since I do not have any domains at Cloudflare or domains I could quickly transfer to Cloudflare to test this. Is there someone willing to help me debug this, or someone willing to provide me with a Cloudflare token with `Zone:DNS:Edit` permission for some random (sub)domain so I can debug this myself?


@ikomhoog commented on GitHub (Nov 4, 2020):

I set up a second npm container with the same parameters (except the paths) on my system.

I'm getting a new error about npm not being able to create a folder (or a file in a folder it didn't create):

```
Error: Command failed: echo '# Cloudflare API token
dns_cloudflare_api_token = [MyToken]' > '/etc/letsencrypt/credentials/credentials-2' && chmod 600 '/etc/letsencrypt/credentials/credentials-2'
/bin/sh: can't create /etc/letsencrypt/credentials/credentials-2: nonexistent directory

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Socket. (internal/child_process.js:442:11)
    at Socket.emit (events.js:314:20)
    at Pipe. (net.js:673:12)
```

The letsencrypt folder is rather empty compared to my main npm folder.
When I let UnRaid alter the rights for the /etc/letsencrypt folder it still gives this error; when I then create the credentials folder myself it accepts it and goes through with creating the other missing folders.

I tested this a few times, and it is reproducible on the pr version; the release version does not have this error.

The request still fails with the same error as before:

```
Error: Command failed: /usr/bin/certbot certonly --non-interactive --cert-name "npm-3" --agree-tos --email "me@hotmail.com" --domains "*.mydomain.com" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-3"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
Cleaning up challenges
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.8.13)

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)
```

@ikomhoog commented on GitHub (Nov 4, 2020):

Update: I can't read, I was trying to use my global-api-**KEY** as the token; I assumed they would be interchangeable.
While creating a token for @chaptergy it suddenly dawned on me that it might not be a global-api-token.

This confusion probably came from the spaceinvaderone tutorial, where he uses the key and e-mail instead of a token.

Sorry for taking your time, the token works like it should.
@Chachu1 and @potvinp, can you also confirm this?
https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys


@chaptergy commented on GitHub (Nov 4, 2020):

Thanks for testing! I assume you tested on tag `:github-pr-687`?


@ikomhoog commented on GitHub (Nov 4, 2020):

Yes, I tested on tag `:github-pr-687`.
But just to be clear, the token also works on both release and pr (at least for me).
I think we were all just using the global-API-key instead of a token.

The credentials folder part is on pr only; I have only tested it on github-pr-687 and release and it is reproducible.


@potvinp commented on GitHub (Nov 4, 2020):

> Update: I can't read, i was trying to use my global-api-**KEY** as the token, i assumed they would be interchangeable.
> While creating a token for @chaptergy it suddenly dawned on me that it might not be a global-api-token.
>
> this confusion probably came from the spaceinvaderone tutorial where he uses the key and e-mail instead of a token.
>
> Sorry for taking your time, the token works like it should.
> @Chachu1 and @potvinp can you also confirm this?
> https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys

I have been trying to use the API token that I generated with the `Zone:DNS:Edit` permission and I haven't had any luck. Just for giggles I tried the global key itself and that still didn't work, which I expected.

I'll test again later once I'm off work and then update.


@ikomhoog commented on GitHub (Nov 4, 2020):

@potvinp have you already pointed the (sub)domain you are trying to get a cert for to your IP address? (since this is a requirement for DNS challenges)
Does everything work without SSL certificates?
Did you try the key with these lines (notice that it's not "token" but "key" here):

```
# Cloudflare API token
dns_cloudflare_email=something@hotmail.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
```

since the key requires an e-mail.

I'm trying to spot a difference in our setups.

I'm using Google Domains for my domain and only use Cloudflare for the DNS and certificates, since I could get a wildcard certificate there.

I haven't done anything special during that setup:

1. Change the nameservers to the Cloudflare ones
2. Add all the subdomains that I want in the DNS section (my domain is 1 A record for the base and all CNAMEs for the subdomains)
3. Set up ddclient so my domain points to my IP
4. Request the certificate

and it all works like it should when I actually use the correct token.

What does your setup look like?
That will make it easier to debug where the problem might come from.
Can you post the error you get?
There might be slight differences compared to my errors that will point us in the right direction.


@chaptergy commented on GitHub (Nov 5, 2020):

I have updated the PR with some additions to make sure the `nonexistent directory` error does not happen. I am now no longer able to produce this error on `:github-pr-687`. Furthermore I have been provided an API token for Cloudflare and I have been able to create a certificate successfully using this token every time on the current `:github-pr-687` build.


@ikomhoog commented on GitHub (Nov 5, 2020):

I have also tested it and it all works as expected, no directory error on a clean install, and the token works every time.


@Chachu1 commented on GitHub (Nov 5, 2020):

> I have also tested it and it all works as expected, no directory error on a clean install, and the token works every time.


@Chachu1 commented on GitHub (Nov 5, 2020):

Sorry guys, clicked on the wrong button...

I tried @ikomhoog's suggestion and yes, the issue was actually the global API key and the token confusion.
If you use the token it works properly, and on the `:latest` tag as well.

Thank you for helping out 👍

---

If anyone in future gets here looking for an answer:
You need an API token; this is different from your global API key.
https://developers.cloudflare.com/api/tokens/create <--- follow this link to create a token

You can use the "Edit Zone DNS" template.

![image](https://user-images.githubusercontent.com/13281554/98292116-9ee8b000-1fc5-11eb-880a-55f64ca32fe6.png)


@chaptergy commented on GitHub (Nov 6, 2020):

Great, I'm glad it's working! :)
If this issue is resolved, please go ahead and close it. Thanks!


@koshia commented on GitHub (Feb 26, 2021):

I hate to bring a closed issue back to life and it may be something on Cloudflare's end but can someone confirm for me that I don't need the TXT records created ahead of time in my DNS Zones when using Cloudflare option? I'm looking at the log when it tries to go out and register letsencrypt - it creates the two TXT records and then deletes it but then fails the challenge. If I set up the TXT records, it wouldn't match when I resubmit the registration through NPM. Single subdomain works, whole domain and wildcard via DNS Challenge fails via the Zone EDIT API method.

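On the question above about pre-creating the TXT records: as an added example (not code from nginx-proxy-manager or certbot), here is how the dns-01 values certbot publishes are derived per RFC 8555 section 8.4 and RFC 7638. It shows why a record created ahead of time can never match (the value hashes a one-time token the CA issues per challenge together with the ACME account key) and why an apex plus wildcard order yields exactly two records at one name. The tokens and the account key are constructed placeholders.

```python
"""Derive the dns-01 TXT records an ACME order needs (RFC 8555 s8.4, RFC 7638).

Added example for this thread; not code from nginx-proxy-manager or certbot.
The account key and challenge tokens below are constructed placeholders.
"""
from __future__ import annotations

import base64
import hashlib
import json
from collections import defaultdict


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace.
    Extra members such as 'alg' do not change the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint binds the CA's one-time token to this account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """(TXT name, TXT value) for one dns identifier.  The '*.' of a wildcard is
    stripped, so '*.example.com' and 'example.com' validate at the same name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def records_for_order(challenges: dict[str, str], account_jwk: dict) -> dict[str, list[str]]:
    """Group the TXT values an order needs by record name (identifier -> token)."""
    records: dict[str, list[str]] = defaultdict(list)
    for identifier, token in challenges.items():
        name, value = dns01_record(identifier, token, account_jwk)
        records[name].append(value)
    return dict(records)


# Constructed account key (not a real RSA modulus) and constructed tokens.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-" + "A" * 323,
               "alg": "RS256"}   # extra member, ignored by the thumbprint
ORDER_CHALLENGES = {
    "example.com": "apexToken_0123456789abcdefghijklmnopqrstuv",
    "*.example.com": "wildToken_0123456789abcdefghijklmnopqrstuv",
}

if __name__ == "__main__":
    # Two TXT records at one name, both removed again once the CA has validated.
    for name, values in records_for_order(ORDER_CHALLENGES, ACCOUNT_JWK).items():
        for value in values:
            print(f'{name} IN TXT "{value}"')
```

Because the value is per-challenge, the only knob worth turning when the CA sees stale data is the wait before validation, certbot's `--dns-cloudflare-propagation-seconds` (default 10), not a hand-made record.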

@JoahZhang commented on GitHub (Aug 7, 2023):

I figured out this problem. I created an api_key in Cloudflare; use the key you just generated, and be careful that it is not the global key.


@Becase commented on GitHub (Oct 18, 2023):

> @potvinp have you already pointed the (sub)domain you are trying to get a cert for to your IP address?(since this is a requirement for DNS challenges) Does everything work without SSL certificates? Did you try the key with these lines(notice that it's not "token" but "key" here):
>
> ```
> # Cloudflare API token
> dns_cloudflare_email=something@hotmail.com
> dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
> ```
>
> since the key requires an e-mail
>
> I'm trying to spot a difference in our setups.
>
> I'm using google domains for my domain and only use Cloudflare for the DNS and certificates since I could get a wildcard certificate there.
>
> I haven't done anything special during that setup: Change the nameservers to the Cloudflare ones Add all the subdomains that I want in the DNS section(my domain is 1 A Record for the base and all CNAMEs for the subdomains) Setup ddclient so my domain points to my IP Request the certificate
>
> and it all works like it should when I actually use the correct token.
>
> What does your setup look like? That will make it easier to debug where the problem might come from. Can you post the error you get? There might be slight differences compared to my errors that will point us in the right direction.

Thanks, it works~
