SSL Letsencrypt Cloudflare Full (strict) not works Error 526 Invalid SSL certificate Authenticated Origin Pulls

Discussion in 'Domains, DNS, Email & SSL Certificates' started by adamus007p, Dec 27, 2021.

  1. adamus007p

    adamus007p Member

    368
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    11:25 PM
    @eva2000 I have checked if the API works too.

    In the persistent config I double checked everything and ran:

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh check_cfapi
    
    ------------------------------------------------------------------------------
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of /usr/local/src/centminmod/addons/acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    or via command: cmupdate
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.82
    Latest acmetool.sh Version: 1.0.83
    ------------------------------------------------------------------------------
    
    Verifying working Cloudflare DNS API Credentials
    CF API Tokens detected
    Ok: CF API Token works
    



    I followed Letsencrypt Free SSL Certificates
    and
    https://community.centminmod.com/th...cloudflare-dns-api-domain-verification.22630/

    so I created a new token, but got the same result as in the post above.

    @eva2000 what is wrong?


    What I can see is that in the domains where there are errors there is

    issue & install letsencrypt ssl certificate for domain99.com Invalid SSL certificate Error code 526





    during installation

    Code:
    issue & install letsencrypt ssl certificate for domain99.com
    -----------------------------------------------------------
    testcert value = wplived
    wp routine detected use reissue instead via --force
    /root/.acme.sh/acme.sh --force --issue -d domain99.com -d www.domain99.com --days 60 -w /home/nginx/domains/domain99.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-130719-183030.log --log-level 2
    [Sat Jul 13 18:30:41 UTC 2019] Creating domain key
    [Sat Jul 13 18:30:41 UTC 2019] The domain key is here: /root/.acme.sh/domain99.com/domain99.com.key
    [Sat Jul 13 18:30:41 UTC 2019] Multi domain='DNS:domain99.com,DNS:www.domain99.com'
    [Sat Jul 13 18:30:41 UTC 2019] Getting domain auth token for each domain
    [Sat Jul 13 18:30:43 UTC 2019] Getting webroot for domain='domain99.com'
    [Sat Jul 13 18:30:43 UTC 2019] Getting webroot for domain='www.domain99.com'
    [Sat Jul 13 18:30:43 UTC 2019] Verifying: domain99.com
    [Sat Jul 13 18:30:46 UTC 2019] Pending
    [Sat Jul 13 18:30:48 UTC 2019] domain99.com:Verify error:Fetching https://domain99.com/.well-known/acme-challenge/jYXU0t1Rb6OAvj1MEGFxxxxx: Too many redirects
    [Sat Jul 13 18:30:48 UTC 2019] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-130719-183030.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root  63K Jul 13 18:30 acmetool.sh-debug-log-130719-183030.log
    -rw-r--r-- 1 root root 5.6K Jul 13 18:30 acmesh-issue_130719-183030.log

    I believe the other domains with problems have the same problem.

    @eva2000 How to fix this problem?
     
    Last edited: Dec 13, 2022
  2. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    8:25 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    That's not Cloudflare DNS API domain validation but the regular default web root validation, different from the invalid domain one I quoted previously in this thread.
     
  3. eva2000
    The error says so. Make sure Cloudflare Always HTTPS is disabled, or if you want it enabled, remove the 302 redirect in the nginx domain.com.ssl.conf vhost config by commenting out the smaller 1st server{} context enclosing the 302 redirect for port 80.
     
  4. adamus007p
    Thank you for your response. Yes, Cloudflare Always HTTPS is enabled.

    I do not see any port 80 in my configs.
    Anyway, I turned off Cloudflare Always HTTPS but it did not help.

    I see that all configs are some-domain-name.pl.ssl.conf

    I am copying and pasting the config of the domain where the problem is:

    Code (Text):
    #x# HTTPS-DEFAULT
     server {
     
       server_name domain99.com www.domain99.com;
       return 302 https://domain99.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain99.com www.domain99.com;
    
      include /usr/local/nginx/conf/ssl/domain99.com/domain99.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain99.com/origin.crt;
      ssl_verify_client on;
      #http2_max_field_size 16k;
      #http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;



    What can the problem be here?



    In one domain I have disabled Cloudflare Always HTTPS
    and ran

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    


    Below there are errors. It seems that turning Cloudflare Always HTTPS off did not help.
    Code (Text):
    [Tue Dec 13 14:50:43 UTC 2022] Renew: 'domain2kr.com'
    [Tue Dec 13 14:50:44 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Tue Dec 13 14:50:44 UTC 2022] Multi domain='DNS:domain2kr.com,DNS:www.domain2kr.com'
    [Tue Dec 13 14:50:44 UTC 2022] Getting domain auth token for each domain
    [Tue Dec 13 14:50:48 UTC 2022] Getting webroot for domain='domain2kr.com'
    [Tue Dec 13 14:50:48 UTC 2022] Getting webroot for domain='www.domain2kr.com'
    [Tue Dec 13 14:50:48 UTC 2022] Adding txt value: PY7WZT61iaoHGtARblcmMMsdSxxxxxxxx8 for domain:  _acme-challenge.domain2kr.com
    [Tue Dec 13 14:50:51 UTC 2022] invalid domain
    [Tue Dec 13 14:50:51 UTC 2022] Error add txt for domain:_acme-challenge.domain2kr.com
    [Tue Dec 13 14:50:51 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-130719-183030.log
    [Tue Dec 13 14:50:53 UTC 2022] Error renew domain2kr.com.
    [Tue Dec 13 14:50:53 UTC 2022] Renew: 'domain2kr.com'
    [Tue Dec 13 14:50:54 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Tue Dec 13 14:50:54 UTC 2022] Multi domain='DNS:domain2kr.com,DNS:www.domain2kr.com'
    [Tue Dec 13 14:50:54 UTC 2022] Getting domain auth token for each domain
    [Tue Dec 13 14:50:58 UTC 2022] Getting webroot for domain='domain2kr.com'
    [Tue Dec 13 14:50:58 UTC 2022] Getting webroot for domain='www.domain2kr.com'
    [Tue Dec 13 14:50:58 UTC 2022] Adding txt value: W2iY49omYGMIgFEo_M-xxxxxxxx for domain:  _acme-challenge.domain2kr.com
    [Tue Dec 13 14:51:02 UTC 2022] invalid domain
    [Tue Dec 13 14:51:02 UTC 2022] Error add txt for domain:_acme-challenge.domain2kr.com
    [Tue Dec 13 14:51:02 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-130719-183030.log
    [Tue Dec 13 14:51:03 UTC 2022] Error renew domain2kr.com_ecc.
    


    and the config of this domain:

    Code (Text):
    #x# HTTPS-DEFAULT
     server {
     
       server_name domain2kr.com www.domain2kr.com;
       return 302 https://domain2kr.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain2kr.com www.domain2kr.com;
    
      include /usr/local/nginx/conf/ssl/domain2kr.com/domain2kr.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain2kr.com/origin.crt;
      ssl_verify_client on;
      #http2_max_field_size 16k;
      #http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;



    Any idea how to correct it? Do you need any other info or logs? Thank you for your time and help.
     
    Last edited: Dec 14, 2022
  5. eva2000
    When the listen directive is not set, it defaults to port 80, so this is the relevant server{} context I was talking about disabling/commenting out if you want to leave CF Always HTTPS enabled:
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
    
       server_name domain99.com www.domain99.com;
       return 302 https://domain99.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
     
  6. eva2000
    This is a different error, for CF DNS API validation due to an invalid domain, not with HTTPS Always enabled.

    When you run centmin.sh menu option 22 it would actually have a warning message for this that reads something like:
    Code (Text):
    If using Cloudflare in front of site, disable CF option for
    Always Use HTTPS in CF Dashboard Crypto Tab as Nginx will do
    the non-https to https redirect on this end and not require
    Cloudflare's Always Use HTTPS. If enabled it will cause the
    error message: too many redirects
    

    Ensure your Cloudflare API Token has the correct permissions set for all zones on your CF Account: https://community.centminmod.com/th...cloudflare-dns-api-domain-verification.22630/

    You have 2 different errors: some are too many redirects due to CF Always HTTPS conflicting with Nginx's 302 redirect server{} context for web root /.well-known/* validations, and the other is invalid domain with CF DNS API domain validations, meaning the CF API Token doesn't have permission for the domain.
     
    Last edited: Dec 15, 2022
  7. eva2000
    You have 2 different errors: some are too many redirects due to CF Always HTTPS conflicting with Nginx's 302 redirect server{} context for web root /.well-known/* validations, and the other is invalid domain with CF DNS API domain validations, meaning the CF API Token doesn't have permission for the domain.

    If using Cloudflare DNS API validation and you get errors for invalid domain when Letsencrypt is doing domain validation, ensure you created your Cloudflare API Token with permissions for all your domain zones and not just specific domain zones. You can manually verify if the created Cloudflare API Token has permissions to add TXT DNS records for your domain using below manual curl commands to add a test TXT DNS record and verify the test TXT DNS record. You can then delete the test TXT DNS record from Cloudflare DNS dashboard.

    Manual testing: 1st populate these 3 variables with your relevant values and type the commands in SSH as the root user on the Centmin Mod server
    Code (Text):
    # same value as your CF_Token you set in persistent config file
    cftoken='your_cf_api_token'
    domain_hostname='your_domain_name'
    txtmsg='your_txt_msg'
    

    Then type these commands to create the test TXT DNS record and verify it
    Code (Text):
    # get zoneid for domain_hostname
    cfzoneid=$(curl -4sX GET "https://api.cloudflare.com/client/v4/zones/?name=${domain_hostname}&status=active&page=1&per_page=100&order=status&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d ${domain_hostname} '.result[] | select(.name == $d) | .id')
    
    # create test TXT DNS record
    curl -4sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records -H Content-Type:application/json -H "Authorization: Bearer $cftoken" --data "{\"type\":\"TXT\",\"name\":\"$domain_hostname\",\"content\":\"$txtmsg\",\"ttl\":120,\"proxied\":false}" | jq 'del(.result.zone_id)'
    
    # verify test TXT DNS record
    curl -4sX GET "https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records?type=TXT&name=${domain_hostname}&page=1&per_page=100&order=type&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d $domain_hostname '.result[] | {id: .id, name: .name, type: .type, content: .content, proxiable: .proxiable, proxied: .proxied}'
    

    Post the output for both of the curl commands in CODE/CODEB bbcode tags.
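    As an added example (not the thread's or Centmin Mod's own code), the same token-permission check as the curl/jq commands above, in Python with only the standard library: it looks up the zone id, adds a test TXT record, lists the TXT records and then deletes the test record over the API instead of the dashboard. CF_TOKEN, DOMAIN and TXT_CONTENT are assumed environment variable names; an empty zone lookup is reported as the "invalid domain" case the thread describes.

```python
"""Check that a Cloudflare API token can manage TXT records for one zone.

Mirrors the manual curl/jq test from the thread: look the zone up, add a
test TXT record, list TXT records, then delete the test record.
Assumed (not from the thread): CF_TOKEN / DOMAIN / TXT_CONTENT env var names.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cf_request(token, method, path, query=None, body=None):
    """Send one bearer-authenticated request to the v4 API; return the JSON envelope."""
    url = f"{API}{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Cloudflare still sends its JSON envelope (with "errors") on 4xx; keep it.
        return json.load(err)


def zone_id_for(zones_response, domain):
    """Pick the zone whose name matches exactly (what jq's select(.name == $d) did).

    Returns None when the token cannot see the zone, which is what acme.sh
    later reports as 'invalid domain'."""
    if not zones_response.get("success"):
        return None
    for zone in zones_response.get("result") or []:
        if zone.get("name") == domain:
            return zone["id"]
    return None


def describe_result(envelope):
    """Reduce a Cloudflare API envelope to (ok, message) for display."""
    if envelope.get("success"):
        return True, "ok"
    msgs = [f"{e.get('code')}: {e.get('message')}" for e in envelope.get("errors") or []]
    return False, "; ".join(msgs) or "unknown error"


def txt_records(list_response, domain):
    """Return (id, content) pairs for TXT records named exactly `domain`."""
    return [(r["id"], r["content"]) for r in list_response.get("result") or []
            if r.get("type") == "TXT" and r.get("name") == domain]


def main():
    token = os.environ.get("CF_TOKEN")  # same value as CF_Token in the persistent config
    domain = os.environ.get("DOMAIN")
    content = os.environ.get("TXT_CONTENT", "cf-token-permission-test")
    if not token or not domain:
        sys.exit("set CF_TOKEN and DOMAIN in the environment")

    zones = cf_request(token, "GET", "/zones", {"name": domain, "status": "active"})
    zid = zone_id_for(zones, domain)
    if zid is None:
        sys.exit(f"zone {domain} not visible to this token ({describe_result(zones)[1]}); "
                 "this is the 'invalid domain' case, grant the token DNS edit on all zones")

    created = cf_request(token, "POST", f"/zones/{zid}/dns_records",
                         body={"type": "TXT", "name": domain, "content": content,
                               "ttl": 120, "proxied": False})
    ok, msg = describe_result(created)
    print("create TXT:", "ok" if ok else msg)
    if not ok:
        sys.exit(1)  # e.g. 81057 'Record already exists': a leftover test record, remove it first

    listed = cf_request(token, "GET", f"/zones/{zid}/dns_records",
                        {"type": "TXT", "name": domain, "per_page": 100})
    for rid, value in txt_records(listed, domain):
        print(f"TXT {rid}: {value}")

    # Clean up the test record through the API rather than the dashboard.
    deleted = cf_request(token, "DELETE", f"/zones/{zid}/dns_records/{created['result']['id']}")
    ok, msg = describe_result(deleted)
    print("delete TXT:", "ok" if ok else msg)


if __name__ == "__main__":
    main()
```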
     
  8. adamus007p
    I have double checked it and even created a new API token.


    I ran
    Code (Text):
    cmupdate
    No local changes to save
    Already up-to-date.
    No local changes to save
    Already up-to-date.
    [00:35][root@host ~]# echo y | /usr/local/src/centminmod/addons/acmetool.sh check_cfapi
    
    ------------------------------------------------------------------------------
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of /usr/local/src/centminmod/addons/acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    or via command: cmupdate
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.82
    Latest acmetool.sh Version: 1.0.83
    ------------------------------------------------------------------------------
    
    Verifying working Cloudflare DNS API Credentials
    CF API Tokens detected
    Ok: CF API Token works
    


    Interesting that there is a newer version but I cannot update it.
    It is good; when I was adding domains I do not remember this message.


    1st I added a TXT record to my domain
    (attached screenshot: upload_2022-12-15_2-3-1.png)

    then I ran the commands:


    Code (Text):
    [00:56][root@host.hostname.com ~]# cftoken='myapi'
    [00:56][root@host.hostname.com ~]# domain_hostname='domain2kr.com'
    [00:56][root@host.hostname.com ~]# txtmsg='centminmodisthebest'
    [00:56][root@host.hostname.com ~]# # get zoneid for domain_hostname
    [00:56][root@host.hostname.com ~]# cfzoneid=$(curl -4sX GET "https://api.cloudflare.com/client/v4/zones/?name=${domain_hostname}&status=active&page=1&per_page=100&order=status&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d ${domain_hostname} '.result[] | select(.name == $d) | .id')
    # create test TXT DNS record
    curl -4sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records -H Content-Type:application/json -H "Authorization: Bearer $cftoken" --data "{\"type\":\"TXT\",\"name\":\"$domain_hostname\",\"content\":\"$txtmsg\",\"ttl\":120,\"proxied\":false}" | jq 'del(.result.zone_id)'
    
    # verify test TXT DNS record
    curl -4sX GET "https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records?type=TXT&name=${domain_hostname}&page=1&per_page=100&order=type&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d $domain_hostname '.result[] | {id: .id, name: .name, type: .type, content: .content, proxiable: .proxiable, proxied: .proxied}'[00:56][root@host.hostname.com ~]#
    [00:56][root@host.hostname.com ~]# # create test TXT DNS record
    [00:56][root@host.hostname.com ~]# curl -4sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records -H Content-Type:application/json -H "Authorization: Bearer $cftoken" --data "{\"type\":\"TXT\",\"name\":\"$domain_hostname\",\"content\":\"$txtmsg\",\"ttl\":120,\"proxied\":false}" | jq 'del(.result.zone_id)'
    {
      "result": null,
      "success": false,
      "errors": [
        {
          "code": 81057,
          "message": "Record already exists."
        }
      ],
      "messages": []
    }
    [00:56][root@host.hostname.com ~]#
    [00:56][root@host.hostname.com ~]# # verify test TXT DNS record
    [00:56][root@host.hostname.com ~]# curl -4sX GET "https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records?type=TXT&name=${domain_hostname}&page=1&per_page=100&order=type&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d $domain_hostname '.result[] | {id: .id, name: .name, type: .type, content: .content, proxiable: .proxiable, proxied: .proxied}'
    {
      "id": "e3c5bee17d51fd7e80xxxxxxxxx",
      "name": "domain2kr.com",
      "type": "TXT",
      "content": "v=spf1 a mx ip4:xxxxxxxx ~all",
      "proxiable": false,
      "proxied": false
    }
    {
      "id": "49182ceba3f237dxxxxx",
      "name": "domain2kr.com",
      "type": "TXT",
      "content": "centminmodisthebest",
      "proxiable": false,
      "proxied": false
    }
    [00:56][root@host.hostname.com ~]#
    
    


    When I type
    Code (Text):
    # get zoneid for domain_hostname
    cfzoneid=$(curl -4sX GET "https://api.cloudflare.com/client/v4/zones/?name=${domain_hostname}&status=active&page=1&per_page=100&order=status&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d ${domain_hostname} '.result[] | select(.name == $d) | .id')
    

    Nothing happened


    I am waiting for next steps. Thank you for your time.
     
    Last edited: Dec 15, 2022
  9. adamus007p
    I am sorry, my misunderstanding. Below is the correct one:
    Code (Text):
    [01:05][root@host.hostname.com ~]# cftoken='myapi'
    [01:05][root@host.hostname.com ~]# domain_hostname='domain2kr.com'
    [01:05][root@host.hostname.com ~]# txtmsg='test2'
    [01:05][root@host.hostname.com ~]# # get zoneid for domain_hostname
    [01:05][root@host.hostname.com ~]# cfzoneid=$(curl -4sX GET "https://api.cloudflare.com/client/v4/zones/?name=${domain_hostname}&status=active&page=1&per_page=100&order=status&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d ${domain_hostname} '.result[] | select(.name == $d) | .id')
    
    # create test TXT DNS record
    curl -4sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records -H Content-Type:application/json -H "Authorization: Bearer $cftoken" --data "{\"type\":\"TXT\",\"name\":\"$domain_hostname\",\"content\":\"$txtmsg\",\"ttl\":120,\"proxied\":false}" | jq 'del(.result.zone_id)'
    
    # verify test TXT DNS record
    curl -4sX GET "https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records?type=TXT&name=${domain_hostname}&page=1&per_page=100&order=type&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d $domain_hostname '.result[] | {id: .id, name: .name, type: .type, content: .content, proxiable: .proxiable, proxied: .proxied}'
    [01:05][root@host.hostname.com ~]#
    [01:05][root@host.hostname.com ~]# # create test TXT DNS record
    [01:05][root@host.hostname.com ~]# curl -4sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records -H Content-Type:application/json -H "Authorization: Bearer $cftoken" --data "{\"type\":\"TXT\",\"name\":\"$domain_hostname\",\"content\":\"$txtmsg\",\"ttl\":120,\"proxied\":false}" | jq 'del(.result.zone_id)'
    {
      "result": {
        "id": "36aaee9a741xxxxxxxx",
        "zone_name": "domain2kr.com",
        "name": "domain2kr.com",
        "type": "TXT",
        "content": "test2",
        "proxiable": false,
        "proxied": false,
        "ttl": 120,
        "locked": false,
        "meta": {
          "auto_added": false,
          "managed_by_apps": false,
          "managed_by_argo_tunnel": false,
          "source": "primary"
        },
        "created_on": "2022-12-15T01:06:00.898985Z",
        "modified_on": "2022-12-15T01:06:00.898985Z"
      },
      "success": true,
      "errors": [],
      "messages": []
    }
    [01:06][root@host.hostname.com ~]#
    [01:06][root@host.hostname.com ~]# # verify test TXT DNS record
    [01:06][root@host.hostname.com ~]# curl -4sX GET "https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records?type=TXT&name=${domain_hostname}&page=1&per_page=100&order=type&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d $domain_hostname '.result[] | {id: .id, name: .name, type: .type, content: .content, proxiable: .proxiable, proxied: .proxied}'
    {
      "id": "e3c5bee17d51fdxxxxxxxxx",
      "name": "domain2kr.com",
      "type": "TXT",
      "content": "v=spf1 a mx ip4:xxxxxx ~all",
      "proxiable": false,
      "proxied": false
    }
    {
      "id": "49182ceba3f237xxxxxxx",
      "name": "domain2kr.com",
      "type": "TXT",
      "content": "centminmodisthebest",
      "proxiable": false,
      "proxied": false
    }
    {
      "id": "36aaee9a741xxxxxxx",
      "name": "domain2kr.com",
      "type": "TXT",
      "content": "test2",
      "proxiable": false,
      "proxied": false
    }
    [01:06][root@host.hostname.com ~]#
    



    and I see the new TXT record on the CF side.

    (attached screenshot: upload_2022-12-15_2-10-58.png)
     
  10. eva2000
    Don't add TXT DNS records via the dashboard; remove those. This has to be added via the 2 curl commands I listed, to verify if the API Token has correct permissions to add a TXT DNS record, which is what CF DNS API Letsencrypt domain validation does.

    The cfzoneid variable doesn't output anything; it just assigns the derived zone id to the variable name cfzoneid, which is used by the subsequent 2 curl commands.
     
  11. adamus007p
    Haha, you were too fast. I have corrected my mistake :)
    Please have a look above.

    I am waiting for next steps. :)
     
  12. eva2000
    Interesting, that looks correct, verifying the API Token does have permissions to add a DNS TXT record for the domain name. So strange that it doesn't work for Letsencrypt CF DNS API validation.
     
  13. adamus007p
    Any idea what to do next? How to fix it?
     
  14. eva2000
    You can see the invalid domain error reported via the acme.sh logs when using the CF DNS API for TXT DNS record validation.

    Might need to search the acme.sh GitHub repo issues (acmesh-official/acme.sh) for the error message "invalid domain" dns to see for further clues.
     
  15. eva2000
    Double check the SAVED_CF_Token id was updated/correct in the acme.sh client's /root/.acme.sh/account.conf

    You can inspect its contents filtered for the SAVED_CF keyword using the command
    Code (Text):
    cat /root/.acme.sh/account.conf | grep SAVED_CF

    No need to post the contents, just verify the SAVED_CF_Token is correct and SAVED_CF_Account_ID is correct and the SAVED_CF_ZONE_ID variable is empty with no value
     
  16. adamus007p
    There is a different CF_Token value than in
    Code (Text):
    [01:17][root@host.przewodnikpowarszawie.com ~]# cat /root/.acme.sh/account.conf | grep SAVED_CF
    SAVED_CF_Token='dFFRxxxxxxxxx'
    SAVED_CF_Account_ID='0a6xxxxxx'
    SAVED_CF_Zone_ID=''
    
    



    Code (Text):
    /etc/centminmod/custom_config.inc
    CF_DNSAPI_GLOBAL='y'
    CF_Token="N-P6xxxxxxx"
    CF_Account_ID="0a6xxxxx"


    CF_Account_ID is the same but CF_Token is different.
    There are "" signs; is that correct?

    In your post there are "" too, I mean here: https://community.centminmod.com/th...cloudflare-dns-api-domain-verification.22630/

    Code (Text):
    CF_DNSAPI_GLOBAL='y'
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"




    That old API token was rolled (revoked) and changed to a new one.

    How to correct it?

    I have updated it via
    Code (Text):
    nano /root/.acme.sh/account.conf
    
     
    Last edited: Dec 15, 2022
  17. eva2000
    Yeah, double quotes are fine and expected.
    That's the problem then. When you set the variables in the persistent config file at
    /etc/centminmod/custom_config.inc for
    Code (Text):
    CF_DNSAPI_GLOBAL='y'
    CF_Token="N-P6xxxxxxx"
    CF_Account_ID="0a6xxxxx"
    

    then run centmin.sh menu options 2, 22, the nv command, or addons/acmetool.sh directly; it should detect the CF_Token and CF_Account_ID values and update them in /root/.acme.sh/account.conf, used for the renewal stage, but also set environment variables for the current acme.sh session too.

    Which is your current CF_Token value, the one in /etc/centminmod/custom_config.inc or one in /root/.acme.sh/account.conf?

    Is the one in /root/.acme.sh/account.conf a previously used CF API Token you recognise that you have used in the past?
     
  18. adamus007p
    This is the current one.

    Yes, I was using it in the past.
     
  19. adamus007p
    I have updated
    Code (Text):
    nano /root/.acme.sh/account.conf

    with the current CF_Token and then ran
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    and all domains are OK now. :)

    Only one domain is not:
    Code (Text):
    [Thu Dec 15 01:45:37 UTC 2022] Renew: 'domain2kr.com'
    [Thu Dec 15 01:45:38 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Thu Dec 15 01:45:38 UTC 2022] Multi domain='DNS:domain2kr.com,DNS:www.domain2kr.com'
    [Thu Dec 15 01:45:38 UTC 2022] Getting domain auth token for each domain
    [Thu Dec 15 01:45:41 UTC 2022] Getting webroot for domain='domain2kr.com'
    [Thu Dec 15 01:45:41 UTC 2022] Getting webroot for domain='www.domain2kr.com'
    [Thu Dec 15 01:45:42 UTC 2022] Adding txt value: Q5Kq-0bOIU44BbgMtxxxxxxx for domain:  _acme-challenge.domain2kr.com
    [Thu Dec 15 01:45:45 UTC 2022] Adding record
    [Thu Dec 15 01:45:46 UTC 2022] Added, OK
    [Thu Dec 15 01:45:46 UTC 2022] The txt record is added: Success.
    [Thu Dec 15 01:45:46 UTC 2022] Let's check each DNS record now. Sleep 20 seconds first.
    [Thu Dec 15 01:46:07 UTC 2022] You can use '--dnssleep' to disable public dns checks.
    [Thu Dec 15 01:46:07 UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
    [Thu Dec 15 01:46:08 UTC 2022] Checking domain2kr.com for _acme-challenge.domain2kr.com
    [Thu Dec 15 01:46:08 UTC 2022] Domain domain2kr.com '_acme-challenge.domain2kr.com' success.
    [Thu Dec 15 01:46:08 UTC 2022] All success, let's return
    [Thu Dec 15 01:46:08 UTC 2022] Verifying: domain2kr.com
    [Thu Dec 15 01:46:09 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Thu Dec 15 01:46:12 UTC 2022] Success
    [Thu Dec 15 01:46:12 UTC 2022] Verifying: www.domain2kr.com
    [Thu Dec 15 01:46:13 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Thu Dec 15 01:46:16 UTC 2022] www.domain2kr.com:Verify error:2606:4700:3036::6815:1d6c: Invalid response from https://domain2kr.com/.well-known/acme-challenge/xyJHm3xxxxx: 526
    [Thu Dec 15 01:46:16 UTC 2022] Removing DNS records.
    [Thu Dec 15 01:46:16 UTC 2022] Removing txt: Q5Kq-0bOIU44BbgMtaFM3L3QN7D9_04KnZtehHjBKOM for domain: _acme-challenge.domain2kr.com
    [Thu Dec 15 01:46:20 UTC 2022] Removed: Success
    [Thu Dec 15 01:46:20 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-130719-183030.log
    [Thu Dec 15 01:46:22 UTC 2022] Error renew domain2kr.com.
    [Thu Dec 15 01:46:22 UTC 2022] Renew: 'domain2kr.com'
    [Thu Dec 15 01:46:23 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Thu Dec 15 01:46:23 UTC 2022] Multi domain='DNS:domain2kr.com,DNS:www.domain2kr.com'
    [Thu Dec 15 01:46:23 UTC 2022] Getting domain auth token for each domain
    [Thu Dec 15 01:46:25 UTC 2022] Create new order error. Le_OrderFinalize not found. {
      "type": "urn:ietf:params:acme:error:rateLimited",
      "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
      "status": 429
    }
    [Thu Dec 15 01:46:25 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-130719-183030.log
    [Thu Dec 15 01:46:25 UTC 2022] Error renew domain2kr.com_ecc.
    


    Do I understand correctly that there is a daily limit and I need to wait for it?

    Thank you very much for your help. :)


    I believe that it may be a bug, or my luck ;)
    To reproduce it, go to API Tokens, roll the API token and paste the new token into the persistent file. That was my case.

    PS. I have updated the API token also on my other VPS and there I see the API token is updated,
    in the persistent file and in
    Code (Text):
    cat /root/.acme.sh/account.conf | grep SAVED_CF
     
  20. eva2000
    Ah, I see the issue. It's a bug in addons/acmetool.sh in how it updates the /root/.acme.sh/account.conf set variable for the CF_Token value, which is saved in SAVED_CF_Token in /root/.acme.sh/account.conf. I'll have to update both 124.00stable and 130.00beta01's addons/acmetool.sh, which I will be doing in the next 60 mins or so :)
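    An added check (not part of the thread or of acmetool.sh) for the mismatch found above: it reads CF_Token and CF_Account_ID from /etc/centminmod/custom_config.inc and compares them with the SAVED_CF_* values in /root/.acme.sh/account.conf, so a rolled token that was never propagated to acme.sh is flagged before the next renewal fails with "invalid domain". The file paths and variable names are the ones the thread shows; the parsing is my own and only understands simple KEY='value' / KEY="value" lines.

```python
"""Flag a Cloudflare API token that changed in Centmin Mod's persistent config
but not in acme.sh's account.conf (the renewal failure diagnosed in the thread).

File paths and variable names are those shown in the thread; the line parser
below is an added helper, not acmetool.sh code."""
import re
import sys

PERSISTENT_CONFIG = "/etc/centminmod/custom_config.inc"
ACME_ACCOUNT_CONF = "/root/.acme.sh/account.conf"

# Matches KEY='value', KEY="value" or KEY=value on a line of its own
# (both quote styles appear in the thread's two files).
_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(['\"]?)(.*?)\2\s*$")


def shell_vars(text):
    """Return a dict of simple shell assignments in text; a later assignment wins."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            found[m.group(1)] = m.group(3)
    return found


def compare_tokens(persistent_text, account_text):
    """Return human-readable findings; an empty list means the two files agree."""
    persistent = shell_vars(persistent_text)
    saved = shell_vars(account_text)
    findings = []
    if persistent.get("CF_DNSAPI_GLOBAL") != "y":
        findings.append("CF_DNSAPI_GLOBAL is not 'y' in the persistent config")
    pairs = (("CF_Token", "SAVED_CF_Token"), ("CF_Account_ID", "SAVED_CF_Account_ID"))
    for key, saved_key in pairs:
        want, have = persistent.get(key), saved.get(saved_key)
        if not want:
            findings.append(f"{key} missing from persistent config")
        elif have != want:
            findings.append(f"{saved_key} in account.conf does not match {key}; "
                            "renewals will keep using the old value")
    # acme.sh should derive the zone per domain; a stuck zone id is also wrong.
    if saved.get("SAVED_CF_Zone_ID"):
        findings.append("SAVED_CF_Zone_ID should be empty")
    return findings


def main():
    try:
        with open(PERSISTENT_CONFIG) as f:
            persistent_text = f.read()
        with open(ACME_ACCOUNT_CONF) as f:
            account_text = f.read()
    except OSError as err:
        sys.exit(f"cannot read config: {err}")
    findings = compare_tokens(persistent_text, account_text)
    for line in findings:
        print("MISMATCH:", line)
    print("ok: account.conf matches persistent config" if not findings
          else f"{len(findings)} problem(s) found")
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```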