Acme.sh: Cannot Issue new certificate Invalid Domain Error

Created on 2 Oct 2019 · 11 Comments · Source: acmesh-official/acme.sh

I am not sure if this is an issue or if I am just misunderstanding the usage. I am unable to get a certificate issued and keep getting an invalid domain error when using DNS with Cloudflare API. I found issue 1980 but that didn't seem to give me any idea of what is wrong. I do have a - in my domain name.

I did manage to work around the issue by using Manual mode to issue the certificate, then I immediately force an issue of the certificate and it goes through.

Steps to reproduce

root@authserver:~/.acme.sh# acme.sh --issue --staging --dns dns_cf -d pw.my-domain.com

Debug log

root@authserver:~/.acme.sh# acme.sh --issue --staging --dns dns_cf -d pw.my-domain.com --debug 2
[Tue Oct  1 21:25:39 EDT 2019] Lets find script dir.
[Tue Oct  1 21:25:39 EDT 2019] _SCRIPT_='/root/.acme.sh/acme.sh'
[Tue Oct  1 21:25:39 EDT 2019] _script='/root/.acme.sh/acme.sh'
[Tue Oct  1 21:25:39 EDT 2019] _script_home='/root/.acme.sh'
[Tue Oct  1 21:25:39 EDT 2019] Using config home:/root/.acme.sh
[Tue Oct  1 21:25:39 EDT 2019] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.8.3
[Tue Oct  1 21:25:39 EDT 2019] Running cmd: issue
[Tue Oct  1 21:25:39 EDT 2019] _main_domain='pw.my-domain.com'
[Tue Oct  1 21:25:39 EDT 2019] _alt_domains='no'
[Tue Oct  1 21:25:39 EDT 2019] Using config home:/root/.acme.sh
[Tue Oct  1 21:25:39 EDT 2019] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Tue Oct  1 21:25:39 EDT 2019] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
[Tue Oct  1 21:25:39 EDT 2019] _ACME_SERVER_HOST='acme-staging-v02.api.letsencrypt.org'
[Tue Oct  1 21:25:39 EDT 2019] DOMAIN_PATH='/root/.acme.sh/pw.my-domain.com'
[Tue Oct  1 21:25:39 EDT 2019] 'dns_cf' does not contain 'dns'
[Tue Oct  1 21:25:39 EDT 2019] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Tue Oct  1 21:25:39 EDT 2019] _init api for server: https://acme-staging-v02.api.letsencrypt.org/directory
[Tue Oct  1 21:25:39 EDT 2019] GET
[Tue Oct  1 21:25:39 EDT 2019] url='https://acme-staging-v02.api.letsencrypt.org/directory'
[Tue Oct  1 21:25:39 EDT 2019] timeout=
[Tue Oct  1 21:25:39 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.lbRg9hYvuV  -g '
[Tue Oct  1 21:25:40 EDT 2019] ret='0'
[Tue Oct  1 21:25:40 EDT 2019] response='{
  "YRJttQlNDoU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Tue Oct  1 21:25:40 EDT 2019] ACME_KEY_CHANGE='https://acme-staging-v02.api.letsencrypt.org/acme/key-change'
[Tue Oct  1 21:25:40 EDT 2019] ACME_NEW_AUTHZ
[Tue Oct  1 21:25:40 EDT 2019] ACME_NEW_ORDER='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Tue Oct  1 21:25:40 EDT 2019] ACME_NEW_ACCOUNT='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct'
[Tue Oct  1 21:25:40 EDT 2019] ACME_REVOKE_CERT='https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert'
[Tue Oct  1 21:25:40 EDT 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue Oct  1 21:25:40 EDT 2019] ACME_NEW_NONCE='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Oct  1 21:25:40 EDT 2019] ACME_VERSION='2'
[Tue Oct  1 21:25:40 EDT 2019] Le_NextRenewTime
[Tue Oct  1 21:25:40 EDT 2019] _on_before_issue
[Tue Oct  1 21:25:40 EDT 2019] _chk_main_domain='pw.my-domain.com'
[Tue Oct  1 21:25:40 EDT 2019] _chk_alt_domains
[Tue Oct  1 21:25:40 EDT 2019] 'dns_cf' does not contain 'no'
[Tue Oct  1 21:25:40 EDT 2019] Le_LocalAddress
[Tue Oct  1 21:25:40 EDT 2019] d='pw.my-domain.com'
[Tue Oct  1 21:25:40 EDT 2019] Check for domain='pw.my-domain.com'
[Tue Oct  1 21:25:40 EDT 2019] _currentRoot='dns_cf'
[Tue Oct  1 21:25:40 EDT 2019] d
[Tue Oct  1 21:25:40 EDT 2019] 'dns_cf' does not contain 'apache'
[Tue Oct  1 21:25:40 EDT 2019] _saved_account_key_hash='3BKP6QKChp7JkgrjxQMIwiT0e2e0DZnuqRGg5tKQ7Tw='
[Tue Oct  1 21:25:40 EDT 2019] _saved_account_key_hash is not changed, skip register account.
[Tue Oct  1 21:25:40 EDT 2019] Read key length:
[Tue Oct  1 21:25:40 EDT 2019] _createcsr
[Tue Oct  1 21:25:40 EDT 2019] domain='pw.my-domain.com'
[Tue Oct  1 21:25:40 EDT 2019] domainlist
[Tue Oct  1 21:25:40 EDT 2019] csrkey='/root/.acme.sh/pw.my-domain.com/pw.my-domain.com.key'
[Tue Oct  1 21:25:40 EDT 2019] csr='/root/.acme.sh/pw.my-domain.com/pw.my-domain.com.csr'
[Tue Oct  1 21:25:40 EDT 2019] csrconf='/root/.acme.sh/pw.my-domain.com/pw.my-domain.com.csr.conf'
[Tue Oct  1 21:25:40 EDT 2019] Single domain='pw.my-domain.com'
[Tue Oct  1 21:25:40 EDT 2019] _is_idn_d='pw.my-domain.com'
[Tue Oct  1 21:25:40 EDT 2019] _idn_temp
[Tue Oct  1 21:25:40 EDT 2019] _is_idn_d='pw.my-domain.com'
[Tue Oct  1 21:25:40 EDT 2019] _idn_temp
[Tue Oct  1 21:25:40 EDT 2019] _csr_cn='pw.my-domain.com'
[Tue Oct  1 21:25:40 EDT 2019] Getting domain auth token for each domain
[Tue Oct  1 21:25:40 EDT 2019] _is_idn_d='pw.my-domain.com'
[Tue Oct  1 21:25:40 EDT 2019] _idn_temp
[Tue Oct  1 21:25:40 EDT 2019] d
[Tue Oct  1 21:25:40 EDT 2019] _identifiers='{"type":"dns","value":"pw.my-domain.com"}'
[Tue Oct  1 21:25:40 EDT 2019] url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Tue Oct  1 21:25:40 EDT 2019] payload='{"identifiers": [{"type":"dns","value":"pw.my-domain.com"}]}'
[Tue Oct  1 21:25:40 EDT 2019] RSA key
[Tue Oct  1 21:25:40 EDT 2019] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Oct  1 21:25:40 EDT 2019] HEAD
[Tue Oct  1 21:25:40 EDT 2019] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Oct  1 21:25:40 EDT 2019] body
[Tue Oct  1 21:25:40 EDT 2019] _postContentType='application/jose+json'
[Tue Oct  1 21:25:40 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.YRJCIPE2bX  -g  -I  '
[Tue Oct  1 21:25:41 EDT 2019] _ret='0'
[Tue Oct  1 21:25:41 EDT 2019] _headers='HTTP/2 200
server: nginx
date: Wed, 02 Oct 2019 01:25:41 GMT
cache-control: public, max-age=0, no-cache
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0001zBKE6lANQENxTHS67_NLyZjEFKnq9r_WrP8L6CDwxiE
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Tue Oct  1 21:25:41 EDT 2019] _CACHED_NONCE='0001zBKE6lANQENxTHS67_NLyZjEFKnq9r_WrP8L6CDwxiE'
[Tue Oct  1 21:25:41 EDT 2019] nonce='0001zBKE6lANQENxTHS67_NLyZjEFKnq9r_WrP8L6CDwxiE'
[Tue Oct  1 21:25:41 EDT 2019] POST
[Tue Oct  1 21:25:41 EDT 2019] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Tue Oct  1 21:25:41 EDT 2019] body='{"protected": "eyJub25jZSI6ICIwMDAxekJLRTZsQU5RRU54VEhTNjdfTkx5WmpFRktucTlyX1dyUDhMNkNEd3hpRSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIiLCAiYWxnIjogIlJTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTEyNDU1NzAifQ", "payload": "eyJpZGVudGlmaWVycyI6IFt7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6InB3LmZhY3RvcnktdGVjaC5jb20ifV19", "signature": "Zh5Sd4IMaiU3YsCYksU0COlqUbhKSHQkIEj6ser0HwKjlEvYDbdff0MHnbrt7GkCcAwGH0fUv_q4WwiGzlAY0Oav9r_-jqwoN1BW-Ed_2F43z3xJeFbNwt7h4kpdXUV3zEpPdfTQhbDJV_yoCZb7aBA1sAzZU6KA3xyft5iwUF6rEkoX3YefKGFt12gqK9r7YtHGyMNU7mwec9d7Ffj2CODH2100B2ykJeEqEX7czPf9y1rh6KiliPqHvUb9ZknVXZgYpI8VsT_WAfQCT58M3vAJL7DhS6FS1h3CoZneOvP8zzfcgGv0qGEaEajz8J7fTD2gWYiB1LJY6xgXf_L_UQ"}'
[Tue Oct  1 21:25:41 EDT 2019] _postContentType='application/jose+json'
[Tue Oct  1 21:25:41 EDT 2019] Http already initialized.
[Tue Oct  1 21:25:41 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.YRJCIPE2bX  -g '
[Tue Oct  1 21:25:42 EDT 2019] _ret='0'
[Tue Oct  1 21:25:42 EDT 2019] responseHeaders='HTTP/2 201
server: nginx
date: Wed, 02 Oct 2019 01:25:42 GMT
content-type: application/json
content-length: 361
boulder-requester: 11245570
cache-control: public, max-age=0, no-cache
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-staging-v02.api.letsencrypt.org/acme/order/11245570/53650039
replay-nonce: 000284RsBGAbgMnLN1M-k9JK-O7FFxw4lYpfaWgyqnCMUi0
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Tue Oct  1 21:25:42 EDT 2019] code='201'
[Tue Oct  1 21:25:42 EDT 2019] original='{
  "status": "pending",
  "expires": "2019-10-09T01:25:42.231392196Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "pw.my-domain.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11907963"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/11245570/53650039"
}'
[Tue Oct  1 21:25:42 EDT 2019] response='{"status":"pending","expires":"2019-10-09T01:25:42.231392196Z","identifiers":[{"type":"dns","value":"pw.my-domain.com"}],"authorizations":["https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11907963"],"finalize":"https://acme-staging-v02.api.letsencrypt.org/acme/finalize/11245570/53650039"}'
[Tue Oct  1 21:25:42 EDT 2019] Le_LinkOrder='https://acme-staging-v02.api.letsencrypt.org/acme/order/11245570/53650039'
[Tue Oct  1 21:25:42 EDT 2019] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/11245570/53650039'
[Tue Oct  1 21:25:42 EDT 2019] _authorizations_seg='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11907963'
[Tue Oct  1 21:25:42 EDT 2019] _authz_url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11907963'
[Tue Oct  1 21:25:42 EDT 2019] url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11907963'
[Tue Oct  1 21:25:42 EDT 2019] payload
[Tue Oct  1 21:25:42 EDT 2019] Use cached jwk for file: /root/.acme.sh/ca/acme-staging-v02.api.letsencrypt.org/account.key
[Tue Oct  1 21:25:42 EDT 2019] Use _CACHED_NONCE='000284RsBGAbgMnLN1M-k9JK-O7FFxw4lYpfaWgyqnCMUi0'
[Tue Oct  1 21:25:42 EDT 2019] nonce='000284RsBGAbgMnLN1M-k9JK-O7FFxw4lYpfaWgyqnCMUi0'
[Tue Oct  1 21:25:42 EDT 2019] POST
[Tue Oct  1 21:25:42 EDT 2019] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11907963'
[Tue Oct  1 21:25:42 EDT 2019] body='{"protected": "eyJub25jZSI6ICIwMDAyODRSc0JHQWJnTW5MTjFNLWs5SkstTzdGRnh3NGxZcGZhV2d5cW5DTVVpMCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMTkwNzk2MyIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTI0NTU3MCJ9", "payload": "", "signature": "gyN_oxWDzTU-RTaxgiVAMG1i3ugfSCEMnyL6Ynb7QHxPHX1Z9dxHlTZFQiE1NUUCQzofR_9rWzIpJUFIBgHMdtBHAgFnIWlmDuEa3if5QF-VYZAOCpXMjxrO4EDBfaeQsPsRdtVS3DWnvNt4h1jo-M7I19dJNZI7gOnn5fN9GH7XaozvBDPJxeMwRscP9xdOOOPXNNG9Ve5qFhK10YkO_bl2nV5gOMyqhcOBYVZVrhdox_UIQk3_Kzp-svGvbaMHhy7jHo2VIsFgQpRiTTUpbaEeVeoWAjMS3gAR-Iq8URxwZ8iE882nTi-NNUCxojrZgfS4cL4R3BqfGXJNnJWFGQ"}'
[Tue Oct  1 21:25:42 EDT 2019] _postContentType='application/jose+json'
[Tue Oct  1 21:25:42 EDT 2019] Http already initialized.
[Tue Oct  1 21:25:42 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.YRJCIPE2bX  -g '
[Tue Oct  1 21:25:43 EDT 2019] _ret='0'
[Tue Oct  1 21:25:43 EDT 2019] responseHeaders='HTTP/2 200
server: nginx
date: Wed, 02 Oct 2019 01:25:43 GMT
content-type: application/json
content-length: 815
boulder-requester: 11245570
cache-control: public, max-age=0, no-cache
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0001jRenhMXpsIlpwiWKVeXouaao4MrnsWTDupioOP2XFLQ
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Tue Oct  1 21:25:43 EDT 2019] code='200'
[Tue Oct  1 21:25:43 EDT 2019] original='{
  "identifier": {
    "type": "dns",
    "value": "pw.my-domain.com"
  },
  "status": "pending",
  "expires": "2019-10-09T01:25:42Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/HDZt3A",
      "token": "uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g",
      "token": "uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/vSX4jw",
      "token": "uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"
    }
  ]
}'
[Tue Oct  1 21:25:43 EDT 2019] response='{"identifier":{"type":"dns","value":"pw.my-domain.com"},"status":"pending","expires":"2019-10-09T01:25:42Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/HDZt3A","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"},{"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/vSX4jw","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"}]}'
[Tue Oct  1 21:25:43 EDT 2019] response='{"identifier":{"type":"dns","value":"pw.my-domain.com"},"status":"pending","expires":"2019-10-09T01:25:42Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/HDZt3A","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"},{"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/vSX4jw","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"}]}'
[Tue Oct  1 21:25:43 EDT 2019] _d='pw.my-domain.com'
[Tue Oct  1 21:25:43 EDT 2019] _authorizations_map='pw.my-domain.com,{"identifier":{"type":"dns","value":"pw.my-domain.com"},"status":"pending","expires":"2019-10-09T01:25:42Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/HDZt3A","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"},{"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/vSX4jw","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"}]}
'
[Tue Oct  1 21:25:43 EDT 2019] d='pw.my-domain.com'
[Tue Oct  1 21:25:43 EDT 2019] Getting webroot for domain='pw.my-domain.com'
[Tue Oct  1 21:25:43 EDT 2019] _w='dns_cf'
[Tue Oct  1 21:25:43 EDT 2019] _currentRoot='dns_cf'
[Tue Oct  1 21:25:43 EDT 2019] _is_idn_d='pw.my-domain.com'
[Tue Oct  1 21:25:43 EDT 2019] _idn_temp
[Tue Oct  1 21:25:43 EDT 2019] response='{"identifier":{"type":"dns","value":"pw.my-domain.com"},"status":"pending","expires":"2019-10-09T01:25:42Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/HDZt3A","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"},{"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/vSX4jw","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"}]}'
[Tue Oct  1 21:25:43 EDT 2019] entry='"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"'
[Tue Oct  1 21:25:43 EDT 2019] token='uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A'
[Tue Oct  1 21:25:43 EDT 2019] uri='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g'
[Tue Oct  1 21:25:43 EDT 2019] keyauthorization='uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A.TjnoHeVPYueMZve2Q2KxJaGdR80-Oi-E6GGUu6USoaU'
[Tue Oct  1 21:25:43 EDT 2019] dvlist='pw.my-domain.com#uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A.TjnoHeVPYueMZve2Q2KxJaGdR80-Oi-E6GGUu6USoaU#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g#dns-01#dns_cf'
[Tue Oct  1 21:25:43 EDT 2019] d
[Tue Oct  1 21:25:43 EDT 2019] vlist='pw.my-domain.com#uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A.TjnoHeVPYueMZve2Q2KxJaGdR80-Oi-E6GGUu6USoaU#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g#dns-01#dns_cf,'
[Tue Oct  1 21:25:43 EDT 2019] d='pw.my-domain.com'
[Tue Oct  1 21:25:43 EDT 2019] _d_alias
[Tue Oct  1 21:25:43 EDT 2019] txtdomain='_acme-challenge.pw.my-domain.com'
[Tue Oct  1 21:25:43 EDT 2019] txt='-9fc-zrT1ziRge3LPnlBVBdA-5xHv3TMkprsi5FRhWk'
[Tue Oct  1 21:25:43 EDT 2019] d_api='/root/.acme.sh/dnsapi/dns_cf.sh'
[Tue Oct  1 21:25:43 EDT 2019] dns_entry='pw.my-domain.com,_acme-challenge.pw.my-domain.com,,dns_cf,-9fc-zrT1ziRge3LPnlBVBdA-5xHv3TMkprsi5FRhWk,/root/.acme.sh/dnsapi/dns_cf.sh'
[Tue Oct  1 21:25:43 EDT 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Tue Oct  1 21:25:43 EDT 2019] Adding txt value: -9fc-zrT1ziRge3LPnlBVBdA-5xHv3TMkprsi5FRhWk for domain:  _acme-challenge.pw.my-domain.com
[Tue Oct  1 21:25:43 EDT 2019] First detect the root zone
[Tue Oct  1 21:25:43 EDT 2019] h='_acme-challenge.pw.my-domain.com'
[Tue Oct  1 21:25:43 EDT 2019] zones?name=_acme-challenge.pw.my-domain.com&account.id=FTZoneEdit
[Tue Oct  1 21:25:43 EDT 2019] GET
[Tue Oct  1 21:25:43 EDT 2019] url='https://api.cloudflare.com/client/v4/zones?name=_acme-challenge.pw.my-domain.com&account.id=FTZoneEdit'
[Tue Oct  1 21:25:43 EDT 2019] timeout=
[Tue Oct  1 21:25:43 EDT 2019] Http already initialized.
[Tue Oct  1 21:25:43 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.YRJCIPE2bX  -g '
[Tue Oct  1 21:25:43 EDT 2019] ret='0'
[Tue Oct  1 21:25:43 EDT 2019] response='{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.5e1d2d8b2891e26d9aaf665da812cbe1' requires permission 'com.cloudflare.api.account.zone.list' to list zones for 'com.cloudflare.api.account.FTZoneEdit'"}],"messages":[],"result":null}'
[Tue Oct  1 21:25:43 EDT 2019] h='pw.my-domain.com'
[Tue Oct  1 21:25:43 EDT 2019] zones?name=pw.my-domain.com&account.id=FTZoneEdit
[Tue Oct  1 21:25:43 EDT 2019] GET
[Tue Oct  1 21:25:43 EDT 2019] url='https://api.cloudflare.com/client/v4/zones?name=pw.my-domain.com&account.id=FTZoneEdit'
[Tue Oct  1 21:25:43 EDT 2019] timeout=
[Tue Oct  1 21:25:43 EDT 2019] Http already initialized.
[Tue Oct  1 21:25:43 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.YRJCIPE2bX  -g '
[Tue Oct  1 21:25:44 EDT 2019] ret='0'
[Tue Oct  1 21:25:44 EDT 2019] response='{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.5e1d2d8b2891e26d9aaf665da812cbe1' requires permission 'com.cloudflare.api.account.zone.list' to list zones for 'com.cloudflare.api.account.FTZoneEdit'"}],"messages":[],"result":null}'
[Tue Oct  1 21:25:44 EDT 2019] h='my-domain.com'
[Tue Oct  1 21:25:44 EDT 2019] zones?name=my-domain.com&account.id=FTZoneEdit
[Tue Oct  1 21:25:44 EDT 2019] GET
[Tue Oct  1 21:25:44 EDT 2019] url='https://api.cloudflare.com/client/v4/zones?name=my-domain.com&account.id=FTZoneEdit'
[Tue Oct  1 21:25:44 EDT 2019] timeout=
[Tue Oct  1 21:25:44 EDT 2019] Http already initialized.
[Tue Oct  1 21:25:44 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.YRJCIPE2bX  -g '
[Tue Oct  1 21:25:45 EDT 2019] ret='0'
[Tue Oct  1 21:25:45 EDT 2019] response='{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.5e1d2d8b2891e26d9aaf665da812cbe1' requires permission 'com.cloudflare.api.account.zone.list' to list zones for 'com.cloudflare.api.account.FTZoneEdit'"}],"messages":[],"result":null}'
[Tue Oct  1 21:25:45 EDT 2019] h='com'
[Tue Oct  1 21:25:45 EDT 2019] zones?name=com&account.id=FTZoneEdit
[Tue Oct  1 21:25:45 EDT 2019] GET
[Tue Oct  1 21:25:45 EDT 2019] url='https://api.cloudflare.com/client/v4/zones?name=com&account.id=FTZoneEdit'
[Tue Oct  1 21:25:45 EDT 2019] timeout=
[Tue Oct  1 21:25:45 EDT 2019] Http already initialized.
[Tue Oct  1 21:25:45 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.YRJCIPE2bX  -g '
[Tue Oct  1 21:25:45 EDT 2019] ret='0'
[Tue Oct  1 21:25:45 EDT 2019] response='{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.5e1d2d8b2891e26d9aaf665da812cbe1' requires permission 'com.cloudflare.api.account.zone.list' to list zones for 'com.cloudflare.api.account.FTZoneEdit'"}],"messages":[],"result":null}'
[Tue Oct  1 21:25:45 EDT 2019] h
[Tue Oct  1 21:25:45 EDT 2019] invalid domain
[Tue Oct  1 21:25:45 EDT 2019] Error add txt for domain:_acme-challenge.pw.my-domain.com
[Tue Oct  1 21:25:45 EDT 2019] _on_issue_err
[Tue Oct  1 21:25:45 EDT 2019] Please add '--debug' or '--log' to check more details.
[Tue Oct  1 21:25:45 EDT 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Tue Oct  1 21:25:45 EDT 2019] _chk_vlist='pw.my-domain.com#uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A.TjnoHeVPYueMZve2Q2KxJaGdR80-Oi-E6GGUu6USoaU#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g#dns-01#dns_cf,'
[Tue Oct  1 21:25:45 EDT 2019] start to deactivate authz
[Tue Oct  1 21:25:45 EDT 2019] Trigger domain validation.
[Tue Oct  1 21:25:45 EDT 2019] _t_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g'
[Tue Oct  1 21:25:45 EDT 2019] _t_key_authz='uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A.TjnoHeVPYueMZve2Q2KxJaGdR80-Oi-E6GGUu6USoaU'
[Tue Oct  1 21:25:45 EDT 2019] _t_vtype
[Tue Oct  1 21:25:45 EDT 2019] url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g'
[Tue Oct  1 21:25:45 EDT 2019] payload='{}'
[Tue Oct  1 21:25:45 EDT 2019] Use cached jwk for file: /root/.acme.sh/ca/acme-staging-v02.api.letsencrypt.org/account.key
[Tue Oct  1 21:25:45 EDT 2019] Use _CACHED_NONCE='0001jRenhMXpsIlpwiWKVeXouaao4MrnsWTDupioOP2XFLQ'
[Tue Oct  1 21:25:45 EDT 2019] nonce='0001jRenhMXpsIlpwiWKVeXouaao4MrnsWTDupioOP2XFLQ'
[Tue Oct  1 21:25:45 EDT 2019] POST
[Tue Oct  1 21:25:45 EDT 2019] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g'
[Tue Oct  1 21:25:45 EDT 2019] body='{"protected": "eyJub25jZSI6ICIwMDAxalJlbmhNWHBzSWxwd2lXS1ZlWG91YWFvNE1ybnNXVER1cGlvT1AyWEZMUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xMTkwNzk2My9vRlFxMGciLCAiYWxnIjogIlJTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTEyNDU1NzAifQ", "payload": "e30", "signature": "ppens0dGHt2E_RkFIkdwrHoNqKV4ua2BcqRIs0ZwubhL5FDBix3c7WKZssAtjPRd1VcGY3sQpmwq-NksiLuCfkLCVRlwxgR9uuC2IfGYnc7HVamaXNYxhXp4kzMkmOndPz60wExT_UG3aEgUhUjJUSzLjQiVCKSLyM0InjdgLjMJkJB4WUangyeuSqx4Kx5RZ4x6KgSMuuVZcG71hrcbOa8sEUYETCD5op1juI9Xhc92XH39W5X3coQ7CvCUYL3I3KzXWUnViASp1_ylwB18s130jedy0jxCIJ0NPmv-DnEd-FHjL3IuqFaJ_L6zPddTWtUT7pxOrUNPBPPQTsjUnQ"}'
[Tue Oct  1 21:25:45 EDT 2019] _postContentType='application/jose+json'
[Tue Oct  1 21:25:45 EDT 2019] Http already initialized.
[Tue Oct  1 21:25:45 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.YRJCIPE2bX  -g '
[Tue Oct  1 21:25:45 EDT 2019] _ret='0'
[Tue Oct  1 21:25:45 EDT 2019] responseHeaders='HTTP/2 200
server: nginx
date: Wed, 02 Oct 2019 01:25:45 GMT
content-type: application/json
content-length: 190
boulder-requester: 11245570
cache-control: public, max-age=0, no-cache
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11907963>;rel="up"
location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g
replay-nonce: 0001j1Sq_wCgdf5m04SxPCGEDhV0xs5J8F3GsVXYn4ahJZA
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Tue Oct  1 21:25:45 EDT 2019] code='200'
[Tue Oct  1 21:25:45 EDT 2019] original='{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g",
  "token": "uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"
}'
[Tue Oct  1 21:25:45 EDT 2019] response='{"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11907963/oFQq0g","token":"uyJVLPdb8J9oT_CqFlksq0q4lyqRr1vTIhPI26CxW6A"}'
[Tue Oct  1 21:25:45 EDT 2019] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1  11 Sep 2018
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
[Tue Oct  1 21:25:45 EDT 2019] pid
[Tue Oct  1 21:25:45 EDT 2019] No need to restore nginx, skip.
[Tue Oct  1 21:25:45 EDT 2019] _clearupdns
[Tue Oct  1 21:25:45 EDT 2019] dns_entries
[Tue Oct  1 21:25:45 EDT 2019] skip dns.

All 11 comments

@phantomdez sounds like you have the wrong token

errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.5e1d2d8b2891e26d9aaf665da812cbe1' requires permission 'com.cloudflare.api.account.zone.list' to list zones for 'com.cloudflare.api.account.FTZoneEdit'"}],"messages":[],"result":null}'

I rolled my API token and updated my account.conf file with the new token but I still get the error. Is there a permission on my API Token I might be missing? I have given it additional permissions of
Zone.Zone Settings, Zone.Zone, Zone.DNS. I have tried this with the Global API key as well and I get the same error.

[Wed Oct 2 10:54:55 EDT 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Wed Oct 2 10:54:55 EDT 2019] Adding txt value: 3YoCU7FySdS1tpIkZGqvbIhKBJIlCZdgO1uaV0EZfOs for domain: _acme-challenge.test.my-domain.com
[Wed Oct 2 10:54:55 EDT 2019] First detect the root zone
[Wed Oct 2 10:54:55 EDT 2019] h='_acme-challenge.test.my-domain.com'
[Wed Oct 2 10:54:55 EDT 2019] zones?name=_acme-challenge.test.my-domain.com&account.id=FTZoneEdit
[Wed Oct 2 10:54:55 EDT 2019] GET
[Wed Oct 2 10:54:55 EDT 2019] url='https://api.cloudflare.com/client/v4/zones?name=_acme-challenge.test.my-domain.com&account.id=FTZoneEdit'
[Wed Oct 2 10:54:55 EDT 2019] timeout=
[Wed Oct 2 10:54:55 EDT 2019] Http already initialized.
[Wed Oct 2 10:54:55 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.dxPfH17NBD -g '
[Wed Oct 2 10:54:55 EDT 2019] ret='0'
[Wed Oct 2 10:54:55 EDT 2019] response='{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.5e1d2d8b2891e26d9aaf665da812cbe1' requires permission 'com.cloudflare.api.account.zone.list' to list zones for 'com.cloudflare.api.account.FTZoneEdit'"}],"messages":[],"result":null}'
[Wed Oct 2 10:54:55 EDT 2019] h='test.my-domain.com'
[Wed Oct 2 10:54:55 EDT 2019] zones?name=test.my-domain.com&account.id=FTZoneEdit
[Wed Oct 2 10:54:55 EDT 2019] GET
[Wed Oct 2 10:54:55 EDT 2019] url='https://api.cloudflare.com/client/v4/zones?name=test.my-domain.com&account.id=FTZoneEdit'
[Wed Oct 2 10:54:55 EDT 2019] timeout=
[Wed Oct 2 10:54:55 EDT 2019] Http already initialized.
[Wed Oct 2 10:54:55 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.dxPfH17NBD -g '
[Wed Oct 2 10:54:55 EDT 2019] ret='0'
[Wed Oct 2 10:54:55 EDT 2019] response='{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.5e1d2d8b2891e26d9aaf665da812cbe1' requires permission 'com.cloudflare.api.account.zone.list' to list zones for 'com.cloudflare.api.account.FTZoneEdit'"}],"messages":[],"result":null}'
[Wed Oct 2 10:54:55 EDT 2019] h='my-domain.com'
[Wed Oct 2 10:54:55 EDT 2019] zones?name=my-domain.com&account.id=FTZoneEdit
[Wed Oct 2 10:54:55 EDT 2019] GET
[Wed Oct 2 10:54:55 EDT 2019] url='https://api.cloudflare.com/client/v4/zones?name=my-domain.com&account.id=FTZoneEdit'
[Wed Oct 2 10:54:55 EDT 2019] timeout=
[Wed Oct 2 10:54:55 EDT 2019] Http already initialized.
[Wed Oct 2 10:54:55 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.dxPfH17NBD -g '
[Wed Oct 2 10:54:56 EDT 2019] ret='0'
[Wed Oct 2 10:54:56 EDT 2019] response='{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.5e1d2d8b2891e26d9aaf665da812cbe1' requires permission 'com.cloudflare.api.account.zone.list' to list zones for 'com.cloudflare.api.account.FTZoneEdit'"}],"messages":[],"result":null}'
[Wed Oct 2 10:54:56 EDT 2019] h='com'
[Wed Oct 2 10:54:56 EDT 2019] zones?name=com&account.id=FTZoneEdit
[Wed Oct 2 10:54:56 EDT 2019] GET
[Wed Oct 2 10:54:56 EDT 2019] url='https://api.cloudflare.com/client/v4/zones?name=com&account.id=FTZoneEdit'
[Wed Oct 2 10:54:56 EDT 2019] timeout=
[Wed Oct 2 10:54:56 EDT 2019] Http already initialized.
[Wed Oct 2 10:54:56 EDT 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.dxPfH17NBD -g '
[Wed Oct 2 10:54:56 EDT 2019] ret='0'
[Wed Oct 2 10:54:56 EDT 2019] response='{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.5e1d2d8b2891e26d9aaf665da812cbe1' requires permission 'com.cloudflare.api.account.zone.list' to list zones for 'com.cloudflare.api.account.FTZoneEdit'"}],"messages":[],"result":null}'
[Wed Oct 2 10:54:56 EDT 2019] h
[Wed Oct 2 10:54:56 EDT 2019] invalid domain
[Wed Oct 2 10:54:56 EDT 2019] Error add txt for domain:_acme-challenge.test.my-domain.com
[Wed Oct 2 10:54:56 EDT 2019] _on_issue_err
[Wed Oct 2 10:54:56 EDT 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log
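
The log above shows the root-zone walk trying each parent name and ending in "invalid domain", although every lookup was rejected for a missing permission. The sketch below is an added example, not acme.sh's `dns_cf.sh` code: it reproduces that walk against a stubbed lookup with constructed responses and reports the API error instead of masking it. `cf_zone_lookup`, `find_root_zone` and `MODE` are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example, NOT acme.sh code. It mimics the zone walk visible in the debug log.

# Stub standing in for GET /zones?name=<h>&account.id=<id>; responses are constructed.
#   MODE=denied -> every lookup returns a permission error, as in the thread
#   MODE=ok     -> my-domain.com resolves to a zone; anything else is an empty result
cf_zone_lookup() {
  case "$MODE:$1" in
    denied:*)
      printf '%s' '{"success":false,"errors":[{"code":0,"message":"Actor requires permission to list zones"}],"result":null}' ;;
    ok:my-domain.com)
      printf '%s' '{"success":true,"errors":[],"result":[{"id":"ZONE_ID_PLACEHOLDER","name":"my-domain.com"}]}' ;;
    *)
      printf '%s' '{"success":true,"errors":[],"result":[]}' ;;
  esac
}

# Strip one label at a time, as the log's h='...' lines do. Prints one of:
#   zone:<name>  |  auth-error:<message>  |  invalid-domain
find_root_zone() {
  h="$1"
  api_error=""
  while [ -n "$h" ]; do
    resp=$(cf_zone_lookup "$h")
    case "$resp" in
      *'"success":false'*)
        # Remember the API's own message so it is not lost when the walk ends.
        api_error=$(printf '%s' "$resp" | sed -n 's/.*"message":"\([^"]*\)".*/\1/p') ;;
      *'"name":"'"$h"'"'*)
        echo "zone:$h"
        return 0 ;;
    esac
    case "$h" in
      *.*) h="${h#*.}" ;;   # drop the leftmost label
      *)   h="" ;;          # last label tried, stop
    esac
  done
  if [ -n "$api_error" ]; then
    echo "auth-error:$api_error"   # rejected credentials, not a bad domain
    return 2
  fi
  echo "invalid-domain"            # lookups succeeded but no zone matched
  return 1
}

MODE=denied
find_root_zone _acme-challenge.test.my-domain.com || true
```

Run as written, it prints the `auth-error:` line for the denied case; the same walk with no API error and no matching zone is the only path that reports `invalid-domain`.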

In the API edit page, make sure the Zone Resources is Include => All zones.

It is set to all zones.
And I tested my token and it was accepted through the testing that Cloudflare provides when you roll your token.

Also, when I run the issue command, my Cloudflare account shows that the last used time was just a second ago. So it seems to be accepting of it.

If you want to try again with the global key, please remove the API key from the account.conf first.

OK, weird. I tested with the global key last night and it didn't work, but today it did. I must have been tired last night and missed something. Something with my token doesn't seem to have permission.

It works after setting Permission to Zone.Zone, Zone.DNS, and Resources to All zones.

I read that setting already and set it to that. I cannot understand why my token is still rejecting it though. I even created a new token from scratch and I have the same issues. The global token works. I have been looking through the code and making my own API calls from the command line to find out why it might be failing. Unfortunately, I don't have much for logging on the Cloudflare site in terms of failures.

Zone.Zone, Zone.DNS | All zones
-- | --

@phantomdez If you selected "All Zones from an account" in the API token settings (fig. 1), you also need to set the value of CF_Account_ID to your "Account ID", which can be seen at the right bottom of your domain's overview page (fig. 2).

image

image

By the way, I think it's a good idea to record the solution to the wiki.

This is working for me with the permissions for the API token set to only the specific zone resource/domain (not "All zones") for renewals only.

To issue the certificate, the API token permissions need to be set to "All zones."

OK, so it's been a while on this one and I finally had a chance to test things out. It seems I had been referencing the wrong Account ID. I wasn't clear on what that was supposed to be, but Cloudflare doesn't make the account ID obvious on the API token page and I was entering the wrong info. Thanks for clarifying the Account ID location.
