Lego: Cloudflare needs "Account.Account Settings"

Created on 25 Dec 2019 · 6 Comments · Source: go-acme/lego

The docs mention 2 of the 3 permissions needed. Due to the use of ListZonesContext, the permission for "Account -> Account Settings" is also required. Otherwise an error like this is returned:

acme: Error -> One or more domains had a problem:[sub.domain.com]
[sub.domain.com] acme: error presenting token: cloudflare: failed to find zone domain.com.: ListZonesContext command failed: error from makeRequest: HTTP status 403: insufficient permissions

All 6 comments

Hm, that must be a recent change in their API. I've just recently (11 days ago) created a new certificate with Cloudflare, using Zone/DNS/Edit and Zone/Zone/Read permission. Also, their API docs list for List Zones only #zone:read as needed.

Can you double check to which resources you have the Zone/Read permission scoped (include all zones, or all zones from an account, or specific zone)? The last option does not work with Lego.

Ah, I re-read the documentation and it's actually quite clear about all this, including the support for the split tokens. My mistake in missing those details.

FWIW, I think my solution of using this:

[email protected] Account - Account Settings:Read
domain.com - Zone:Read, DNS:Edit

Allows for a single token which only grants "DNS:Edit" for the one domain that lego is working with and read permissions otherwise might be easier than the split token approach.

Hello!

I recently switched to Cloudflare and am having this exact issue.
While I read and re-read the issues and docs, and tried every combo of settings under API token permissions (including specifying all zones etc.), I keep getting a 403 error when listing zones.

I'm currently trying two tokens, CF_DNS pointing to Zone.DNS.Edit and CF_ZONE key with Zone.Zone.Read, tried adding Zone.Settings and User.Account settings, with little success.

The EMAIL/API_KEY route seems broken to me as well, I'm getting the following error:
acme: error presenting token: cloudflare: failed to find zone com.: Zone could not be found\n" providerName=le.acme

My guess is that it might be missing a zone ID in some request and Cloudflare thinks it's trying to edit the .com TLD...

Any help or debugging tips would be helpful, I'd love to be able to see the actual requests/responses in a trace log.

@bablat
I got the same error and solved it with:

[image]

The documentation says:
You also need to scope the access to all your domains for this to work.

Not 100% sure, but I think this is connected to the screenshot.

I did this the first time today...no guarantees but I got my certificate ;-)

EDIT:
If I try to get a certificate now for my internal domain "*.int.mydomain.com" I get the same error message...

cloudflare: failed to find zone int.mydomain.com: ListZonesContext command failed: errorfrom makeRequest: HTTP status 403: insufficient permissions

I'm not sure if this is a configuration issue in cloudflare or if it is a problem with lego ... I have only a zone for "mydomain.com"

@peschu123 did you find any workaround for subdomains?

@lexfrei my issue ended up being a split-DNS configuration, acme resolved DNS challenges against the wrong DNS server.

I found a configuration flag that lets you set explicit DNS servers for DNS challenges, which solved the problem.
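
The error lines quoted in this thread fall into three cases that call for different fixes. The triage helper below is an added example, not code from lego or from any commenter; the `Triage` function, its diagnosis labels and the `tokenZones` input are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Diagnosis labels are this example's own wording, not lego output.
const (
	Unrelated    = "not a Cloudflare zone lookup error"
	BareTLD      = "zone detected as a bare TLD: check which DNS servers answer the zone lookup"
	ZoneMismatch = "detected zone is not one the token covers: fix zone detection (DNS resolvers, split DNS) first"
	TokenScope   = "zone is right but listing it returned 403: check token permissions and zone scoping"
	Other        = "zone lookup failed for another reason"
)

// zoneErr captures the zone name and the cause from the error format quoted in the thread.
var zoneErr = regexp.MustCompile(`cloudflare: failed to find zone ([^\s:]+): (.*)`)

// Triage classifies one error line. tokenZones is operator-supplied (hypothetical input):
// the Cloudflare zones the API token is meant to cover.
func Triage(line string, tokenZones []string) string {
	m := zoneErr.FindStringSubmatch(line)
	if m == nil {
		return Unrelated
	}
	zone := strings.ToLower(strings.TrimSuffix(m[1], "."))
	if !strings.Contains(zone, ".") {
		return BareTLD
	}
	covered := false
	for _, z := range tokenZones {
		covered = covered || strings.EqualFold(strings.TrimSuffix(z, "."), zone)
	}
	switch {
	case !covered:
		return ZoneMismatch
	case strings.Contains(m[2], "HTTP status 403"):
		return TokenScope
	}
	return Other
}

func main() {
	// Error text taken from the thread (second line shortened); the zone lists are constructed.
	fmt.Println(Triage("cloudflare: failed to find zone domain.com.: ListZonesContext command failed: error from makeRequest: HTTP status 403: insufficient permissions", []string{"domain.com"}))
	fmt.Println(Triage("cloudflare: failed to find zone int.mydomain.com: ListZonesContext command failed: HTTP status 403", []string{"mydomain.com"}))
	fmt.Println(Triage("cloudflare: failed to find zone com.: Zone could not be found", []string{"mydomain.com"}))
}
```

A zone name in the error that differs from the zone held at Cloudflare points at zone detection rather than at the token, so adding permissions alone will not clear it.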
