v2.7.2: Dynamic DNS not working with Cloudflare
-
After years of working fine, my pfSense no longer updates my dynamic DNS on Cloudflare. The error I receive is:
/services_dyndns_edit.php: phpDynDNS (bouncer): PAYLOAD: {"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6103,"message":"Invalid format for X-Auth-Key header"}]}],"messages":[],"result":null}
This seems like a recent issue; perhaps it occurred after I reconfigured my network card to use a different interface for WAN (igb3 instead of igb0). I am not 100% sure if this is related though.
I found several similar posts with a similar error message but I am not smart enough to understand them.
Is someone willing to help me debug?
Thank you.
-
Here is the detailed log with some anonymization applied.
Jun 29 09:55:19 bouncer php-fpm[57057]: /services_dyndns_edit.php: Configuration Change: admin@192.168.1.10 (Local Database): Dynamic DNS client configured.
Jun 29 09:55:19 bouncer check_reload_status[428]: Syncing firewall
Jun 29 09:55:27 bouncer php-fpm[397]: /services_dyndns_edit.php: Configuration Change: admin@192.168.1.10 (Local Database): Dynamic DNS client configured.
Jun 29 09:55:27 bouncer check_reload_status[428]: Syncing firewall
Jun 29 09:55:27 bouncer php-fpm[397]: /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
Jun 29 09:55:27 bouncer php-fpm[397]: /services_dyndns_edit.php: Dynamic DNS cloudflare (xxxx.yyyy.com): _checkIP() starting.
Jun 29 09:55:28 bouncer php-fpm[397]: /services_dyndns_edit.php: Dynamic DNS cloudflare (xxxx.yyyy.com): 73.222.111.0 extracted from local system.
Jun 29 09:55:28 bouncer php-fpm[397]: /services_dyndns_edit.php: Dynamic DNS (xxxx.yyyy.com): running get_failover_interface for wan. found igb3
Jun 29 09:55:28 bouncer php-fpm[397]: /services_dyndns_edit.php: Dynamic DNS cloudflare (xxxx.yyyy.com): _update() starting.
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: HTTP/2 400
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: date: Sun, 29 Jun 2025 13:55:29 GMT
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: content-type: application/json
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: cf-ray: 9575ebfcdc271281-IAD
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: cf-cache-status: DYNAMIC
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: expires: Sun, 25 Jan 1981 05:00:00 GMT
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: set-cookie: __cflb=0fgsdgdgdsfgsdfgnV4sqQxBDdatu; SameSite=Lax; path=/; expires=Sun, 29-Jun-25 16:25:30 GMT; HttpOnly
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: strict-transport-security: max-age=31536000
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: pragma: no-cache
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: api-version: 2025-06-29
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: cf-auditlog-id: 01666bf8-b66e-7162-669e-14c876666d14
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: x-content-type-options: nosniff
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: x-frame-options: SAMEORIGIN
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: set-cookie: __cf_bm=vkU1tEsnu1SHboq99FLoJC24WhkOoU4Lmma1gKLPqOs-1751205329-1.0.1.1-e.3qjveijEGwC3e2d2vAD6_4eUpkRXX6SWmEcuodfgsdfgdsgsdgsdfgoE4YnVAQFf.lolGOAEpVxi4M.UAcIu519f3LM; path=/; expires=Sun, 29-Jun-25 14:25:29 GMT; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: set-cookie: _cfuvid=3oQj6x4HxrwobdsdfgdsfgsdfgdgsdgfdZC1u_vA-1751205329510-0.0.1.1-604800000; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header: server: cloudflare
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header:
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Header:
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Response Data: {"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6103,"message":"Invalid format for X-Auth-Key header"}]}],"messages":[],"result":null}
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Dynamic DNS cloudflare (xxxx.yyyy.com): _checkStatus() starting.
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: phpDynDNS (bouncer): PAYLOAD: {"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6103,"message":"Invalid format for X-Auth-Key header"}]}],"messages":[],"result":null}
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: phpDynDNS (bouncer): UNKNOWN ERROR - Invalid request headers
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Dynamic DNS cloudflare (xxxx.yyyy.com): _checkStatus() ending.
Jun 29 09:55:29 bouncer php-fpm[397]: /services_dyndns_edit.php: Dynamic DNS cloudflare (xxxx.yyyy.com): _update() ending.
Jun 29 09:55:39 bouncer php-fpm[57057]: /services_dyndns_edit.php: Configuration Change: admin@192.168.1.10 (Local Database): Dynamic DNS client configured.
Jun 29 09:55:39 bouncer check_reload_status[428]: Syncing firewall
-
One more piece of information. ChatGPT wrote me the script below to update Cloudflare DDNS from the command line. I can report that this script works. So this must be something in pfSense that is not working. Help really appreciated.
#!/bin/sh

# Config
ZONE_ID="aaa"
RECORD_ID="bbb"
API_TOKEN="ccc"
RECORD_NAME="ddd"
IP_FILE="/tmp/current_ip.txt"

# Get current public IP
CURRENT_IP="$(curl -s https://api.ipify.org)"
if [ -z "$CURRENT_IP" ]; then
    echo "Failed to get current IP."
    exit 1
fi

# Check if IP has changed
if [ -f "$IP_FILE" ]; then
    OLD_IP="$(cat "$IP_FILE")"
    if [ "$OLD_IP" = "$CURRENT_IP" ]; then
        echo "IP has not changed ($CURRENT_IP). No update needed."
        exit 0
    fi
fi

# Update DNS record
RESPONSE=$(curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
    -H "Authorization: Bearer $API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "{\"type\":\"A\",\"name\":\"$RECORD_NAME\",\"content\":\"$CURRENT_IP\",\"ttl\":300,\"proxied\":false}")

# Check result
SUCCESS=$(echo "$RESPONSE" | grep '"success":true')
if [ -n "$SUCCESS" ]; then
    echo "$CURRENT_IP" > "$IP_FILE"
    echo "DNS record updated to $CURRENT_IP"
else
    echo "Failed to update DNS:"
    echo "$RESPONSE"
    exit 1
fi
-
OK, I finally took 10 seconds to read the requirement for the username:
Cloudflare: Enter email for Global API Key or (optionally) Zone ID for API token.
I was entering my email address but am using an API token. This does not work. One must use the Zone ID when using the API token. Once I used the Zone ID, the updates started working again.
This configuration was a few years old; maybe something changed at Cloudflare. In any case, this is solved.
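The pairing rule from the post above, as an added pre-flight check (not part of the original post and not pfSense's own code). It assumes an e-mail username selects the X-Auth-Email/X-Auth-Key headers, that a Global API Key is 37 hex characters and a Zone ID is 32 hex characters; the function names and sample values are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of the username/secret pairing for a
# Cloudflare DDNS client. Format rules are ASSUMPTIONS, not from the thread:
# Global API Key = 37 hex chars, Zone ID = 32 hex chars.

# matches VALUE REGEX -> exit status 0 if VALUE matches the extended regex
matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# cf_auth_mode USERNAME -> "global-key" for an e-mail username, else "token"
cf_auth_mode() {
    case "$1" in
        *@*) echo "global-key" ;;
        *)   echo "token" ;;
    esac
}

# cf_check_pair USERNAME SECRET -> prints a verdict; status 0 only when consistent
cf_check_pair() {
    mode=$(cf_auth_mode "$1")
    if [ "$mode" = "global-key" ]; then
        if matches "$2" '^[0-9a-f]{37}$'; then
            echo "OK: e-mail + Global API Key"
            return 0
        fi
        # The thread's case: an API token sent where a Global API Key is expected.
        echo "MISMATCH: e-mail username but secret is not a Global API Key; use the Zone ID as username for an API token"
        return 1
    fi
    if matches "$2" '^[0-9a-f]{37}$'; then
        echo "MISMATCH: Global API Key needs the account e-mail as username"
        return 1
    fi
    if ! matches "$1" '^[0-9a-f]{32}$'; then
        echo "MISMATCH: username is neither an e-mail nor a 32-hex Zone ID"
        return 1
    fi
    echo "OK: Zone ID + API token"
}

# Constructed sample values (not real credentials).
ZONE="0123456789abcdef0123456789abcdef"
TOKEN="AbCdEfGhIjKlMnOpQrStUvWxYz0123456789_-AB"
cf_check_pair "admin@example.com" "$TOKEN" || true   # the failing setup from the thread
cf_check_pair "$ZONE" "$TOKEN" || true               # the working setup
```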
-
@revengineer Mine broke when I went to 2.8.0. I've tried variations of the id, Token and Zone ID, but nothing is working. Not getting an error from Cloudflare but it is saying it can't get my external IP.
-
@70tas This seems to be a different failure mode. I encountered the problem on 2.7.2 and, having fixed it, it still works after updating to 2.8.0. You could try running my script or the commands manually so that you can see where it gets stuck.
-
@revengineer Thank you. I will, but I think I will delete the client first and then recreate it. I have run the curl against a couple of sites, and it is detecting the IP.
If it doesn’t work, I’ll try your script, but I’m not sure where to get the record ID.
And I also changed my port, so I’m wondering if that had something to do with it.
Thank you
-
@70tas You can get the record id with this command:
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/dns_records?type=A&name=home.example.com" \
    -H "Authorization: Bearer YOUR_API_TOKEN" \
    -H "Content-Type: application/json"
You have to supply your zone ID, domain name, and API token.
This is all in the Cloudflare documentation, but these are the kind of things that I use ChatGPT for because it is faster than a web search.
-
@revengineer Starting to use GPT4All for help in scripting. The only problem is it spits out code as long and structured as COBOL. ;)
It is all good I guess.
-
@revengineer So I was able to finally register my IP.
It appears that Cloudflare may only be using API_tokens now so it wouldn't work with my old Global Token; maybe. I followed the above script, after creating an API token, and it worked.
I tried to enter the information in the pfSense DDNS client form, but it is still not working. So I downloaded Cron and added a job every half hour; if it works, I'll modify it to save the IP and only update when it changes.
Thank you very much for your help.