Netgate Discussion Forum

ACME DNS Challenge & Cloudflare

6 Posts 4 Posters 3.7k Views
  • rkgraves
    last edited by Oct 30, 2019, 3:11 AM

    Thanks for your help!

    I'm having trouble getting the ACME DNS challenge to work with Cloudflare. I first attempted this on a production domain without success. For troubleshooting I have a fresh pfSense install with only the ACME package added.

    In both cases when attempting to request a certificate I receive the below error message:
    (xxxx substituted for actual domain name)

    [Tue Oct 29 20:06:45 PDT 2019] Single domain='pf-cite.xxxx.info'
    [Tue Oct 29 20:06:45 PDT 2019] Getting domain auth token for each domain
    [Tue Oct 29 20:06:47 PDT 2019] Getting webroot for domain='pf-cite.xxxx.info'
    [Tue Oct 29 20:06:47 PDT 2019] Adding txt value: 0htNTdBUQ22vSgCDfQmJZ1R6OLR0352eK6Atq_UPyUA for domain: _acme-challenge.pf-cite.xxxx.info
    [Tue Oct 29 20:06:48 PDT 2019] invalid domain
    [Tue Oct 29 20:06:48 PDT 2019] Error add txt for domain:_acme-challenge.pf-cite.xxxx.info

    Dynamic DNS with Cloudflare works 100%.

    I've reviewed the pfSense provided video and exhausted all web resources found to-date.
    Any help is appreciated!

    Thank you,
    RKGraves

    1 Reply Last reply Reply Quote 1
    • rkgraves
      last edited by rkgraves Oct 30, 2019, 6:53 PM Oct 30, 2019, 6:52 PM

      Thanks to everyone who viewed my post for potential help, I appreciate it!

      I found my ACME - Cloudflare DNS-01 configuration error. The error was with how I created my Cloudflare API Token:

      Cloudflare API Token: (incorrect)
      Permissions:
      Zone-DNS: Edit

      Zone Resources:
      Include-All zones

      Cloudflare API Token: (corrected)
      Permissions:
      Zone-Zone: Read
      Zone-DNS: Edit

      Zone Resources:
      Include-All zones (could also be a single zone)

      Again, thank you,
      RKGraves

      A 1 Reply Last reply Dec 20, 2019, 3:01 PM Reply Quote 3
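The reason the second token works and the first does not is the order of operations in a DNS-01 hook: before a TXT record can be added, the client has to resolve the record name (`_acme-challenge.pf-cite.xxxx.info`) to the Cloudflare zone that holds it, and that lookup is a zone read, not a DNS edit. The script below is an added example, not code from the forum posters or from the pfSense ACME package: it reproduces the zone walk and the two permission outcomes offline with a constructed `FakeCloudflare` stand-in (placeholder zone id, constructed TXT value), and models the token's Zone Resources scope as the set of zones the token may read or edit, so it also shows what happens when the scope does not include the zone the walk reaches. The `live_zone_lister` helper assumes only the `Authorization: Bearer` header and the `GET /zones?name=` endpoint of the real API and is not exercised offline.

```python
"""Why the ACME Cloudflare DNS-01 hook needs Zone:Read as well as DNS:Edit.

Added example; FakeCloudflare, scenario() and all ids/values are constructed.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

CF_API = "https://api.cloudflare.com/client/v4"

ZoneLister = Callable[[str], List[Dict[str, str]]]


def find_zone(fqdn: str, list_zones: ZoneLister) -> Optional[Dict[str, str]]:
    """Walk up the labels of fqdn until a zone the token can see is found.

    _acme-challenge.pf-cite.xxxx.info -> pf-cite.xxxx.info -> xxxx.info
    The walk stops before the bare TLD. A token without Zone:Read (or scoped
    to a different zone) sees no zone at any step, and the caller reports
    "invalid domain" exactly as the thread's log does.
    """
    labels = fqdn.strip(".").split(".")
    for i in range(0, len(labels) - 1):
        matches = list_zones(".".join(labels[i:]))
        if matches:
            return matches[0]
    return None


def add_challenge_txt(fqdn: str, value: str, api: "FakeCloudflare") -> str:
    """Return the status the hook would log for this token."""
    zone = find_zone(fqdn, api.list_zones)
    if zone is None:
        return "invalid domain"
    api.add_txt(zone["id"], fqdn, value)
    return f"added TXT {fqdn} in zone {zone['name']}"


class FakeCloudflare:
    """Constructed stand-in for the Cloudflare API so the example runs offline.

    readable / editable are the zone names on which the token holds
    Zone:Read and DNS:Edit respectively (permissions combined with the
    token's Zone Resources scope).
    """

    def __init__(self, zones: Dict[str, str], readable: set, editable: set):
        self.zones = zones          # zone name -> zone id (constructed)
        self.readable = readable
        self.editable = editable
        self.records: List[Dict[str, str]] = []

    def list_zones(self, name: str) -> List[Dict[str, str]]:
        # GET /zones?name=... only lists zones the token may read
        if name in self.zones and name in self.readable:
            return [{"id": self.zones[name], "name": name}]
        return []

    def add_txt(self, zone_id: str, name: str, content: str) -> None:
        # POST /zones/{id}/dns_records requires DNS:Edit on that zone
        zone_name = next(n for n, i in self.zones.items() if i == zone_id)
        if zone_name not in self.editable:
            raise PermissionError(f"token lacks DNS:Edit on {zone_name}")
        self.records.append({"zone": zone_id, "type": "TXT",
                             "name": name, "content": content})


def live_zone_lister(token: str) -> ZoneLister:
    """Build a list_zones callable against the real API (assumed endpoint)."""
    def list_zones(name: str) -> List[Dict[str, str]]:
        url = f"{CF_API}/zones?{urllib.parse.urlencode({'name': name})}"
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = json.load(resp)
        return [{"id": z["id"], "name": z["name"]}
                for z in body.get("result", [])]
    return list_zones


# Constructed scenario data: the thread's masked zone and a made-up TXT value
ZONES = {"xxxx.info": "zone-id-placeholder"}
CHALLENGE = "_acme-challenge.pf-cite.xxxx.info"
TXT_VALUE = "constructed-challenge-value"


def scenario(zone_read: bool, dns_edit: bool = True) -> str:
    """Run the hook against a token with the given permissions on xxxx.info."""
    api = FakeCloudflare(ZONES,
                         readable={"xxxx.info"} if zone_read else set(),
                         editable={"xxxx.info"} if dns_edit else set())
    try:
        return add_challenge_txt(CHALLENGE, TXT_VALUE, api)
    except PermissionError as exc:
        return f"permission denied ({exc})"


if __name__ == "__main__":
    print("DNS:Edit only        ->", scenario(zone_read=False))
    print("Zone:Read + DNS:Edit ->", scenario(zone_read=True))
    print("Zone:Read only       ->", scenario(zone_read=True, dns_edit=False))
```

Run it with no arguments to see the three outcomes; swapping `api.list_zones` for `live_zone_lister(token)` turns `find_zone` into a preflight check of a real token's read scope before you hand it to the ACME package.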
      • artooro @rkgraves
        last edited by Dec 20, 2019, 3:01 PM

        @rkgraves I have not been able to get it to work setting the zone resource to a single zone. Unless I set the token to have access to all zones it fails with the invalid domain error.

        Have you been able to get it to work? I want to restrict the API tokens to the zone if at all possible.

        1 Reply Last reply Reply Quote 1
        • rkgraves
          last edited by Dec 20, 2019, 6:22 PM

          @artooro - Yes, I verified that it is working correctly with these settings.

          Cloudflare API Token:
          Permissions:
          Zone-Zone: Read
          Zone-DNS: Edit

          Zone Resources:
          Include-All zones

          From my original post I noted that Zone Resources could point to a single zone. But I did not test that. For this domain name I have a simple parent DNS Zone hosted in Cloudflare.

          Let me know if I can help,
          Merry Christmas,
          Randy Graves

          F 1 Reply Last reply Feb 6, 2020, 8:53 AM Reply Quote 3
          • fsamareanu @rkgraves
            last edited by Feb 6, 2020, 8:53 AM

            @rkgraves just want to add this worked for me as well.

            1 Reply Last reply Reply Quote 1
            • tknospdr
              last edited by Aug 4, 2023, 5:18 PM

              Just wanted to add some relevant info to this topic for posterity.

              I just moved one of my domains' DNS service to Cloudflare in order to test out their Acme integration.
              Worked like a charm.

              All I put into the table was the 'Key' and 'Email'; leaving all the other fields blank worked a treat.

              1 Reply Last reply Reply Quote 0
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.