ACME DNS Challenge & Cloudflare
- 
 Thanks for your help! I'm having trouble getting the ACME DNS challenge to work with Cloudflare. I first attempted this on a production domain without success. For troubleshooting I have a fresh pfSense install with only the ACME package added. In both cases, when attempting to request a certificate, I receive the below error message (xxxx substituted for the actual domain name):
 [Tue Oct 29 20:06:45 PDT 2019] Single domain='pf-cite.xxxx.info'
 [Tue Oct 29 20:06:45 PDT 2019] Getting domain auth token for each domain
 [Tue Oct 29 20:06:47 PDT 2019] Getting webroot for domain='pf-cite.xxxx.info'
 [Tue Oct 29 20:06:47 PDT 2019] Adding txt value: 0htNTdBUQ22vSgCDfQmJZ1R6OLR0352eK6Atq_UPyUA for domain: _acme-challenge.pf-cite.xxxx.info
 [Tue Oct 29 20:06:48 PDT 2019] invalid domain
 [Tue Oct 29 20:06:48 PDT 2019] Error add txt for domain:_acme-challenge.pf-cite.xxxx.info
 Dynamic DNS with Cloudflare works 100%. I've reviewed the pfSense-provided video and exhausted all web resources found to date.
 Any help is appreciated!
 Thank you,
 RKGraves
- 
 Thanks to everyone who viewed my post for potential help, I appreciate it! I found my ACME - Cloudflare DNS-01 configuration error. The error was with how I created my Cloudflare API Token:
 Cloudflare API Token (incorrect):
 Permissions:
 Zone - DNS: Edit
 Zone Resources:
 Include - All zones
 Cloudflare API Token (corrected):
 Permissions:
 Zone - Zone: Read
 Zone - DNS: Edit
 Zone Resources:
 Include - All zones (could also be a single zone)
 Again, thank you,
 RKGraves
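 The corrected token above adds Zone:Read next to DNS:Edit. The reason that matters, as I understand acme.sh's Cloudflare hook (an assumption here, not something the thread states), is that before it can add the TXT record it has to translate the challenge name into a zone ID by asking the API which zone owns the name, walking up the labels until a zone is found; a token that may edit DNS but may not read or list zones never finds one, and the hook gives up with "invalid domain". The script below is an added diagnostic written for this thread, not code from pfSense, acme.sh or Cloudflare. It performs that same zone lookup with the token from the CF_Token environment variable and reports which step fails. The offline fake transport and the JSON it returns are constructed for the example; the real API responses may carry more fields.

```python
"""Diagnose the acme.sh "invalid domain" failure against a Cloudflare API token.

Added example for the thread above; not part of pfSense, acme.sh or Cloudflare.
Usage (live):   CF_Token=... python3 cf_token_check.py _acme-challenge.pf-cite.example.info
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cf_get(token: str, path: str) -> dict:
    """Authenticated GET against the Cloudflare v4 API; returns the JSON envelope
    even on 4xx, because Cloudflare puts its error details in that body."""
    req = urllib.request.Request(
        API + path,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def candidate_zones(fqdn: str) -> list:
    """Suffixes of the challenge name that could be the hosted zone, longest first.
    '_acme-challenge.a.b.info' -> ['_acme-challenge.a.b.info', 'a.b.info', 'b.info']."""
    labels = fqdn.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_zone(fqdn: str, get):
    """Mirror the zone lookup a DNS-01 hook must perform: ask the API for each
    candidate suffix by name and take the first one the token can see."""
    for name in candidate_zones(fqdn):
        body = get(f"/zones?name={name}")
        if body.get("success") and body.get("result"):
            return body["result"][0]["id"], name
    return None


def diagnose(token: str, fqdn: str, get=None):
    """Return (ok, message). 'get' is injectable so the check can run offline."""
    get = get or (lambda path: cf_get(token, path))
    verify = get("/user/tokens/verify")
    if not verify.get("success"):
        return False, "token rejected by /user/tokens/verify: " + json.dumps(verify.get("errors"))
    found = find_zone(fqdn, get)
    if found is None:
        return False, (f"invalid domain: token cannot see any zone for {fqdn}; "
                       "grant Zone:Read (Zone - Zone: Read) on the zone as well as DNS:Edit")
    zone_id, zone_name = found
    return True, f"ok: {fqdn} belongs to zone {zone_name} (id {zone_id})"


def make_fake(visible_zones):
    """Offline stand-in for cf_get built from CONSTRUCTED responses (not real API output).
    Models a token that can only see the zones in 'visible_zones'."""
    def get(path: str) -> dict:
        if path == "/user/tokens/verify":
            return {"success": True, "result": {"status": "active"}}
        if path.startswith("/zones?name="):
            name = path.split("=", 1)[1]
            hits = [{"id": f"zoneid-{z}", "name": z} for z in visible_zones if z == name]
            return {"success": True, "result": hits}
        return {"success": False, "errors": [{"message": "unexpected path"}]}
    return get


if __name__ == "__main__":
    if len(sys.argv) != 2 or "CF_Token" not in os.environ:
        sys.exit("usage: CF_Token=<api token> cf_token_check.py <challenge fqdn>")
    ok, msg = diagnose(os.environ["CF_Token"], sys.argv[1])
    print(msg)
    sys.exit(0 if ok else 1)
```

 The live run needs network access and a real token; the fake transport is there so the same logic can be exercised without either. Restricting Zone Resources to a single zone works with this lookup as long as that zone is the one returned for one of the candidate suffixes, which is why a token scoped to the wrong zone, or to none, produces the same "invalid domain" result as a token lacking Zone:Read.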
- 
 @rkgraves I have not been able to get it to work setting the zone resource to a single zone. Unless I set the token to have access to all zones it fails with the invalid domain error. Have you been able to get it to work? I want to restrict the API tokens to the zone if at all possible. 
- 
 @artooro - Yes, I verified that it is working correctly with these settings.
 Cloudflare API Token:
 Permissions:
 Zone - Zone: Read
 Zone - DNS: Edit
 Zone Resources:
 Include - All zones
 From my original post I noted that Zone Resources could point to a single zone. But I did not test that. For this domain name I have a simple parent DNS Zone hosted in Cloudflare. Let me know if I can help,
 Merry Christmas,
 Randy Graves
- 
 @rkgraves just want to add this worked for me as well. 
- 
- 
 Just wanted to add some relevant info to this topic for posterity. I just moved one of my domains' DNS service to Cloudflare in order to test out their ACME integration.
 Worked like a charm. All I put into the table was the 'Key' and 'Email'; leaving all the other fields blank worked a treat.
