
Unable to issue the cert with Cloudflare API. Possibly Cloudflare DNS issue #3013

Closed
unmec opened this issue Jun 28, 2020 · 3 comments

Comments

@unmec

unmec commented Jun 28, 2020

Problem: _acme-challenge.example.com never becomes valid; endless check loop every 10 seconds.

acme.sh --upgrade
acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.8.7

Cloudflare global key => OK
export CF_Key => OK
export CF_Email => OK

acme.sh --issue --dns dns_cf -d example.com --debug
Adding txt value: xxx
Adding record
Added, OK
Let's check each DNS record now. Sleep 20 seconds first.
Checking example.com for _acme-challenge.example.com
Not valid yet, let's wait 10 seconds and check next one.
Let's wait 10 seconds and check again.
Checking example.com for _acme-challenge.example.com
Not valid yet, let's wait 10 seconds and check next one.
...

I can see in debug output that there is a timeout with every attempt when requesting cloudflare dns:

Detect dns server first.
Use cloudflare doh server
GET
url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.api.example.com&type=TXT'
timeout=
_CURL='curl -L --silent --dump-header /home/root/.acme.sh/http.header  -g '
ret='0'
Not valid yet, let's wait 10 seconds and check next one.

The request https://cloudflare-dns.com/dns-query?name=_acme-challenge.api.example.com&type=TXT returns error 400

According to this page: https://developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/, 400 means "DNS query not specified or too small."

Maybe add a parameter to let the user choose a different DNS server, or have some automatic fallback mechanism?

Thanks

@auto-comment

auto-comment bot commented Jun 28, 2020

If this is a bug report, please upgrade to the latest code and try again:
If there is a bug, please first update to the latest version and try again:
acme.sh --upgrade
please also provide the log with --debug 2.
Please also provide the debug output with --debug 2
see: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Without --debug 2 log, your issue will NEVER get replied.
Without the debug output, your issue will not get any reply.

@x-Felix

x-Felix commented Jul 16, 2020

I experienced a similar issue recently. But actually the root cause was that I implemented DoH blocking on my home network. My DoH blocking was done through a PiHole DoH block list and EdgeRouter DoH server IP blocking. Whitelisting all acme.sh clients solved the issue.

@haohetao

Same problem, unable to request a certificate. The correct request should be:
curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=AAAA'
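The thread makes two points: the reporter asks for a selectable DNS server or an automatic fallback, and the last comment shows that the Cloudflare JSON endpoint needs the accept: application/dns-json header (without it the endpoint answers 400, which is what the debug log shows). The following Python example is added here to put both together; it is not acme.sh's code. It builds the DoH JSON query with that header, extracts the TXT values from the JSON answer, checks for the expected challenge token, and moves on to the next resolver when one fails instead of looping on it. The Google endpoint used as the fallback and the simulated_fetch helper are assumptions; the sample answer is constructed.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# DoH JSON endpoints. cloudflare-dns.com is the one in the report;
# dns.google/resolve is an assumed fallback that speaks the same JSON API.
DOH_SERVERS = [
    "https://cloudflare-dns.com/dns-query",
    "https://dns.google/resolve",
]


def build_request(server, name, rtype="TXT"):
    """Build a DoH JSON request for name/rtype.

    The 'accept: application/dns-json' header is what the request in the
    report was missing; without it cloudflare-dns.com answers HTTP 400.
    """
    url = f"{server}?name={urllib.parse.quote(name)}&type={rtype}"
    return urllib.request.Request(url, headers={"accept": "application/dns-json"})


def txt_values(doh_json):
    """Return the TXT strings in a DoH JSON answer with the quotes removed.

    TXT data comes back as one or more quoted segments ("abc" "def"); the
    segments of one record are joined. A missing Answer (e.g. Status 3,
    NXDOMAIN) simply yields no values.
    """
    values = []
    for rr in doh_json.get("Answer", []):
        if rr.get("type") != 16:  # 16 is the TXT record type
            continue
        data = rr.get("data", "")
        segments = re.findall(r'"((?:[^"\\]|\\.)*)"', data)
        values.append("".join(segments) if segments else data)
    return values


def challenge_is_visible(doh_json, expected):
    """True when the expected ACME challenge token is among the TXT values."""
    return expected in txt_values(doh_json)


def http_fetch(req, timeout=10):
    """Perform the request and return the body as text (needs network)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_with_fallback(name, expected, servers=DOH_SERVERS, fetch=http_fetch):
    """Ask each DoH server in turn whether the TXT record is visible.

    A server that answers with an HTTP error, times out or returns malformed
    JSON is skipped and the next one is tried. URLError/HTTPError and socket
    timeouts all derive from OSError; JSONDecodeError derives from ValueError.
    Returns (visible, server_that_answered); server is None if all failed.
    """
    for server in servers:
        try:
            answer = json.loads(fetch(build_request(server, name)))
        except (OSError, ValueError) as exc:
            print(f"{server}: {exc}; trying next server")
            continue
        return challenge_is_visible(answer, expected), server
    return False, None


# Constructed sample answer, shaped like the Cloudflare JSON format.
SAMPLE_ANSWER = {
    "Status": 0,
    "Question": [{"name": "_acme-challenge.example.com", "type": 16}],
    "Answer": [
        {"name": "_acme-challenge.example.com", "type": 16, "TTL": 120,
         "data": "\"constructed-challenge-token\""},
    ],
}


def simulated_fetch(req):
    """Constructed stand-in for http_fetch (hypothetical helper): the first
    server answers 400 as in the report, the fallback returns the sample."""
    if "cloudflare-dns.com" in req.full_url:
        raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", None, None)
    return json.dumps(SAMPLE_ANSWER)


if __name__ == "__main__":
    visible, server = check_with_fallback(
        "_acme-challenge.example.com", "constructed-challenge-token",
        fetch=simulated_fetch)
    print(f"visible={visible} via {server}")
```

Run as-is the script only exercises the simulated fetch; pass the default fetch (or call check_with_fallback without fetch=) to query the real resolvers. The point of the fallback is that a resolver that is unreachable, blocked (as in the PiHole case above) or rejecting the request is reported and skipped rather than polled forever.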

@Neilpang Neilpang closed this as completed Apr 4, 2021
@unmec unmec changed the title from "Unable to issue the cert with Cloudflare API. Possiblely Cloudflare DNS issue" to "Unable to issue the cert with Cloudflare API. Possibly Cloudflare DNS issue" Apr 8, 2021