7sDream / certbot-dns-challenge-cloudflare-hooks

Simple scripts I use to auto renew my Let's encrypt wildcard SSL cert.

subdomain error "No route for that URI" #1

Open grasmanek94 opened 5 years ago

grasmanek94 commented 5 years ago
> uname -a
Linux HOSTNAME 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
> lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.7 (stretch)
Release:        9.7
Codename:       stretch
Running manual-auth-hook command: /etc/letsencrypt/certbot-dns-challenge-cloudflare-hooks/cloudflare-update-dns.sh
Output from manual-auth-hook command cloudflare-update-dns.sh:
CHALLENGE_DOMAIN: _acme-challenge.subdomain.example.com
CHALLENGE_VALUE: ***
DNS_SERVER: 8.8.8.8
ZONE: null
Add record result: false,"Could not route to /zones/null/dns_records, perhaps your object identifier is invalid?","No route for that URI"
Add record failed, exit

manual-auth-hook command "/etc/letsencrypt/certbot-dns-challenge-cloudflare-hooks/cloudflare-update-dns.sh" returned error code 1
Running manual-auth-hook command: /etc/letsencrypt/certbot-dns-challenge-cloudflare-hooks/cloudflare-update-dns.sh
Output from manual-auth-hook command cloudflare-update-dns.sh:
CHALLENGE_DOMAIN: _acme-challenge.example.com
CHALLENGE_VALUE: ***
DNS_SERVER: 8.8.8.8
ZONE: ***
Add record result: true
DNS records have not been propagate, sleep 10s...
DNS record have been propagated, finish

Waiting for verification...
Challenge failed for domain subdomain.example.com
dns-01 challenge for subdomain.example.com
Cleaning up challenges

It seems to work for example.com but not for subdomain.example.com, any tips?

CF response for the URL https://api.cloudflare.com/client/v4/zones?name=subdomain.example.com:

{"result":[],"result_info":{"page":1,"per_page":20,"total_pages":0,"count":0,"total_count":0},"success":true,"errors":[],"messages":[]}

After I forcefully put in my CLOUDFLARE_ZONE and removed the code that determines the zone, it seems to proceed but then stalls at "DNS records have not been propagate, sleep 10s...".

I suspect the root domain must be extracted and then the ACME challenge constructed as _acme-challenge.subdomain? A manual renewal then succeeds (I changed the DNS record manually from _acme-challenge to _acme-challenge.subdomain while renewing).

7sDream commented 5 years ago

The reason is that I'm using a wildcard SSL certificate for all my subdomains, so I didn't notice the _acme-challenge.subdomain challenge format when writing this little script.

As the readme said:

Simple scripts I use to auto renew my Let's encrypt wildcard SSL cert.

But using acme.sh is always recommended.


So, you can fork and modify this script as you like to meet your needs.

But I am also VERY happy to receive PRs as long as they don't break my original needs :)

Happy hacking.

😆

7sDream commented 5 years ago

Closed due to inactivity.

7sDream commented 4 years ago

@grasmanek94

May be fixed by PR #2; you can try it again if you want.

tobor88 commented 2 years ago

I use a wildcard certificate as well and think I had this same issue. As mentioned in the README you need to generate your certificate through certbot first. That places the _acme-challenge DNS record in your registrar. If you did not do that then you will not be able to get the CHALLENGE_RESPONSE value and it will return as null. I already had a wildcard certificate generated that was expiring. I used this tool https://github.com/joohoi/acme-dns-certbot-joohoi/blob/master/acme-dns-auth.py to get a new value for the DNS challenge. Then I set up these scripts in my crontab for autorenewals.

I was going to open an issue but it is likely covering this as well. The API headers are outdated. An example from the Cloudflare site to authenticate to the API is below.

curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" -H "Authorization: Bearer ${CLOUDFLARE_KEY}" -H "Content-Type:application/json"

Thanks for this awesome script. Saved me a ton of time I am sure.
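The zone lookup that the first post and the curl above circle around, as an added Python example (not code from this repo or its shell script): it assumes the GET /zones?name= endpoint shown in the first post and the Bearer token header from the curl command, walks up the labels until Cloudflare returns a zone instead of stopping at the empty result for subdomain.example.com, and uses a constructed fake lookup so it runs offline.

```python
"""Find the Cloudflare zone for an ACME challenge name by walking up its labels.

Added example, not the repo's own code. Cloudflare only answers
GET /zones?name=<name> for the zone apex, so querying the full host
(subdomain.example.com) yields result: [] and the hook ends up with ZONE: null
and a call to /zones/null/dns_records ("No route for that URI").
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

API = "https://api.cloudflare.com/client/v4"  # assumed base URL, as in the thread


def cloudflare_zone_lookup(token: str) -> Callable[[str], dict]:
    """Build a real lookup using the Bearer header form recommended in the thread."""
    def lookup(name: str) -> dict:
        req = urllib.request.Request(
            f"{API}/zones?name={name}",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return lookup


def candidate_zones(challenge_domain: str) -> List[str]:
    """_acme-challenge.sub.example.com -> ["sub.example.com", "example.com"].
    The _acme-challenge label is dropped; a bare TLD is never a zone."""
    labels = challenge_domain.rstrip(".").split(".")
    if labels and labels[0] == "_acme-challenge":
        labels = labels[1:]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_zone(challenge_domain: str, lookup: Callable[[str], dict]) -> Optional[dict]:
    """Return {"id", "name"} of the first zone Cloudflare knows, else None.
    A None here must make the hook exit non-zero instead of posting to zones/null.
    The TXT record itself is then created with the full challenge_domain as name."""
    for name in candidate_zones(challenge_domain):
        body = lookup(name)
        if body.get("success") and body.get("result"):
            zone = body["result"][0]
            return {"id": zone["id"], "name": zone["name"]}
    return None


# Constructed responses (placeholder zone id) mirroring the thread's observation.
CONSTRUCTED: Dict[str, dict] = {
    "subdomain.example.com": {"result": [], "success": True, "errors": [], "messages": []},
    "example.com": {"result": [{"id": "ZONE_ID_PLACEHOLDER", "name": "example.com"}],
                    "success": True, "errors": [], "messages": []},
}


def fake_lookup(name: str) -> dict:
    """Offline stand-in for cloudflare_zone_lookup(token)."""
    return CONSTRUCTED.get(name, {"result": [], "success": True})
```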