acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0
37.52k stars, 4.83k forks

Cloudflare: Add TXT record fails with curl error 92 #4263

Open keg247 opened 1 year ago

keg247 commented 1 year ago

I'm testing the issuance of a wildcard cert using the cloudflare dns hook. I've set the api token and cloudflare email, and used the following command in a docker container:

acme.sh --issue --dns dns_cf -d "*.<domain>" --test --debug 2

This results in reading my DNS records and then attempting to add the TXT record. At that point, the process fails with a curl error 92.

Here is the relevant portion of the debug (with sensitive information redacted):

[Mon Aug 22 18:52:25 UTC 2022] Adding record
[Mon Aug 22 18:52:25 UTC 2022] zones/zone-id/dns_records
[Mon Aug 22 18:52:25 UTC 2022] data='{"type":"TXT","name":"_acme-challenge.domain","content":"07IzpB_RwNrw1-DL-XQTO7EjUosRVq9SzH9f-JaFTHs","ttl":120}'
[Mon Aug 22 18:52:25 UTC 2022] POST
[Mon Aug 22 18:52:25 UTC 2022] _post_url='https://api.cloudflare.com/client/v4/zones/zone-id/dns_records'
[Mon Aug 22 18:52:25 UTC 2022] body='{"type":"TXT","name":"_acme-challenge.domain","content":"07IzpB_RwNrw1-DL-XQTO7EjUosRVq9SzH9f-JaFTHs","ttl":120}'
[Mon Aug 22 18:52:25 UTC 2022] _postContentType
[Mon Aug 22 18:52:25 UTC 2022] Http already initialized.
[Mon Aug 22 18:52:25 UTC 2022] _CURL='curl --silent --dump-header /acme.sh/http.header -L --trace-ascii /tmp/tmp.zmZuiGIbTK '
[Mon Aug 22 18:52:25 UTC 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92

...[curl dump was here, now attached (curl-dump.txt)]...

[Mon Aug 22 18:52:25 UTC 2022] _ret='92'
[Mon Aug 22 18:52:25 UTC 2022] error zones/zone-id/dns_records
[Mon Aug 22 18:52:25 UTC 2022] Add txt record error.
[Mon Aug 22 18:52:25 UTC 2022] Error add txt for domain:_acme-challenge.domain
[Mon Aug 22 18:52:25 UTC 2022] _on_issue_err

If I try to add the record using curl from the shell command line in the docker container, the request succeeds. The following is the curl command:

curl -X POST "https://api.cloudflare.com/client/v4/zones/zone-id/dns_records" \
  -H "Authorization: Bearer token" \
  -H "Content-Type: application/json" \
  -d '{"type":"TXT","name":"_acme-challenge.domain","content":"07IzpB_RwNrw1-DL-XQTO7EjUosRVq9SzH9f-JaFTHs","ttl":120}'

Any idea why this fails when using acme.sh?

cenk1cenk2 commented 1 year ago

This is still the case for me, I can confirm this issue.

1trapbox commented 1 year ago

Add txt record error. https://github.com/acmesh-official/acme.sh/wiki/dnsapi

You should check your CF settings, and in the shell you should first type:

export CF_Key="xxxx"
export XX_XXX="xxxx"

Then the next steps of certificate issuance will begin.

thaindq commented 1 year ago

I'm having the same issue :(

Cloudflare token settings: (screenshot attached)

and these are specified:

CF_Token='xxxxxxxxxxxxxxxxxx'
CF_Account_ID='xxxxxxxxxxxxxxxxxx'
CF_Zone_ID='xxxxxxxxxxxxxxxxxx'

Edit: using curl directly as suggested by @keg247 worked. Curl dump log (from acme.sh) if it helps:

== Info:   Trying 104.19.192.29:443...
== Info: Connected to api.cloudflare.com (104.19.192.29) port 443 (#0)
== Info: ALPN: offers h2,http/1.1
=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
0000: ......mKzpx".R......O.1....S......1H.. lLT.w....@..(;~o?.c)...p.
0040: .....$..>.......,.0.........+./...$.(.k.#.'.g.....9.....3.....=.
0080: <.5./.....u.........api.cloudflare.com..........................
00c0: ...............h2.http/1.1.........1.....*.(....................
0100: .....................+............-.....3.&.$... .$....}...l."..
0140: .8.#..EjA.F.K...................................................
0180: ................................................................
01c0: ................................................................
== Info:  CAfile: /etc/ssl/certs/ca-certificates.crt
== Info:  CApath: none
<= Recv SSL data, 5 bytes (0x5)
0000: ....z
== Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 122 bytes (0x7a)
0000: ...v.....t.No...J....0<......&N.-..-]. lLT.w....@..(;~o?.c)...p.
0040: .....$.......3.$... ..k.u...p...~X.J.v....r.w...|..%.+....
<= Recv SSL data, 5 bytes (0x5)
0000: .....
<= Recv SSL data, 5 bytes (0x5)
0000: .....
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
<= Recv SSL data, 19 bytes (0x13)
0000: .................h2
== Info: TLSv1.3 (IN), TLS handshake, Certificate (11):
<= Recv SSL data, 2318 bytes (0x90e)
0000: ..........+0..'0...........K..cz.X...?..D80...*.H.=...0J1.0...U.
0040: ...US1.0...U....Cloudflare, Inc.1 0...U....Cloudflare Inc ECC CA
0080: -30...220519000000Z..230519235959Z0r1.0...U....US1.0...U....Cali
00c0: fornia1.0...U....San Francisco1.0...U....Cloudflare, Inc.1.0...U
0100: ....api.cloudflare.com0Y0...*.H.=....*.H.=....B....:.|.c...V....
0140: .Z.8.....~..vwu....f"^......N..qI@.1....6.1^m..6....k0..g0...U.#
0180: ..0.....7...u..g..E..$....0...U.........D..e@.....Y.aIR..03..U..
01c0: .,0*..api.cloudflare.com..*.api.cloudflare.com0...U...........0.
0200: ..U.%..0...+.........+.......0{..U...t0r07.5.3.1http://crl3.digi
0240: cert.com/CloudflareIncECCCA-3.crl07.5.3.1http://crl4.digicert.co
0280: m/CloudflareIncECCCA-3.crl0>..U. .70503..g.....0)0'..+.........h
02c0: ttp://www.digicert.com/CPS0v..+........j0h0$..+.....0...http://o
0300: csp.digicert.com0@..+.....0..4http://cacerts.digicert.com/Cloudf
0340: lareIncECCCA-3.crt0...U.......0.0..|..+.....y......l...h.f.u..>.
0380: .>..52.W(..k......k..i.w}m..n.............F0D. `..........*.*6..
03c0: .W.lS.N5.....'.. 2[..$.....z}.:.t.....a4.._...."M.u.5.....lW...L
0400: mB...' &Q.?.*....;.L.............F0D. Ak`u:.....n0..k..<.v".xcP.
0440: ...D... L.g..i...."..l...{.G..$Am.V....c.v..sw...P.c.......Jy-.g
0480: .......y6...............G0E. ]....U...........| p..(h'...)/...!.
04c0: ..T..m.n@.u.....B..GY.mc.#....Yg0...*.H.=....H.0E.!........X.w+.
0500: OF+P.........SM...o%. Zm...H..z.7......l./......ED...=.....0...0
0540: ...........7.d^_.."N.....<0...*.H........0Z1.0...U....IE1.0...U.
0580: ...Baltimore1.0...U....CyberTrust1"0 ..U....Baltimore CyberTrust
05c0:  Root0...200127124808Z..241231235959Z0J1.0...U....US1.0...U....C
0600: loudflare, Inc.1 0...U....Cloudflare Inc ECC CA-30Y0...*.H.=....
0640: *.H.=....B....Mf...F....*P..../4.}-...8.._...M.aF..s.$O....l.Qq/
0680: j.L..w.rb......h0..d0...U........7...u..g..E..$....0...U.#..0...
06c0: ..Y0.GX....T6.{:..M.0...U...........0...U.%..0...+.........+....
0700: ...0...U.......0.......04..+........(0&0$..+.....0...http://ocsp
0740: .digicert.com0:..U...3010/.-.+.)http://crl3.digicert.com/Omniroo
0780: t2025.crl0m..U. .f0d07..`.H...l..0*0(..+.........https://www.dig
07c0: icert.com/CPS0...`.H...l..0...g.....0...g.....0...g.....0...*.H.
0800: .............$....*.....9M^kW..W...1.W.e...D8Zw....B.....E'..G,h
0840: .V.ST...@.......8HlP,I..[d...H0.....I"....^..... .Vl....z..7..I.
0880: .+.t9......WX`O.....F{41>MG..:...]..M.n...$.2%].xQ.=.5#./eo...C.
08c0: ...1gY'.k.u...$$..)..#...r?...$DSz..ae.L..H..uc..pER....E...1.~.
0900: ...>..<^t.....
== Info: TLSv1.3 (IN), TLS handshake, CERT verify (15):
<= Recv SSL data, 80 bytes (0x50)
0000: ...L...H0F.!..."....0............~c.P.5%A.)LI.!......V...@.&]]9.
0040: @...H.C|.F..l...
== Info: TLSv1.3 (IN), TLS handshake, Finished (20):
<= Recv SSL data, 52 bytes (0x34)
0000: ...0..e....H.....D}w...gW.j$..Bb.3......u=...;.i....
=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
=> Send SSL data, 1 bytes (0x1)
0000: .
=> Send SSL data, 5 bytes (0x5)
0000: ....E
=> Send SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (OUT), TLS handshake, Finished (20):
=> Send SSL data, 52 bytes (0x34)
0000: ...0.Y..g...;y....I......."Lc...5U.|.K.....?...+....
== Info: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
== Info: ALPN: server accepted h2
== Info: Server certificate:
== Info:  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=api.cloudflare.com
== Info:  start date: May 19 00:00:00 2022 GMT
== Info:  expire date: May 19 23:59:59 2023 GMT
== Info:  subjectAltName: host "api.cloudflare.com" matched cert's "api.cloudflare.com"
== Info:  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
== Info:  SSL certificate verify ok.
=> Send SSL data, 5 bytes (0x5)
0000: ....Q
=> Send SSL data, 1 bytes (0x1)
0000: .
== Info: using HTTP/2
== Info: h2h3 [:method: POST]
== Info: h2h3 [:path: /client/v4/zones/xxxxxxxxxxxxxxxxxxxxx/dns_records]
== Info: h2h3 [:scheme: https]
== Info: h2h3 [:authority: api.cloudflare.com]
== Info: h2h3 [user-agent: acme.sh/3.0.6 (https://github.com/acmesh-official/acme.sh)]
== Info: h2h3 [accept: */*]
== Info: h2h3 [content-type: application/json]
== Info: h2h3 [authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxx]
== Info: h2h3 [
content-length: 116]
== Info: Using Stream ID: 1 (easy handle 0x7f9faa604550)
=> Send SSL data, 5 bytes (0x5)
0000: .....
=> Send SSL data, 1 bytes (0x1)
0000: .
=> Send header, 306 bytes (0x132)
0000: POST /client/v4/zones/xxxxxxxxxxxxxxxxxxxxx/dns_recor
0040: ds HTTP/2
004b: Host: api.cloudflare.com
0065: user-agent: acme.sh/3.0.6 (https://github.com/acmesh-official/ac
00a5: me.sh)
00ad: accept: */*
00ba: content-type: application/json
00da: authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxx
011b: content-length: 116
0130: 
=> Send SSL data, 5 bytes (0x5)
0000: .....
=> Send SSL data, 1 bytes (0x1)
0000: .
=> Send data, 116 bytes (0x74)
0000: {"type":"TXT","name":"_acme-challenge.xxxxxxxxxx","content":"L7Q
0040: Yi9zC7IdZD69GIXXvLWCp8V-iwVBMT0nG6wvEHVw","ttl":120}
== Info: We are completely uploaded and fine
<= Recv SSL data, 5 bytes (0x5)
0000: .....
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
<= Recv SSL data, 238 bytes (0xee)
0000: ....... 6XH.........,....l.I.g..a#.s2u..n.....dr.-e.v..[F.`.....
0040: n.]..f..&@..4C$&...0../\........a~.....bg..Gj.r.......:nF ......
0080: ?}.....^u{..q.%>...O]..x..*........q.0]..b.#..y....t3eG...x..().
00c0: %..,...o.....!...i}M k)....r!......*....8.....
== Info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
<= Recv SSL data, 238 bytes (0xee)
0000: ....... .l.2........,....l.I.g..0..r.Z....L.U.8w.....:rO.,.8@c..
0040: .....2..FZ...N..?F.q.b.....f..63.......^........_.P.. ..AAT.0..h
0080: 3...0....Ih...P..}.._.._...A...E.M;h..D7s.0...D..s..T..yigq..e.1
00c0: 7ug.G..[...Y.K...B...`......i......*....8.....
== Info: old SSL session ID is stale, removing
<= Recv SSL data, 5 bytes (0x5)
0000: ....O
<= Recv SSL data, 1 bytes (0x1)
0000: .
=> Send SSL data, 5 bytes (0x5)
0000: .....
=> Send SSL data, 1 bytes (0x1)
0000: .
== Info: HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
== Info: Connection #0 to host api.cloudflare.com left intact

Edit 2: I tried to switch to wget and got this instead

[Sun Mar 19 10:43:12 UTC 2023] Getting domain auth token for each domain
[Sun Mar 19 10:43:12 UTC 2023] Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: 1
[Sun Mar 19 10:43:12 UTC 2023] Could not get nonce, let's try again.

@Neilpang: do you have any suggestion?

ajmassi commented 1 year ago

Was encountering the same error - I resolved by using either CF_Account_ID or CF_Email, and getting rid of CF_Zone_ID. This was also for a token with a restricted zone and DNS:Edit. Have not gotten a chance to look into why CF_Zone_ID is causing an issue, but hope this helps!
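The direct-curl check keg247 used, and the CF_Token / CF_Zone_ID variables from the later comments, as an added diagnostic script. This is an example written for this page, not acme.sh's own code or the dns_cf hook: the function names, the response parsing, and the sample API responses in the comments are this example's own assumptions; only the request shape (POST to /client/v4/zones/<zone>/dns_records with a TXT body and ttl 120) and the variable names come from the thread. It separates the two failure modes seen above: a curl transport failure (exit status 92 is CURLE_HTTP2_STREAM, "Stream error in the HTTP/2 framing layer", so no API response exists to read) from an API-level rejection, which comes back as a normal response with "success":false and an "errors" array. When it sees exit 92 it retries the same request with --http1.1, which tells you whether the HTTP/2 framing is the problem rather than the token or the zone.

```shell
#!/bin/sh
# Added diagnostic for this thread (not part of acme.sh). Reproduces the
# dns_cf TXT POST outside acme.sh and classifies the result so that a curl
# transport error (exit 92 = CURLE_HTTP2_STREAM) is not confused with a
# Cloudflare API rejection ("success":false plus an "errors" array).
# Function names, parsing and sample data below are this example's own.

# Build the JSON body the thread shows acme.sh sending (type TXT, ttl 120).
cf_txt_payload() {
    name=$1; content=$2; ttl=${3:-120}
    if [ -z "$name" ] || [ -z "$content" ]; then
        echo "cf_txt_payload: name and content are required" >&2
        return 1
    fi
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":%s}' "$name" "$content" "$ttl"
}

# Classify one curl call.  $1 = curl exit status, $2 = response body.
# Prints exactly one of:
#   transport-error:<curl exit code>   (no API response was received)
#   api-ok                             ("success":true)
#   api-error:<code> <message>         (first entry of the "errors" array)
cf_classify_response() {
    status=$1; body=$2
    if [ "$status" -ne 0 ]; then
        printf 'transport-error:%s\n' "$status"
        return 0
    fi
    if printf '%s' "$body" | grep -q '"success":[[:space:]]*true'; then
        echo api-ok
        return 0
    fi
    # Pull the first {code,message} pair out of "errors". A deliberately small
    # sed pattern for Cloudflare's compact v4 error format, not a JSON parser.
    err=$(printf '%s' "$body" | sed -n \
        's/.*"errors":[[:space:]]*\[[[:space:]]*{[[:space:]]*"code":[[:space:]]*\([0-9]*\),[[:space:]]*"message":[[:space:]]*"\([^"]*\)".*/\1 \2/p')
    printf 'api-error:%s\n' "${err:-unparsed body}"
}

# POST the record with the same headers keg247 used. CF_Token is the variable
# name from the thread. $4 may be "--http1.1" to bypass the HTTP/2 framing layer.
cf_add_txt() {
    zone=$1; name=$2; content=$3; proto=${4:-}
    body=$(cf_txt_payload "$name" "$content") || return 1
    rc=0
    resp=$(curl --silent --show-error $proto \
        -X POST "https://api.cloudflare.com/client/v4/zones/$zone/dns_records" \
        -H "Authorization: Bearer $CF_Token" \
        -H "Content-Type: application/json" \
        --data "$body") || rc=$?
    cf_classify_response "$rc" "$resp"
}

# Only talks to the network when invoked directly with credentials, e.g.
#   CF_Token=... CF_Zone_ID=... sh cf_txt_check.sh _acme-challenge.example.com <value>
if [ "$#" -eq 2 ] && [ -n "${CF_Token:-}" ] && [ -n "${CF_Zone_ID:-}" ]; then
    out=$(cf_add_txt "$CF_Zone_ID" "$1" "$2")
    echo "default (HTTP/2 if negotiated): $out"
    case $out in
        transport-error:92)
            echo "retry with --http1.1: $(cf_add_txt "$CF_Zone_ID" "$1" "$2" --http1.1)" ;;
    esac
fi
```

If the HTTP/1.1 retry returns api-ok while the default run reports transport-error:92, the token and zone are fine and the problem is in the HTTP/2 exchange, which is what the PROTOCOL_ERROR line in the attached trace points at. If both runs return api-error, read the code and message: that is a permissions or configuration problem on the Cloudflare side, not a curl problem.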