nodecraft / acme-dns-01-cloudflare

Cloudflare DNS for Let's Encrypt / ACME dns-01 challenges with Greenlock.js and ACME.js
MIT License

Log errors when applying for certificates (Cloudflare) #17

Open Paul-Reed opened 4 years ago

Paul-Reed commented 4 years ago

A colleague has kindly written a node-RED node which uses Acme, and acme-dns-01-cloudflare to auto install certificates for the node-RED community. We are having some problems and your help would be very much appreciated.

When the cert application is made, we are getting error messages despite the cert renewal being successful.

8 Jun 14:09:27 - [info] [acme-client:Certificate Management] Acme certificate_order message =  status =
8 Jun 14:09:29 - [info] [acme-client:Certificate Management] Acme challenge_select message =  status =
8 Jun 14:09:29 - [info] [acme-client:Certificate Management] Acme _challenge_select message =  status =
DNS not propagated yet for _greenlock-dryrun-172cefb6.testsub.digitalnut.co.uk. Checking again in 10000ms. (Attempt 1 / 30)
8 Jun 14:09:55 - [info] [acme-client:Certificate Management] Acme challenge_status message =  status = pending
8 Jun 14:09:57 - [info] [acme-client:Certificate Management] Acme challenge_status message =  status = valid
8 Jun 14:09:58 - [info] [acme-client:Certificate Management] Acme certificate_status message =  status = valid
DNS not propagated yet for _greenlock-dryrun-172cefb6.testsub.digitalnut.co.uk. Checking again in 10000ms. (Attempt 2 / 30)
8 Jun 14:09:58 - [info] [acme-client:Certificate Management] Acme client has stored the new certificate into /home/opc/.node-red/cert.pem
DNS not propagated yet for _greenlock-dryrun-172cefb6.testsub.digitalnut.co.uk. Checking again in 10000ms. (Attempt 3 / 30)
DNS not propagated yet for _acme-challenge.testsub.digitalnut.co.uk. Checking again in 10000ms. (Attempt 1 / 30)
DNS not propagated yet for _greenlock-dryrun-172cefb6.testsub.digitalnut.co.uk. Checking again in 10000ms. (Attempt 4 / 30)
DNS not propagated yet for _acme-challenge.testsub.digitalnut.co.uk. Checking again in 10000ms. (Attempt 2 / 30)
DNS not propagated yet for _greenlock-dryrun-172cefb6.testsub.digitalnut.co.uk. Checking again in 10000ms. (Attempt 5 / 30)
DNS not propagated yet for _acme-challenge.testsub.digitalnut.co.uk. Checking again in 10000ms. (Attempt 3 / 30)

// and continues up to 30/30 before the final line added -

8 Jun 14:15:18 - [error] [acme-client:Certificate Management] Acme error message = Could not verify challenge for '_acme-challenge.testsub.digitalnut.co.uk'. status =

The Cloudflare token has the correct permissions (as per your readme), and your plugin is used with the following settings;

    case "cloudflare":
        dns01Challenge = require('acme-dns-01-cloudflare').create({
            token: node.dnsToken,
            verifyPropagation: true,
            verbose: true,
            retries: 5, // number of propagation retries
            waitFor: 20000 // delay between retries
        });

Any ideas why we are getting these errors?

Cherry commented 4 years ago

Hey, thanks for the report. It's exciting to see this in use in node-RED!

As for the errors you're seeing, these are the result of DNS propagation not working. The plugin (when verifyPropagation is set) will verify propagation of both created and deleted records. If the cert renewal is successful but you're still seeing the errors, it's possible that the propagation for the record deletion simply hasn't propagated yet.

However, the [error] [acme-client:Certificate Management] Acme error message = Could not verify challenge for '_acme-challenge.testsub.digitalnut.co.uk'. status = message is coming directly from acme, which would imply the cert generation really wasn't successful - are you certain the renewal is happening for all certs?

Re: propagation issues, there's not much we can do about this besides some generic DNS suggestions as in https://github.com/nodecraft/acme-dns-01-cloudflare/issues/7. There's also some discussion in https://github.com/nodecraft/acme-dns-01-cloudflare/issues/9 about whether it's even worth waiting for the record deletion, but we haven't come to a conclusion there yet.

If there's any further info you can provide, that'd be really helpful.

Paul-Reed commented 4 years ago

Thanks James. I am already using Cloudflare's 1.1.1.1 public DNS. Sure enough, removing verifyPropagation stops that error from being displayed, but what I don't understand is that the DNS TXT entry is removed as soon as the certificate has been issued (looking at my Cloudflare dashboard), so acme is never going to find an entry to verify?

Also, yes, I can confirm that a fresh working certificate is issued each time, see https://testsub.digitalnut.co.uk:2086/ but the error still persists: [error] [acme-client:Certificate Management] Acme error message = Could not verify challenge for '_acme-challenge.testsub.digitalnut.co.uk'. status =

So not sure where to go with that.

Cherry commented 4 years ago

Thanks Paul. With the verification step on deletion, the script explicitly checks if the record no longer exists. When creating, it of course checks if the record exists and matches what is expected. This can be seen in https://github.com/nodecraft/acme-dns-01-cloudflare/blob/a59961b5d5f0cc516a739f6ce63f5bc1b7f24072/index.js#L194

The status = log being blank is very odd, and not something I can replicate on my end strangely. That log is coming from something upstream though, and not directly this module. Let me see if I can get any more information here.
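A propagation check along the lines Cherry describes in the two replies above (value visible after a create, gone after a delete), as an added example that is not the plugin's own code. The resolver is injected so it runs offline against a constructed fake; for real lookups pass require('dns').promises.resolveTxt. The retries and waitFor option names mirror the settings Paul quoted and the log line mimics the issue's output, but both are assumptions here.

```javascript
// Added example, not the plugin's own code: the two checks described in the
// thread (value visible after a create, gone after a delete). The resolver is
// injected so this runs offline; for real lookups pass require('dns').promises.resolveTxt.

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// name:       the challenge record, e.g. '_acme-challenge.example.test'
// value:      the TXT value that was created or deleted
// mustExist:  true after a create, false after a delete
// resolveTxt: async (name) => string[][], same shape as dns.promises.resolveTxt
async function verifyPropagation(name, value, mustExist, resolveTxt, opts = {}) {
  const retries = opts.retries ?? 30;
  const waitFor = opts.waitFor ?? 10000;
  const log = opts.log ?? (() => {});
  for (let attempt = 1; attempt <= retries; attempt++) {
    let values = [];
    try {
      // Each TXT record arrives as an array of chunks; join them into one string.
      values = (await resolveTxt(name)).map((chunks) => chunks.join(''));
    } catch (err) {
      // "No such record" is not a resolver failure; for a deletion check it is
      // exactly the outcome being waited for. Any other error is propagated.
      if (err.code !== 'ENOTFOUND' && err.code !== 'ENODATA') throw err;
    }
    // Compare the specific value: several _acme-challenge records can coexist during a multi-name order.
    const present = values.includes(value);
    if (present === mustExist) return { ok: true, attempts: attempt };
    if (attempt < retries) {
      log(`DNS not propagated yet for ${name}. Checking again in ${waitFor}ms. (Attempt ${attempt} / ${retries})`);
      await sleep(waitFor);
    }
  }
  // The caller decides whether exhaustion is fatal; after a delete it usually is not.
  return { ok: false, attempts: retries };
}

// Constructed resolver for stand-alone runs: replays the given answers in order
// (an Error is thrown, an array is returned) and repeats the last one after that.
function fakeResolver(answers) {
  let i = 0;
  return async () => {
    const answer = answers[Math.min(i++, answers.length - 1)];
    if (answer instanceof Error) throw answer;
    return answer;
  };
}

// Demo: constructed lookups where the record appears on the third try.
const notFound = Object.assign(new Error('queryTxt ENOTFOUND'), { code: 'ENOTFOUND' });
verifyPropagation('_acme-challenge.example.test', 'tok', true, fakeResolver([notFound, notFound, [['tok']]]), { retries: 5, waitFor: 0, log: console.log }).then(console.log);
```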