Closed jb773 closed 1 year ago
I'm not able to reproduce it.
@jb773 can you confirm this is occurring every time, or it is transient?
Using configuration:
certfile: test-fullchain.pem
keyfile: test-privkey.pem
dns:
  provider: cloudflare
  cloudflare_auth_username: cloudflare.com@s.example.com
  cloudflare_auth_token: 44bfa8f4257b116a774424de18c08179
domains:
  - test001.example.com *.test001.example.com
  - test002.example.com
email: user@example.com
updatedelay: 30
I get
Manage certificate from Let's Encrypt using Lexicon DNS
-----------------------------------------------------------
Add-on version: 3.0.2
You are running the latest version of this add-on.
System: Home Assistant OS 9.5 (amd64 / qemux86-64)
Home Assistant Core: 2023.3.4
Home Assistant Supervisor: 2023.03.1
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
cont-init: info: /etc/cont-init.d/00-banner.sh exited 0
cont-init: info: running /etc/cont-init.d/01-log-level.sh
cont-init: info: /etc/cont-init.d/01-log-level.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun certificates (no readiness notification)
s6-rc: info: service legacy-services successfully started
[13:05:07] INFO: Starting Certificate Refresh...
[13:05:07] INFO: Seconds between each refresh is set to: 86400
[13:05:07] INFO: Set cloudflare_auth_token
[13:05:07] INFO: Set cloudflare_auth_username
[13:05:14] INFO: [test001_example_au]: test001.example.com *.test001.example.com
[13:05:14] INFO: [test002_example_au]: test002.example.com
[13:05:14] INFO: Requesting domains from LetsEncrypt
# Home Assistant Domains
# Provider: cloudflare
test001.example.com *.test001.example.com > test001_example_au
test002.example.com > test002_example_au
# END Home Assistant Domains
# INFO: Using main config file /etc/dehydrated/config
Processing test001.example.com with alternative names: *.test001.example.com
+ Creating new directory /ssl/test001_example_au ...
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for test001.example.com
+ Handling authorization for test001.example.com
+ 2 pending challenge(s)
+ Deploying challenge tokens...
deploy_challenge called: test001.example.com, VGqVmAeebGR2OokBk0QCVPsoD2Hx41-YbIGQem5KyAs, CD8_YCNm9S-5EMvFf4pwhEqwUX3W6_huEGAxj9JbgGw
RESULT
------
True
30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
deploy_challenge called: test001.example.com, kS2quHMX2A4yXTDi0mbSDkSGKu15WZJ7dysIsv4rv9k, lb8fAYfF6N_tH6usb0vTvWLExWCwSOH5tq5F_du7teo
RESULT
------
True
30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
+ Responding to challenge for test001.example.com authorization...
+ Challenge is valid!
+ Responding to challenge for test001.example.com authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
clean_challenge called: test001.example.com, VGqVmAeebGR2OokBk0QCVPsoD2Hx41-YbIGQem5KyAs, CD8_YCNm9S-5EMvFf4pwhEqwUX3W6_huEGAxj9JbgGw
RESULT
------
True
clean_challenge called: test001.example.com, kS2quHMX2A4yXTDi0mbSDkSGKu15WZJ7dysIsv4rv9k, lb8fAYfF6N_tH6usb0vTvWLExWCwSOH5tq5F_du7teo
RESULT
------
True
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
deploy_cert called: test001.example.com, /ssl/test001_example_au/privkey.pem, /ssl/test001_example_au/cert.pem, /ssl/test001_example_au/fullchain.pem, /ssl/test001_example_au/chain.pem
+ Done!
Processing test002.example.com
+ Creating new directory /ssl/test002_example_au ...
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for test002.example.com
+ 1 pending challenge(s)
+ Deploying challenge tokens...
deploy_challenge called: test002.example.com, Qc2TNuFTYmPaNtw8RL3PYAhh1p6d3INJyFFpZv_qtMc, VeVOS4yMIjwv_DHSJdjENtMHCTiWIDvjyn2uLFeoRV8
RESULT
------
True
30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
+ Responding to challenge for test002.example.com authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
clean_challenge called: test002.example.com, Qc2TNuFTYmPaNtw8RL3PYAhh1p6d3INJyFFpZv_qtMc, VeVOS4yMIjwv_DHSJdjENtMHCTiWIDvjyn2uLFeoRV8
RESULT
------
True
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
deploy_cert called: test002.example.com, /ssl/test002_example_au/privkey.pem, /ssl/test002_example_au/cert.pem, /ssl/test002_example_au/fullchain.pem, /ssl/test002_example_au/chain.pem
+ Done!
[13:07:43] INFO: Copying domains and keys
[13:07:43] INFO: Cleaning Up
# INFO: Using main config file /etc/dehydrated/config
[13:07:43] INFO: Certificates refreshed at @ 13:07:43
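The three fields on each "deploy_challenge called:" line in the log above, and the two calls that both name test001.example.com, are dehydrated's DNS-01 flow: one authorization for the base name and one for the wildcard. The following is an added example (not code from dehydrated, lexicon, or this add-on) that computes the TXT record an ACME DNS-01 challenge needs per RFC 8555 section 8.4 and shows why the base name and its wildcard land on a single owner name. The JWK and the challenge tokens are constructed; reading the hook's three arguments as (domain, challenge token, key-authorization digest) is an assumption drawn from the log format.

```python
"""Added example: the DNS-01 record behind dehydrated's deploy_challenge call.

RFC 8555 s8.4:  _acme-challenge.<identifier>  TXT  base64url(SHA-256(token "." thumbprint))
where thumbprint is the RFC 7638 JWK thumbprint of the ACME account key.
Assumption: the hook's three arguments are (domain, token, that digest).
The account key below is constructed for illustration and is not a real key.
"""
import base64
import hashlib
import json
from typing import Dict, Set


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over only the required members, keys sorted, no whitespace."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """A wildcard identifier validates at the same owner name as its base name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """The TXT value is the digest of the key authorization, not the token itself."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


# Constructed sample input: not a real account key and not real challenge tokens.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_TOKENS = {
    "test001.example.com": "tokenForBaseName",
    "*.test001.example.com": "tokenForWildcard",
}


def planned_records(jwk: Dict[str, str], tokens: Dict[str, str]) -> Dict[str, Set[str]]:
    """Group TXT values by owner name: two authorizations, one name, two records.

    This is why a DNS hook must add a record rather than overwrite the name, and
    why clean_challenge has to delete only the value it created.
    """
    thumb = jwk_thumbprint(jwk)
    records: Dict[str, Set[str]] = {}
    for identifier, token in tokens.items():
        records.setdefault(dns01_record_name(identifier), set()).add(dns01_txt_value(token, thumb))
    return records


if __name__ == "__main__":
    for name, values in planned_records(SAMPLE_JWK, SAMPLE_TOKENS).items():
        for value in sorted(values):
            print(f"{name}  TXT  {value}")
```

The practical consequence for a DNS provider hook is visible in the log: both deploy_challenge calls for test001.example.com must leave their own TXT record under _acme-challenge.test001.example.com at the same time, and each clean_challenge call must remove only its own value.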
OK, so the good news is that I fixed my configuration. I did not realize that in Home Assistant you have to go to "Edit in YAML" to access the full configuration file. I had the DNS section nested underneath an existing DNS section since I was editing it in the default view. I also had the provider as "dns-cloudflare" instead of "cloudflare". So now I went to Edit in YAML and my configuration looks like yours. That part works fine.
The issue now is that I am getting a new error. Please see my configuration and the error:
certfile: fullchain.pem
dns:
  provider: cloudflare
  cloudflare_auth_username: me@gmail.com
  cloudflare_auth_token: [redacted]
domains:
  - mydomain.com
email: me@gmail.com
keyfile: privkey.pem
updatedelay: 30
deploy_challenge called: mydomain.com, [redacted], [redacted]
Traceback (most recent call last):
File "/usr/local/bin/lexicon", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.10/site-packages/lexicon/cli.py", line 131, in main
results = client.execute()
File "/usr/local/lib/python3.10/site-packages/lexicon/client.py", line 81, in execute
self.provider.authenticate()
File "/usr/local/lib/python3.10/site-packages/lexicon/providers/base.py", line 73, in authenticate
self._authenticate()
File "/usr/local/lib/python3.10/site-packages/lexicon/providers/cloudflare.py", line 48, in _authenticate
payload = self._get("/zones", {"name": self.domain, "status": "active"})
File "/usr/local/lib/python3.10/site-packages/lexicon/providers/base.py", line 173, in _get
return self._request("GET", url, query_params=query_params)
File "/usr/local/lib/python3.10/site-packages/lexicon/providers/cloudflare.py", line 204, in _request
response.raise_for_status()
File "/usr/local/lib/python3.10/site-packages/requests/models.py", line 1021, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api.cloudflare.com/client/v4/zones?name=mydomain.com&status=active
ERROR: deploy_challenge hook returned with non-zero exit code
[09:19:12] WARNING: certificate refresh crashed, halting add-on
s6-rc: info: service legacy-services: stopping
[09:19:12] INFO: certificate refresh stoped, restarting...
[09:19:12] INFO: certificate refresh stoped, restarting...
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
Fixed it. This ultimately was a configuration issue. My Cloudflare token was a scoped API token and apparently Lexicon requires the zone ID and the Auth token. My issue was that I was using the username and the Auth token. Once I got rid of the username and added the zone ID, it started working!
Thanks again for this beautiful add-on, such a great way to get Let's Encrypt working without opening ports for it!
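The fix above turns on which of Cloudflare's two credential types is in play: the account-wide Global API Key (sent with the account e-mail) or a scoped API token (sent on its own, ideally with the zone ID). Below is an added example, not code from the add-on or from lexicon, that lints a dns: block for the two mistakes in this thread and reports which auth scheme the resulting lexicon call would use. It assumes that lexicon's Cloudflare provider sends X-Auth-Email/X-Auth-Key when both username and token are set and Authorization: Bearer when only the token is set, skipping the /zones?name= lookup when a zone ID is given; that the add-on exposes the zone as cloudflare_zone_id; and, as a heuristic only, that Global API Keys are 37 hex characters while API tokens are 40 characters. All credential values in the test are constructed.

```python
"""Added example: lint a Home Assistant letsencrypt `dns:` block for Cloudflare.

Assumptions (not verified against the add-on or lexicon source):
  * lexicon's cloudflare provider uses X-Auth-Email/X-Auth-Key when BOTH
    auth_username and auth_token are set, and `Authorization: Bearer` when
    only auth_token is set; with zone_id set it skips GET /zones?name=...
  * the add-on forwards `cloudflare_zone_id` as lexicon's zone_id.
  * heuristic: a Global API Key is 37 lowercase hex chars, an API token is
    40 chars from [A-Za-z0-9_-].
"""
import re
from typing import Dict, List

GLOBAL_KEY_RE = re.compile(r"[0-9a-f]{37}")
API_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{40}")


def auth_plan(dns: Dict[str, str]) -> Dict[str, object]:
    """Headers and first API call that lexicon would make for this block (assumed behaviour)."""
    user = dns.get("cloudflare_auth_username")
    token = dns.get("cloudflare_auth_token")
    zone_id = dns.get("cloudflare_zone_id")
    headers = {"Content-Type": "application/json"}
    if user and token:
        scheme = "global_key"           # legacy account-wide key
        headers["X-Auth-Email"] = user
        headers["X-Auth-Key"] = token
    elif token:
        scheme = "api_token"            # scoped bearer token
        headers["Authorization"] = f"Bearer {token}"
    else:
        scheme = "none"
    first_call = f"GET /zones/{zone_id}" if zone_id else "GET /zones?name=<domain>&status=active"
    return {"scheme": scheme, "headers": headers, "first_call": first_call}


def lint_dns_config(dns: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the block looks sane."""
    problems: List[str] = []
    provider = dns.get("provider")
    if provider != "cloudflare":
        # first mistake in the thread: "dns-cloudflare" is not a lexicon provider name
        problems.append(f'provider must be "cloudflare", not {provider!r}')
    user = dns.get("cloudflare_auth_username")
    token = dns.get("cloudflare_auth_token")
    zone_id = dns.get("cloudflare_zone_id")
    if not token:
        problems.append("cloudflare_auth_token is missing")
        return problems
    if user:
        # second mistake in the thread: username + token selects the Global API Key
        # path, so a scoped API token in that slot is sent in the wrong header
        if API_TOKEN_RE.fullmatch(token) and not GLOBAL_KEY_RE.fullmatch(token):
            problems.append(
                "cloudflare_auth_username is set but the token looks like a scoped API token; "
                "remove the username and set cloudflare_zone_id, or use the Global API Key"
            )
        else:
            problems.append(
                "using the account-wide Global API Key; prefer an API token scoped to "
                "Zone:DNS:Edit on this one zone so a leaked add-on config cannot touch the account"
            )
    elif not zone_id:
        problems.append(
            "note: token-only auth without cloudflare_zone_id makes lexicon look the zone up "
            "via /zones?name=, so the token also needs Zone:Read; set cloudflare_zone_id to skip that"
        )
    return problems


if __name__ == "__main__":
    # Constructed values, not real credentials.
    sample = {"provider": "dns-cloudflare", "cloudflare_auth_username": "me@gmail.com",
              "cloudflare_auth_token": "A" * 40}
    for line in lint_dns_config(sample):
        print("-", line)
    print(auth_plan(sample))
```

If you keep the Global API Key, remember it is equivalent to the account password for every zone and product; the scoped token (Zone:DNS:Edit plus Zone:Read, restricted to the one zone) is the least-privilege choice for a box that only ever needs to write _acme-challenge TXT records.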
Problem/Motivation
I am trying to set up Let's Encrypt via DNS-01 authentication method on Cloudflare. When I try to set up my config with Cloudflare as DNS provider (not proxied) I get the error as below.
Expected behavior
I expect it to authenticate with Cloudflare.
Actual behavior
I get the error message: "deploy_challenge hook returned with non-zero exit code"
Steps to reproduce
Use the below configuration in HASS Add-On:
Certificate File: fullchain.pem
DNS Configuration:
Domains: mydomain.com
Email Address: me@gmail.com
Key File: privkey.pem
Update Delay: 30
Full Error Message