Bug 2180352

Summary: Let's Encrypt Certbot does not work with Cloudflare DNS authentication
Product: [Fedora] Fedora EPEL Reporter: jorge.gonzalez
Component: python-cloudflareAssignee: Jonathan Wright <jonathan>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: epel7CC: anon.amish, certbot-sig, elyscape, jonathan, luk.claes, nb
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: python-cloudflare-2.3.1-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-30 02:40:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description jorge.gonzalez 2023-03-21 09:21:14 UTC 
Description of problem:

When renewing a Let's Encrypt certificate with certbot and Cloudflare DNS authentication, an error is generated and the certificate is not renewed. the error says:

<pre>
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.0)
</pre>

Version-Release number of selected component (if applicable):

certbot-1.11.0-2.el7.noarch
python2-cloudflare-2.3.0-2.el7.noarch
python2-certbot-dns-cloudflare-1.11.0-1.el7.noarch

How reproducible:

Always

Steps to Reproduce:

/usr/bin/certbot  certonly --text --non-interactive --agree-tos  --register-unsafely-without-email  --preferred-challenges dns --dns-cloudflare --dns-cloudflare-credentials /tmp/credentials.ini --dns-cloudflare-propagation-seconds 15 -d <redacted_domain.com>  --preferred-chain 'ISRG Root X1'

The domain to renew must be managed in Cloudflare DNS and the CF credentials must be included in the file /tmp/credentials.ini in Certbot format.

Actual results:

Error:

Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.0)

And the certificate is not renewed.

Expected results:

No errors and certificate renewed.

Additional info:

I rebuilt the RPM for python-cloudflare 2.3.1 using the SRC RPM from 2.3.0 and changing just the Python package version (and disabling the GPG key check). The RPM was rebuilt without any issues, I installed the new RPM and certbot worked fine, my domain was renewed.

Just upgrading the Python cloudflare package to 2.3.1 makes certbot work again. There are later version of python-cloudflare, but 2.3.1 works just fine.
Comment 1 Fedora Update System 2023-03-21 14:19:37 UTC 
FEDORA-EPEL-2023-786a81c558 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-786a81c558
Comment 2 Fedora Update System 2023-03-22 02:54:09 UTC 
FEDORA-EPEL-2023-786a81c558 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-786a81c558

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 3 Fedora Update System 2023-03-30 02:40:09 UTC 
FEDORA-EPEL-2023-786a81c558 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.