Hi,
I cannot issue a wildcard certificate with Cloudflare. It froze on "Error add txt for domain:_acme-challenge.example.com".
This is acme.sh.log:
[Tue 14 Jun 2022 10:43:54 PM CEST] Running cmd: issue
[Tue 14 Jun 2022 10:43:54 PM CEST] _main_domain='example.com'
[Tue 14 Jun 2022 10:43:54 PM CEST] _alt_domains='*.example.com'
[Tue 14 Jun 2022 10:43:54 PM CEST] Using config home:/etc/letsencrypt/config
[Tue 14 Jun 2022 10:43:54 PM CEST] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Tue 14 Jun 2022 10:43:54 PM CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue 14 Jun 2022 10:43:54 PM CEST] DOMAIN_PATH='/etc/letsencrypt/renewal/example.com'
[Tue 14 Jun 2022 10:43:54 PM CEST] Le_NextRenewTime
[Tue 14 Jun 2022 10:43:54 PM CEST] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Tue 14 Jun 2022 10:43:54 PM CEST] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Tue 14 Jun 2022 10:43:54 PM CEST] GET
[Tue 14 Jun 2022 10:43:54 PM CEST] url='https://acme-v02.api.letsencrypt.org/directory'
[Tue 14 Jun 2022 10:43:54 PM CEST] timeout=
[Tue 14 Jun 2022 10:43:54 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g '
[Tue 14 Jun 2022 10:43:55 PM CEST] ret='0'
[Tue 14 Jun 2022 10:43:55 PM CEST] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Tue 14 Jun 2022 10:43:55 PM CEST] ACME_NEW_AUTHZ
[Tue 14 Jun 2022 10:43:55 PM CEST] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue 14 Jun 2022 10:43:55 PM CEST] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Tue 14 Jun 2022 10:43:55 PM CEST] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Tue 14 Jun 2022 10:43:55 PM CEST] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue 14 Jun 2022 10:43:55 PM CEST] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue 14 Jun 2022 10:43:55 PM CEST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue 14 Jun 2022 10:43:55 PM CEST] _on_before_issue
[Tue 14 Jun 2022 10:43:55 PM CEST] _chk_main_domain='example.com'
[Tue 14 Jun 2022 10:43:55 PM CEST] _chk_alt_domains='*.example.com'
[Tue 14 Jun 2022 10:43:55 PM CEST] Le_LocalAddress
[Tue 14 Jun 2022 10:43:55 PM CEST] d='example.com'
[Tue 14 Jun 2022 10:43:55 PM CEST] Check for domain='example.com'
[Tue 14 Jun 2022 10:43:55 PM CEST] _currentRoot='dns_cf'
[Tue 14 Jun 2022 10:43:55 PM CEST] d='*.example.com'
[Tue 14 Jun 2022 10:43:55 PM CEST] Check for domain='*.example.com'
[Tue 14 Jun 2022 10:43:55 PM CEST] _currentRoot='dns_cf'
[Tue 14 Jun 2022 10:43:55 PM CEST] d
[Tue 14 Jun 2022 10:43:55 PM CEST] _saved_account_key_hash is not changed, skip register account.
[Tue 14 Jun 2022 10:43:55 PM CEST] Read key length:2048
[Tue 14 Jun 2022 10:43:55 PM CEST] _createcsr
[Tue 14 Jun 2022 10:43:55 PM CEST] Multi domain='DNS:example.com,DNS:*.example.com'
[Tue 14 Jun 2022 10:43:55 PM CEST] Getting domain auth token for each domain
[Tue 14 Jun 2022 10:43:55 PM CEST] d='*.example.com'
[Tue 14 Jun 2022 10:43:55 PM CEST] d
[Tue 14 Jun 2022 10:43:55 PM CEST] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue 14 Jun 2022 10:43:55 PM CEST] payload='{"identifiers": [{"type":"dns","value":"example.com"},{"type":"dns","value":"*.example.com"}]}'
[Tue 14 Jun 2022 10:43:55 PM CEST] RSA key
[Tue 14 Jun 2022 10:43:55 PM CEST] HEAD
[Tue 14 Jun 2022 10:43:55 PM CEST] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue 14 Jun 2022 10:43:55 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g -I '
[Tue 14 Jun 2022 10:43:56 PM CEST] _ret='0'
[Tue 14 Jun 2022 10:43:56 PM CEST] POST
[Tue 14 Jun 2022 10:43:56 PM CEST] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue 14 Jun 2022 10:43:56 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g '
[Tue 14 Jun 2022 10:43:56 PM CEST] _ret='0'
[Tue 14 Jun 2022 10:43:56 PM CEST] code='201'
[Tue 14 Jun 2022 10:43:56 PM CEST] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/99592116/97768026066'
[Tue 14 Jun 2022 10:43:56 PM CEST] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/99592116/97768026066'
[Tue 14 Jun 2022 10:43:56 PM CEST] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/119680446756'
[Tue 14 Jun 2022 10:43:56 PM CEST] payload
[Tue 14 Jun 2022 10:43:56 PM CEST] POST
[Tue 14 Jun 2022 10:43:56 PM CEST] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/119680446756'
[Tue 14 Jun 2022 10:43:56 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g '
[Tue 14 Jun 2022 10:43:57 PM CEST] _ret='0'
[Tue 14 Jun 2022 10:43:57 PM CEST] code='200'
[Tue 14 Jun 2022 10:43:57 PM CEST] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/119680446766'
[Tue 14 Jun 2022 10:43:57 PM CEST] payload
[Tue 14 Jun 2022 10:43:57 PM CEST] POST
[Tue 14 Jun 2022 10:43:57 PM CEST] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/119680446766'
[Tue 14 Jun 2022 10:43:57 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g '
[Tue 14 Jun 2022 10:43:57 PM CEST] _ret='0'
[Tue 14 Jun 2022 10:43:57 PM CEST] code='200'
[Tue 14 Jun 2022 10:43:57 PM CEST] d='example.com'
[Tue 14 Jun 2022 10:43:57 PM CEST] Getting webroot for domain='example.com'
[Tue 14 Jun 2022 10:43:57 PM CEST] _w='dns_cf'
[Tue 14 Jun 2022 10:43:57 PM CEST] _currentRoot='dns_cf'
[Tue 14 Jun 2022 10:43:58 PM CEST] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446766/Q1vZsA","token":"QTB-I6d94Ovdl9AOdOvzOPTe6tRRX30om7-PFmi3CuM"'
[Tue 14 Jun 2022 10:43:58 PM CEST] token='QTB-I6d94Ovdl9AOdOvzOPTe6tRRX30om7-PFmi3CuM'
[Tue 14 Jun 2022 10:43:58 PM CEST] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446766/Q1vZsA'
[Tue 14 Jun 2022 10:43:58 PM CEST] keyauthorization='QTB-I6d94Ovdl9xxxOvzOPTe6tRRX30om7-PFmi3CuM.ja5AXtcwBf9mdrNG_DWagdEcdUTWTc5mMuNALn7q3t8'
[Tue 14 Jun 2022 10:43:58 PM CEST] dvlist='example.com#QTB-I6d94Ovdl9AOdOvzOPTxxxRRX30om7-PFmi3CuM.ja5AXtcwBf9mdrNG_DWagdEcdUTWTc5mMuNALn7q3t8#https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446766/Q1vZsA#dns-01#dns_cf'
[Tue 14 Jun 2022 10:43:58 PM CEST] d='*.example.com'
[Tue 14 Jun 2022 10:43:58 PM CEST] Getting webroot for domain='*.example.com'
[Tue 14 Jun 2022 10:43:58 PM CEST] _w='dns_cf'
[Tue 14 Jun 2022 10:43:58 PM CEST] _currentRoot='dns_cf'
[Tue 14 Jun 2022 10:43:58 PM CEST] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446756/i-qHCg","token":"TwVcZZ9mgkv2-UW5gKIce_WLRj2i6lsNwdamRQABf_M"'
[Tue 14 Jun 2022 10:43:58 PM CEST] token='TwVcZZ9mgkv2-UW5gKIce_WLRj2i6lsNwdamRQABf_M'
[Tue 14 Jun 2022 10:43:58 PM CEST] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446756/i-qHCg'
[Tue 14 Jun 2022 10:43:58 PM CEST] keyauthorization='TwVcZZ9mgkv2-UW5gKIce_WLRj2i6lsNwdamRQABf_M.ja5AXtcwBf9mdrNG_DWagdEcdUTWTc5mMuNALn7q3t8'
[Tue 14 Jun 2022 10:43:58 PM CEST] dvlist='*.example.com#TwVcxxxmgkv2-UW5gKIce_WLRj2i6lsNwdamRQABf_M.ja5AXtcwBf9mdrNG_DWagdEcdUTWTc5mMuNALn7q3t8#https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446756/i-qHCg#dns-01#dns_cf'
[Tue 14 Jun 2022 10:43:58 PM CEST] d
[Tue 14 Jun 2022 10:43:58 PM CEST] vlist='example.com#QTB-I6d94Ovdl9AOdOvzOPTe6tRRX30om7-PFmi3CuM.ja5AXtcwBf9mdrNG_DWagdEcdUTWTc5mMuNALn7q3t8#https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446766/Q1vZsA#dns-01#dns_cf,*.example.com#TwVcZZ9mgkv2-UW5gKIce_WLRj2i6lsNwdamRQABf_M.ja5AXtcwBf9mdrNG_DWxxxxcdUTWTc5mMuNALn7q3t8#https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446756/i-qHCg#dns-01#dns_cf,'
[Tue 14 Jun 2022 10:43:58 PM CEST] d='example.com'
[Tue 14 Jun 2022 10:43:58 PM CEST] _d_alias
[Tue 14 Jun 2022 10:43:58 PM CEST] txtdomain='_acme-challenge.example.com'
[Tue 14 Jun 2022 10:43:58 PM CEST] txt='Is1lvqom9RM7EArOnGH0U8KFk8zyLEC-6KrmvZmrGzw'
[Tue 14 Jun 2022 10:43:58 PM CEST] d_api='/etc/letsencrypt/dnsapi/dns_cf.sh'
[Tue 14 Jun 2022 10:43:58 PM CEST] Found domain api file: /etc/letsencrypt/dnsapi/dns_cf.sh
[Tue 14 Jun 2022 10:43:58 PM CEST] Adding txt value: Is1lvqom9RM7EArOnGH0U8KFk8zyLEC-6KrmvZmrGzw for domain: _acme-challenge.example.com
[Tue 14 Jun 2022 10:43:58 PM CEST] First detect the root zone
[Tue 14 Jun 2022 10:43:58 PM CEST] h='_acme-challenge.example.com'
[Tue 14 Jun 2022 10:43:58 PM CEST] zones?name=_acme-challenge.example.com
[Tue 14 Jun 2022 10:43:58 PM CEST] GET
[Tue 14 Jun 2022 10:43:58 PM CEST] url='https://api.cloudflare.com/client/v4/zones?name=_acme-challenge.example.com'
[Tue 14 Jun 2022 10:43:58 PM CEST] timeout=
[Tue 14 Jun 2022 10:43:58 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g '
[Tue 14 Jun 2022 10:43:59 PM CEST] ret='0'
[Tue 14 Jun 2022 10:43:59 PM CEST] h='example.com'
[Tue 14 Jun 2022 10:43:59 PM CEST] zones?name=example.com
[Tue 14 Jun 2022 10:43:59 PM CEST] GET
[Tue 14 Jun 2022 10:43:59 PM CEST] url='https://api.cloudflare.com/client/v4/zones?name=example.com'
[Tue 14 Jun 2022 10:43:59 PM CEST] timeout=
[Tue 14 Jun 2022 10:43:59 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g '
[Tue 14 Jun 2022 10:43:59 PM CEST] ret='0'
[Tue 14 Jun 2022 10:43:59 PM CEST] _domain_id='0e2720aa1a38df1d21a249e99fac5d68'
[Tue 14 Jun 2022 10:43:59 PM CEST] _sub_domain='_acme-challenge'
[Tue 14 Jun 2022 10:44:00 PM CEST] _domain='example.com'
[Tue 14 Jun 2022 10:44:00 PM CEST] Getting txt records
[Tue 14 Jun 2022 10:44:00 PM CEST] zones/0e2720aa1a38df1d21a249e99fac5d68/dns_records?type=TXT&name=_acme-challenge.example.com
[Tue 14 Jun 2022 10:44:00 PM CEST] GET
[Tue 14 Jun 2022 10:44:00 PM CEST] url='https://api.cloudflare.com/client/v4/zones/0e2720aa1a38df1d21a249e99fac5d68/dns_records?type=TXT&name=_acme-challenge.example.com'
[Tue 14 Jun 2022 10:44:00 PM CEST] timeout=
[Tue 14 Jun 2022 10:44:00 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g '
[Tue 14 Jun 2022 10:44:01 PM CEST] ret='0'
[Tue 14 Jun 2022 10:44:01 PM CEST] Adding record
[Tue 14 Jun 2022 10:44:01 PM CEST] zones/0e2720aa1a38dfxxxa249e99fac5d68/dns_records
[Tue 14 Jun 2022 10:44:01 PM CEST] data='{"type":"TXT","name":"_acme-challenge.example.com","content":"Is1lvqom9RM7EArOnGH0Uxxx8KFk8zyLEC-6KrmvZmrGzw","ttl":120}'
[Tue 14 Jun 2022 10:44:01 PM CEST] POST
[Tue 14 Jun 2022 10:44:01 PM CEST] _post_url='https://api.cloudflare.com/client/v4/zones/0e2720aa1a38xxx249e99fac5d68/dns_records'
[Tue 14 Jun 2022 10:44:01 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g '
[Tue 14 Jun 2022 10:44:02 PM CEST] _ret='0'
[Tue 14 Jun 2022 10:44:02 PM CEST] Add txt record error.
[Tue 14 Jun 2022 10:44:02 PM CEST] Error add txt for domain:_acme-challenge.example.com
[Tue 14 Jun 2022 10:44:02 PM CEST] _on_issue_err
[Tue 14 Jun 2022 10:44:02 PM CEST] Please check log file for more details: /etc/letsencrypt/config/acme.sh.log
[Tue 14 Jun 2022 10:44:02 PM CEST] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446766/Q1vZsA'
[Tue 14 Jun 2022 10:44:02 PM CEST] payload='{}'
[Tue 14 Jun 2022 10:44:02 PM CEST] POST
[Tue 14 Jun 2022 10:44:02 PM CEST] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446766/Q1vZsA'
[Tue 14 Jun 2022 10:44:02 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g '
[Tue 14 Jun 2022 10:44:02 PM CEST] _ret='0'
[Tue 14 Jun 2022 10:44:02 PM CEST] code='200'
[Tue 14 Jun 2022 10:44:02 PM CEST] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446756/i-qHCg'
[Tue 14 Jun 2022 10:44:02 PM CEST] payload='{}'
[Tue 14 Jun 2022 10:44:02 PM CEST] POST
[Tue 14 Jun 2022 10:44:03 PM CEST] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/119680446756/i-qHCg'
[Tue 14 Jun 2022 10:44:03 PM CEST] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L -g '
[Tue 14 Jun 2022 10:44:03 PM CEST] _ret='0'
[Tue 14 Jun 2022 10:44:03 PM CEST] code='200'
[Tue 14 Jun 2022 10:44:03 PM CEST] pid
[Tue 14 Jun 2022 10:44:03 PM CEST] No need to restore nginx, skip.
[Tue 14 Jun 2022 10:44:03 PM CEST] _clearupdns
[Tue 14 Jun 2022 10:44:03 PM CEST] dns_entries
[Tue 14 Jun 2022 10:44:03 PM CEST] skip dns.
This is account.conf
LOG_FILE='/etc/letsencrypt/config/acme.sh.log'
#LOG_LEVEL=1
AUTO_UPGRADE='1'
#NO_TIMESTAMP=1
CERT_HOME='/etc/letsencrypt/renewal'
UPGRADE_HASH='hash'
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'
SAVED_CF_Key='hash'
SAVED_CF_Email='mail'
Several notes:
- "export" (saving Cloudflare API credentials through the command line) did not work even after 2 reboots, so I copied SAVED_CF_KEY and SAVED_CF_Email from another server, where the error is the same: "Add txt record error."
- CF key is actual, double checked
- Proxy in CF is off + basically I went through all from this post https://community.wordops.net/d/674-please-make-sure-your-properly-set-your-dns-api-credentials-for-acmesh
/etc/letsencrypt/acme.sh --issue --dns dns_cf -d example.com -d *.example.com
froze at the same step
My goal is to issue a wildcard SSL cert. What are your suggestions? (I'm out of ideas and Google keywords.)
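
Added example, not part of the original post or of acme.sh: a small triage helper that reads an acme.sh debug log and pairs each failure with the HTTP request logged just before it. The function names and the sample lines (modelled on the log above, with `ZONE_ID` as a placeholder) are constructed, and reading `ret`/`_ret` as the exit status of the logged curl call is an assumption about the log format.

```shell
#!/bin/sh
# Added example: not from the original post and not acme.sh code.
# failing_request reads an acme.sh debug log on stdin and prints, for each
# failure, the error text plus the request that was logged right before it.
failing_request() {
  awk -v q="'" '
    { msg = $0; sub(/^\[[^]]*\] /, "", msg) }        # drop the "[timestamp] " prefix
    msg == "GET" || msg == "POST" || msg == "HEAD" {
      method = msg; ret = "?"; reported = 0; next     # a new request starts here
    }
    msg ~ /^(url|_post_url)=/ {
      url = msg; sub(/^[^=]*=/, "", url); gsub(q, "", url); next
    }
    msg ~ /^_?ret=/ {
      # Assumption: ret/_ret is the exit status of the curl call just logged.
      ret = msg; sub(/^[^=]*=/, "", ret); gsub(q, "", ret); next
    }
    msg ~ /[Ee]rror/ && !reported {
      # Report only the first error after a request; follow-up error lines
      # ("Error add txt for domain:...") describe the same failure.
      printf "error=\"%s\" method=%s url=%s curl_ret=%s\n", msg, method, url, ret
      reported = 1
    }
  '
}

# Constructed sample, modelled on the tail of the log in the post.
sample_log() {
  cat <<'EOF'
[Tue 14 Jun 2022 10:44:00 PM CEST] GET
[Tue 14 Jun 2022 10:44:00 PM CEST] url='https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records?type=TXT&name=_acme-challenge.example.com'
[Tue 14 Jun 2022 10:44:01 PM CEST] ret='0'
[Tue 14 Jun 2022 10:44:01 PM CEST] Adding record
[Tue 14 Jun 2022 10:44:01 PM CEST] POST
[Tue 14 Jun 2022 10:44:01 PM CEST] _post_url='https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records'
[Tue 14 Jun 2022 10:44:02 PM CEST] _ret='0'
[Tue 14 Jun 2022 10:44:02 PM CEST] Add txt record error.
[Tue 14 Jun 2022 10:44:02 PM CEST] Error add txt for domain:_acme-challenge.example.com
EOF
}

sample_log | failing_request
```

On the sample, the helper reports the `POST` to the Cloudflare `dns_records` endpoint with `curl_ret=0`; under the assumption above, the HTTP transfer completed and the failure was decided from what the API returned, which is not recorded at this log level.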