follow_cnames: Not working as expected #1295

@g00gling

Description

Got myself a special case, and I think that follow_cnames is not working as expected.

I have a (special) situation where I do not have access to the DNS (API) of the domain for which I'm going to request / manage the certificate. So to explain my situation a little bit more:

Certificate we are going to request: (We do not have API access to this domain's DNS)
subdomain.example.com
We have a CNAME available to a domain where we do have API access:
_acme-challenge.subdomain.example.com CNAME: certs-challange.mydomain.com

The last one mentioned above is my TXT record that I have available through the Cloudflare API, to make changes.

So my config file is as follows:

acme:
  email_account: mymail@private.com
  staging: true
profiles:
- name: cloudflare
  provider: cloudflare
  provider_options:
    auth_username: mymail@private.com
    auth_token: <workingapitoken>
certificates:
- domains:
  - subdomain.example.com
  profile: cloudflare
  follow_cnames: true

But this is not working as I thought it should, so here is some logging from the actual application:

2025-07-02 15:52:10 8481c08cc444 dnsrobocert.core.utils[1] INFO Launching command: /usr/local/bin/python3 -m dnsrobocert.core.certbot certonly -n --user-agent-comment DNSroboCert/3.26.1 --preferred-chain "ISRG Root X1" --config-dir /etc/letsencrypt --work-dir /etc/letsencrypt/workdir --logs-dir /etc/letsencrypt/logs --manual --preferred-challenges=dns --manual-auth-hook "/usr/local/bin/python3 -m dnsrobocert.core.hooks -t auth -c \"/tmp/tmpuejhfc6_/dnsrobocert-runtime.yml\" -l \"subdomain.example.com\"" --manual-cleanup-hook "/usr/local/bin/python3 -m dnsrobocert.core.hooks -t cleanup -c \"/tmp/tmpuejhfc6_/dnsrobocert-runtime.yml\" -l \"subdomain.example.com\"" --expand --deploy-hook "/usr/local/bin/python3 -m dnsrobocert.core.hooks -t deploy -c \"/tmp/tmpuejhfc6_/dnsrobocert-runtime.yml\" -l \"subdomain.example.com\"" --server https://acme-staging-v02.api.letsencrypt.org/directory --cert-name subdomain.example.com --key-type rsa -d subdomain.example.com
Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
Requesting a certificate for subdomain.example.com
Hook '--manual-auth-hook' for subdomain.example.com reported error code 1
Hook '--manual-auth-hook' for subdomain.example.com ran with output:
 Executing auth hook for domain subdomain.example.com, lineage subdomain.example.com.
 Trying to resolve the canonical challenge name for _acme-challenge.subdomain.example.com.
 Canonical challenge name found for _acme-challenge.subdomain.example.com.: certs-challange.mydomain.com.
Hook '--manual-auth-hook' for subdomain.example.com ran with error output:
 Error while executing the auth hook:
 400 Client Error: Bad Request for url: https://api.cloudflare.com/client/v4/zones?name=mydomain.com
 Traceback (most recent call last):
   File "/usr/local/lib/python3.11/site-packages/dnsrobocert/core/hooks.py", line 46, in main
     globals()[parsed_args.type](dnsrobocert_config, parsed_args.lineage)
   File "/usr/local/lib/python3.11/site-packages/dnsrobocert/core/hooks.py", line 77, in auth
     txt_challenge(certificate, profile, token, domain, action="create")
   File "/usr/local/lib/python3.11/site-packages/dnsrobocert/core/challenge.py", line 53, in txt_challenge
     with Client(ConfigResolver().with_dict(config_dict)) as operations:
   File "/usr/local/lib/python3.11/site-packages/lexicon/client.py", line 169, in __enter__
     raise e
   File "/usr/local/lib/python3.11/site-packages/lexicon/client.py", line 162, in __enter__
     provider.authenticate()
   File "/usr/local/lib/python3.11/site-packages/lexicon/_private/providers/cloudflare.py", line 56, in authenticate
     payload = self._get("/zones", {"name": self.domain})
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/usr/local/lib/python3.11/site-packages/lexicon/interfaces.py", line 163, in _get
     return self._request("GET", url, query_params=query_params)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/usr/local/lib/python3.11/site-packages/lexicon/_private/providers/cloudflare.py", line 218, in _request
     response.raise_for_status()
   File "/usr/local/lib/python3.11/site-packages/requests/models.py", line 1024, in raise_for_status
     raise HTTPError(http_error_msg, response=self)
 requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api.cloudflare.com/client/v4/zones?name=mydomain.com

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: subdomain.example.com
  Type:   unauthorized
  Detail: Incorrect TXT record "tobechanged" found at _acme-challenge.subdomain.example.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

I think that this has something to do with:

Hook '--manual-auth-hook' for subdomain.example.com reported error code 1
Hook '--manual-auth-hook' for subdomain.example.com ran with output:

Maybe it's just a config fluke, or something simple. Hope to get some help here. Thanks a lot!
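The following is an added, stand-alone illustration of the mechanism this report is about; it is not dnsrobocert's, certbot's or lexicon's code. It shows what a DNS-01 auth hook that follows CNAMEs has to do: resolve `_acme-challenge.<domain>` through the CNAME chain, pick the zone it can actually manage for the canonical name (here `mydomain.com`, not `example.com`), and publish the RFC 8555 validation value there; it then runs the CA-side check the same way the CA does, so the "Incorrect TXT record ... found" outcome above is reproduced when a stale value sits at the target. DNS is stubbed with an in-memory table (`FAKE_DNS`) and the set of API-manageable zones (`MANAGED_ZONES`), the token and key thumbprint are placeholders, and the record names and values are constructed, not taken from any real zone.

```python
"""Added example: CNAME-following for ACME DNS-01, with a CA-style check.
Not project code; DNS and the provider API are replaced by in-memory data."""
import base64
import hashlib

# Constructed stand-in for DNS: owner name -> (rrtype, rdata). Mirrors the
# report: the challenge name is a CNAME into a zone we control, and the
# target currently holds a stale TXT value.
FAKE_DNS = {
    "_acme-challenge.subdomain.example.com.": ("CNAME", "certs-challange.mydomain.com."),
    "certs-challange.mydomain.com.": ("TXT", "tobechanged"),
}
# Constructed: zones the API token is allowed to edit (the zone lookup the
# hook must issue). example.com is deliberately absent.
MANAGED_ZONES = {"mydomain.com."}


def _fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def follow_cnames(name: str, dns: dict, max_hops: int = 8) -> str:
    """Return the canonical name after following CNAMEs (RFC 1034 style).
    A loop or an over-long chain raises instead of spinning forever."""
    name = _fqdn(name)
    seen = set()
    for _ in range(max_hops):
        rr = dns.get(name)
        if rr is None or rr[0] != "CNAME":
            return name                      # no CNAME here: this is canonical
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = _fqdn(rr[1])
    raise ValueError(f"CNAME chain from {name} exceeds {max_hops} hops")


def find_zone(name: str, zones: set) -> str:
    """Pick the longest managed zone that is a label-wise suffix of name."""
    labels = _fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    raise LookupError(f"no API-manageable zone for {name}")


def dns01_value(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT rdata is base64url(SHA-256(token '.' thumbprint))
    without padding. token and jwk_thumbprint are placeholders in this example."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def plan_txt_record(domain: str, token: str, thumbprint: str,
                    dns: dict, zones: set, follow: bool = True) -> dict:
    """What a follow_cnames-aware auth hook must decide before touching the
    provider API: the owner name the CA will end up querying, the zone to ask
    the API for, and the value to publish. With follow=False the hook would
    try to place the record under example.com, which it cannot manage."""
    challenge = f"_acme-challenge.{_fqdn(domain)}"
    target = follow_cnames(challenge, dns) if follow else challenge
    return {
        "name": target,
        "zone": find_zone(target, zones),
        "value": dns01_value(token, thumbprint),
    }


def publish(plan: dict, dns: dict) -> dict:
    """Simulated provider write: returns a new DNS table with the TXT in place."""
    updated = dict(dns)
    updated[plan["name"]] = ("TXT", plan["value"])
    return updated


def ca_check(domain: str, expected: str, dns: dict) -> tuple:
    """CA side of DNS-01: resolve the challenge name (CNAMEs included) and
    compare the TXT found there. Returns (ok, value_found_or_None)."""
    target = follow_cnames(f"_acme-challenge.{_fqdn(domain)}", dns)
    rr = dns.get(target)
    found = rr[1] if rr and rr[0] == "TXT" else None
    return found == expected, found


if __name__ == "__main__":
    plan = plan_txt_record("subdomain.example.com", "tok", "thumb", FAKE_DNS, MANAGED_ZONES)
    print("hook would write", plan["name"], "in zone", plan["zone"])
    print("before publish:", ca_check("subdomain.example.com", plan["value"], FAKE_DNS))
    print("after publish: ", ca_check("subdomain.example.com", plan["value"], publish(plan, FAKE_DNS)))
```

The zone step is the one that matters for this setup: once the CNAME is followed, every provider call (zone lookup, record create, cleanup) has to be made against the zone of the canonical name, and the API token has to be scoped to that zone, or the hook fails before any TXT is written and the CA then sees whatever stale value was already there.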
