Cloudflare invalid credentials #1665

Closed
aniel300 opened this issue Dec 21, 2021 · 19 comments

Comments

@aniel300

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • No
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
When I tried to renew the SSL cert I get "internal error". Note: I am using a wildcard with Cloudflare.

Nginx Proxy Manager Version
latest as of the time of this posting

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'ssl certificate'
  2. Click on 'renew cert'
  3. See error

Expected behavior
Be able to renew the cert, which also brings me to a question: isn't npm supposed to do this automatically?

Screenshots
https://i.imgur.com/3KpuUjy.png

Operating System
ubuntu 18/docker

Additional context
I did try to find a similar issue to this and found some, but I can't figure out if there is a fix for this or not.
Some posts I found:
#1659
#1625

thank you in advance.

@aniel300 aniel300 added the bug label Dec 21, 2021
@chaptergy
Collaborator

Have a look at #1271, especially the certificate section, and provide some of the letsencrypt logs, otherwise the issue could be anything.

@aniel300
Author

OK, will do sir. Is it safe to share my logs here?

@chaptergy
Collaborator

The only sensitive information in the letsencrypt logs should be the domain and maybe the email address you entered as the notification address. You can search and replace them with placeholders if you like. The other information is randomly generated challenge data which is useless by the time you have posted the logs.

@aniel300
Author

Sorry for my ignorance, where is it that I find the required logs? Maybe here?: \docker\proxymanager\data\logs

@aniel300
Author

aniel300 commented Dec 29, 2021

Here are the docker logs, let me know if you need anything else and also if I have included any sensitive info.

Docker Logs
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Socket.<anonymous> (node:internal/child_process:450:11)
    at Socket.emit (node:events:390:28)
    at Pipe.<anonymous> (node:net:687:12)
[12/28/2021] [9:24:33 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/28/2021] [9:30:18 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/28/2021] [10:24:33 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/28/2021] [10:29:00 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/28/2021] [11:24:33 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[12/28/2021] [11:24:33 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[12/28/2021] [11:24:33 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[12/28/2021] [11:24:33 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[12/28/2021] [11:24:33 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[12/28/2021] [11:24:33 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/28/2021] [11:25:04 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/29/2021] [12:24:33 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/29/2021] [12:27:16 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/29/2021] [1:24:33 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/29/2021] [1:27:58 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/29/2021] [2:24:33 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/29/2021] [2:30:56 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/29/2021] [3:24:33 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/29/2021] [3:28:17 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
Connection Error: Error: read ECONNRESET
Connection Error: Error: read ECONNRESET
[12/29/2021] [4:03:27 AM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates via Cloudflare for Cert #1: *.qbanguy.xyz
[12/29/2021] [4:03:27 AM] [SSL      ] › ℹ  info      Command: certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew 
[12/29/2021] [4:03:30 AM] [Express  ] › ⚠  warning   Command failed: certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unsafe permissions on credentials configuration file: /etc/letsencrypt/credentials/credentials-1
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

@chaptergy chaptergy changed the title when i tried to renew ssl cert i get "internal error" Temporary failure in name resolution on ssl renewal Dec 29, 2021
@chaptergy
Collaborator

@aniel300 Your logs say

Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)

Have you provided valid credentials?

@aniel300
Author

Yes. This wildcard cert was created by the first host I did.

@chaptergy
Collaborator

chaptergy commented Dec 29, 2021

Then your issue is either related to #1697, or it is not an npm issue at all. Go ahead and try using docker image jc21/nginx-proxy-manager:github-pr-1697. If that does not work, try it with your own installation of certbot to see if that works.

EDIT: sorry, I got confused by all the different issues in this thread, forgot that you are the original author.

@chaptergy chaptergy changed the title Temporary failure in name resolution on ssl renewal Cloudflare invalid credentials Dec 29, 2021
@chaptergy
Collaborator

It could also be possible that the reason is the slightly changed namespace syntax in certbot. You should connect to the database, go to the certificate table, and the meta column for your certificate's row should contain your credentials. Make sure it says dns_cloudflare_api_token = ... and not something like certbot-dns-cloudflare:dns_cloudflare_api_token = ...
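
Added example, not part of the thread or the project's code: a small linter for the two local conditions this thread surfaces, the key syntax described in the comment above and the "Unsafe permissions on credentials configuration file" warning in the posted log. The function names are hypothetical, and treating any group/other permission bit as unsafe is this example's own policy; findings never include the token value, so the output can be pasted into an issue.

```python
import os
import stat

LEGACY_PREFIX = "certbot-dns-cloudflare:"  # old namespaced form quoted in the thread
TOKEN_KEY = "dns_cloudflare_api_token"     # form the thread says the meta should use


def lint_credentials_text(text):
    """Return findings for a dns-cloudflare credentials blob; never echoes values."""
    findings, keys = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            findings.append(f"line {lineno}: not a 'key = value' pair")
            continue
        if key.startswith(LEGACY_PREFIX):
            findings.append(f"line {lineno}: legacy key '{key}', rename to "
                            f"'{key[len(LEGACY_PREFIX):]}'")
            continue  # a legacy key does not count as a usable entry
        if not value:
            findings.append(f"line {lineno}: '{key}' has an empty value")
        keys.add(key)
    # Only the token form is discussed in the thread, so only that key is required.
    if TOKEN_KEY not in keys:
        findings.append(f"no usable '{TOKEN_KEY}' entry")
    return findings


def lint_credentials_file(path):
    """Lint a credentials file on disk, including its permission bits."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access; use chmod 600")
    with open(path, encoding="utf-8") as fh:
        return findings + lint_credentials_text(fh.read())


if __name__ == "__main__":
    # Constructed sample, not taken from the issue: legacy key with a fake token.
    sample = "# Cloudflare API token\ncertbot-dns-cloudflare:dns_cloudflare_api_token = FAKE-TOKEN\n"
    for finding in lint_credentials_text(sample):
        print(finding)
```

Inside the container, `lint_credentials_file` can be pointed at the path named in the log, /etc/letsencrypt/credentials/credentials-1; a clean result means neither condition applies and the token itself should be checked on the Cloudflare side.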

@aniel300
Author

Then your issue is either related to #1697, or it is not an npm issue at all. Go ahead and try using docker image jc21/nginx-proxy-manager:github-pr-1697. If that does not work, try it with your own installation of certbot to see if that works.

Ahh OK. So is this response still valid?

@chaptergy
Collaborator

Sure, so first check the database, if that does not work try the different docker image, and if that still does not work try it with a custom certbot installation on a different machine.

@aniel300
Author

aniel300 commented Dec 29, 2021

I can try to do a few of those things, except for the one of using a different machine, since this is a dedicated server.

@christofkac

Hi,
I don't know if this is related but I ran into the same problem.
It is important to configure your DNS entry in Cloudflare as "DNS only" as long as you don't have a certificate and, once the certificate is created, switch to "Proxied".
Hope that helps

@aniel300
Author

@christofkac I tried with DNS only and the issue is still happening.

Issue is now considered stale. If you want to keep it open, please comment 👍

@github-actions github-actions bot added the stale label Feb 29, 2024
@aniel300
Author

Closing as I never got it fixed or got the time to attempt to fix it. A long time has passed and I now use traefik. Still, this project is amazing for people looking to get into reverse proxies who want/need a UI to help them through the journey. Thank you to the devs and keep up the good work.
