I have an issue trying to obtain a wildcard cert for my domain with a generated API token for the DNS zone (with edit rights).
I’ve used this article to set up certbot-auto, but with no luck. In the console I got, after cleaning up challenges:
Unable to determine zone_id for xxx.yy using zone names: [u'xxx.yy', u'yy']. Please confirm that the domain name has been entered correctly and is already associated with the supplied Cloudflare account. The error from Cloudflare was: 0 Actor 'com.cloudflare.api.token.xxxxxxxxxxxxxxxxxxx' requires permission 'com.cloudflare.api.account.zone.list' to list zones
There are no issues if I use the Global API, but this is not secure.
Could anyone help me to figure this out, please?
The API Token needs to read all zones on your account. You probably gave it only write permissions on the zone you are working on.
I can definitely see a use case for a special API token that has “acme only” permissions on a single hostname, but currently you have to give the token wider permissions.
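The following diagnostic script is an added example, not part of this thread and not certbot's own code. It reproduces the zone lookup that the certbot Cloudflare DNS plugin performs (it lists zones by name, trying the domain and then each shorter suffix, which is why the error above shows both xxx.yy and yy), and it classifies the error envelope so a token that lacks the zone-list permission is reported as such instead of a vague "unable to determine zone_id". The API base URL and the permission string com.cloudflare.api.account.zone.list are Cloudflare's as quoted on the page; the fake responders, the zone id and the token value are constructed placeholders so the script runs offline.

```python
"""Diagnose why certbot's Cloudflare DNS plugin cannot find a zone_id.

The plugin resolves a zone by *listing* zones filtered by name, trying the
domain and then each parent suffix.  A token scoped to DNS edit on a single
zone is refused before any TXT record is written.  Added example; not
certbot's or Cloudflare's code.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

CF_API = "https://api.cloudflare.com/client/v4"            # Cloudflare v4 API base URL
ZONE_LIST_PERMISSION = "com.cloudflare.api.account.zone.list"  # permission named in the error


def candidate_zone_names(domain: str) -> List[str]:
    """Suffixes tried, longest first: 'a.b.c' -> ['a.b.c', 'b.c', 'c']."""
    labels = domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def classify_error(body: Dict) -> str:
    """Turn a Cloudflare v4 envelope into a short diagnosis ('ok' if success)."""
    errors = body.get("errors") or []
    for err in errors:
        if ZONE_LIST_PERMISSION in err.get("message", ""):
            return "token lacks zone list (Zone:Read) permission"
    if not body.get("success", False):
        return "api error: " + "; ".join(e.get("message", "?") for e in errors)
    return "ok"


def cf_get(token: str, path: str, params: Dict[str, str]) -> Dict:
    """Real HTTP GET against Cloudflare; a 4xx still carries a JSON envelope."""
    url = f"{CF_API}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        return json.loads(e.read().decode("utf-8"))


def find_zone_id(token: str, domain: str,
                 fetch: Callable[[str, str, Dict[str, str]], Dict] = cf_get
                 ) -> Tuple[Optional[str], str]:
    """Mimic the plugin: list zones by each candidate name until one matches."""
    names = candidate_zone_names(domain)
    for name in names:
        body = fetch(token, "/zones", {"name": name})
        diagnosis = classify_error(body)
        if diagnosis != "ok":
            return None, diagnosis          # a permission error will not improve with shorter names
        for zone in body.get("result") or []:
            if zone.get("name") == name:
                return zone["id"], "ok"
    return None, "no zone matched any of " + ", ".join(names)


# Constructed responses (placeholders, not captured API output) for offline use.
PERMISSION_DENIED = {
    "success": False, "result": None,
    "errors": [{"code": 0, "message":
                "Actor 'com.cloudflare.api.token.PLACEHOLDER' requires permission "
                "'com.cloudflare.api.account.zone.list' to list zones"}],
}


def fake_edit_only_token(token: str, path: str, params: Dict[str, str]) -> Dict:
    """Token with DNS edit on one zone but no zone read: every list call is refused."""
    return PERMISSION_DENIED


def fake_zone_read_token(token: str, path: str, params: Dict[str, str]) -> Dict:
    """Token with zone read: only the registered zone is returned, the bare TLD guess is empty."""
    if params["name"] == "example.com":
        return {"success": True, "errors": [],
                "result": [{"id": "ZONEID-PLACEHOLDER", "name": "example.com"}]}
    return {"success": True, "errors": [], "result": []}


if __name__ == "__main__":
    print("edit-only token:", find_zone_id("TOKEN-PLACEHOLDER", "xxx.yy", fetch=fake_edit_only_token))
    print("zone-read token:", find_zone_id("TOKEN-PLACEHOLDER", "www.example.com", fetch=fake_zone_read_token))
    # To check a real token, call find_zone_id(token, domain) with the default fetch.
```

Running it with the default fetch and a real token is a quick way to confirm the token can list zones before pointing certbot at it; if the first line of the diagnosis is the permission message, the fix is on the token's permissions (the answer above: zone read across the account), not in the certbot configuration.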