Lego letsencrypt: 'cloudflare: unexpected response code 'REFUSED''

Answer these questions to help the Community help you with Security questions.

What is the domain name?
media.connor.asia

Have you searched for an answer?
yes

Please share your search results url:

When you tested your domain, what were the results?
tested what?
Server has existing cert √
Cannot renew √

Describe the issue you are having:
Unable to renew cert using acme client
Another Server with different subdomain is working fine

What error message or number are you receiving?
2023/11/13 15:53:46 [INFO] [media.connor.asia] acme: Trying renewal with 296 hours remaining
2023/11/13 15:53:46 [INFO] [media.connor.asia] acme: Obtaining bundled SAN certificate
2023/11/13 15:53:47 [INFO] [media.connor.asia] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/283303261396
2023/11/13 15:53:47 [INFO] [media.connor.asia] acme: Could not find solver for: tls-alpn-01
2023/11/13 15:53:47 [INFO] [media.connor.asia] acme: Could not find solver for: http-01
2023/11/13 15:53:47 [INFO] [media.connor.asia] acme: use dns-01 solver
2023/11/13 15:53:47 [INFO] [media.connor.asia] acme: Preparing to solve DNS-01
2023/11/13 15:53:47 [INFO] [media.connor.asia] acme: Cleaning DNS-01 challenge
2023/11/13 15:53:47 [WARN] [media.connor.asia] acme: cleaning up failed: cloudflare: unexpected response code ‘REFUSED’ for _acme-challenge.media.connor.asia.
2023/11/13 15:53:47 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/283303261396
2023/11/13 15:53:47 error: one or more domains had a problem:
[media.connor.asia] [media.connor.asia] acme: error presenting token: cloudflare: unexpected response code ‘REFUSED’ for _acme-challenge.media.connor.asia.

What steps have you taken to resolve the issue?

  1. validated script
  2. renewed token, verified token
  3. deleted API setup including token and set up from scratch

Was the site working with SSL prior to adding it to Cloudflare?
Yes

What are the steps to reproduce the error:

  1. run /usr/local/bin/synology-letsencrypt.sh = error
  2. run CLOUDFLARE_DNS_API_TOKEN=
    lego --email --dns cloudflare --domains media.connor.asia run = error
  3. tried a bunch of other stuff as well

Have you tried from another browser and/or incognito mode?
no

Please attach a screenshot of the error:

OK, this isn’t getting much traction, so maybe I can make it simpler:

What does this error message mean, or can I get more verbosity to explain it?

It’s a DNS Status Code, generally used when the nameserver cannot/refuses to perform the specific operation. Like if that nameserver can’t answer that query because it doesn’t know about the domain; for example, you get REFUSED if you ask Cloudflare Authoritative Nameservers about google.com.

There’s a few other cases:

If you are using a DNS Resolver that supports Extended DNS Errors (EDE) and the DNS Client you are using can read and display those, maybe: Dig through SERVFAILs with EDE

This seems more related to Traefik/Lego than Cloudflare though. This has already been talked about before on the forum as well:

It looks like there’s an option to disable that check entirely:

or disable it and force a delay like this user did:
https://old.reddit.com/r/Traefik/comments/wysdxu/stuck_on_waiting_for_dns_record_propagation/

I’m guessing something is going wrong with the check (default DNS block, etc.). Cloudflare propagates DNS changes so quickly anyway (like ~1-2s globally, excluding local/resolver DNS cache, which Let’s Encrypt bypasses) that just waiting a static amount of time works.

That error specifically is thrown here: https://github.com/go-acme/lego/blob/7186ebb6f194c55781432162a47ff62a0bb21023/challenge/dns01/nameserver.go#L210
It is part of the pre-checks for DNS propagation, which can be disabled as described above.
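To see the raw DNS status code behind "unexpected response code 'REFUSED'" without lego in the way, here is a stdlib-only Python probe (an added example, not lego's code or the reply author's): it sends a TXT query for the `_acme-challenge` name straight to a nameserver you pick and decodes the RCODE from the reply header, then interprets it the way a propagation pre-check would. The choice of TXT as query type and the classification wording are this example's own assumptions.

```python
"""Diagnose the DNS side of a DNS-01 propagation pre-check by hand."""
import socket
import struct

# RCODE values from RFC 1035 section 4.1.1 (lego prints the same names).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_txt_query(name, txid=0x1234):
    """Encode a recursion-desired DNS query for <name> TXT IN in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 16, 1)  # TXT=16, IN=1


def parse_rcode(response):
    """Return (rcode name, answer count) from a DNS response header."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), ancount


def classify(rcode, ancount):
    """Interpret the rcode the way a propagation check would (example policy)."""
    if rcode == "NOERROR" and ancount > 0:
        return "record visible: challenge can proceed"
    if rcode in ("NOERROR", "NXDOMAIN"):
        return "not propagated yet: keep waiting"
    # REFUSED/SERVFAIL: this server will not answer for the zone at all, so
    # waiting longer cannot help; check which nameserver is being asked.
    return "hard error %s: this nameserver will not answer for the zone" % rcode


def probe(name, server, timeout=3.0):
    """Send the query over UDP to <server>:53 and decode the reply's rcode."""
    query = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch in DNS reply")
    return parse_rcode(data)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py _acme-challenge.media.connor.asia <nameserver-ip>
    rc, n = probe(sys.argv[1], sys.argv[2])
    print("%s answered %s (%d answer(s)): %s" % (sys.argv[2], rc, n, classify(rc, n)))
```

Run it once against a Cloudflare authoritative nameserver for the zone and once against the resolver the Synology box uses; a REFUSED from the latter points at a local resolver policy rather than at the Cloudflare API token.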

