Cloudflare - DNS Challenge Broken #7540
Comments
Of note, we could keep
I have noticed this on my end as well:
The certificate status is
It only took them 2 months after the date they gave to actually update their API. 😢
I've had the same issue in my testing environment. I was able to at least get the certificate request working by logging in to Cloudflare and manually modifying the new TXT record, adding "" (so for example "recordadccd..."). It still doesn't delete the record, but it's still possible to generate a certificate if needed.
The DNS record is successfully created and verified using the Token or Global API key, but it cannot be deleted. Since the cleanup process cannot be completed, the certificate issuance has failed.
Environment details: Kubernetes version v1.24.3, Minikube version v1.35.0. Both have the same cleanup error:
Cloudflare have stopped including zone IDs in their record responses now, 2 months after they said they did and with their trademark zero effort in outreach to consumers of their API. Ensure that findTxtRecord returns a record struct with the zone ID set regardless. Fixes cert-manager#7540 Signed-off-by: Luke Carrier <luke@carrier.family>
A small workaround that worked for us yesterday was to manually delete the TXT record _acme_challenge created in Cloudflare by cert-manager.
Also worked for us, good workaround for now.
When you delete that TXT record, how long should it take for the Kubernetes cluster to stop throwing the error? Do I need to force a refresh with a specific command? I tried resetting my cluster, but it just re-created the TXT entry in Cloudflare. Update: it seems to have finally gone through. Thanks for the workaround!
This is the approach I took in #7549 👍
I was in a rush and ended up writing a hacky script to delete the records:

```bash
#!/usr/bin/env bash
# Needs CLOUDFLARE_API_TOKEN in the environment, plus curl, jq, perl and kubectl.
set -euo pipefail

# Authenticated call against the Cloudflare v4 API: $1 = HTTP method, $2 = path.
request() {
  curl --silent --show-error "https://api.cloudflare.com/client/v4$2" \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --header "Content-Type: application/json" \
    --request "$1"
}

# Harvest the record IDs from cert-manager's failed DELETE calls. The empty zone
# segment ("/zones//dns_records/") in the log line is the symptom of the missing zone_id.
records=$(
  kubectl --namespace cert-manager logs deployment/cert-manager |
    perl -ne '/DELETE "\/zones\/\/dns_records\/([[:xdigit:]]+)"/ and print "$1\n"' |
    sort --unique
)

# We do not know which zone each record lives in, so try every zone the token can see.
# A record ID belongs to exactly one zone, so the DELETEs against the other zones are
# expected to be rejected by Cloudflare; the loop can be re-run safely.
request GET /zones |
  jq --raw-output '.result[].id' |
  while read -r zone; do
    for record in $records; do
      request DELETE "/zones/$zone/dns_records/$record"
    done
  done
```
Cannot speak to all versions, but we are running 1.15.1 and are affected.
Anyone here or the company they work for pay for cert-manager support or uses Venafi / CyberArk and has support through them that can get this issue prioritized? 😄 Pretty crazy this has been broken for two weeks without a word from the maintainers.
@uofirob How long did it take? Deleting the TXT record is doing nothing for me 😐
I ended up just having to let it sit for 5-10 minutes and it cleared the error.
Hello Team, facing this issue with all cert-manager versions. We observed it is an issue from Feb 3rd, when a cert renewal did not happen and is in renewing status. Error cleaning up challenge: while querying the Cloudflare API for DELETE "/zones//dns_records/XXXXXXX" Error: 7003: Could not route to /client/v4/zones/dns_records/XXXXXXX, perhaps your object identifier is invalid?
Thanks all for raising this, I'll take a look and try to get a fix deployed. Quick note: the only versions where this would be patched would be the currently supported releases: 1.17, 1.16 and 1.12 LTS. I mention that because I've seen a few mentions of 1.15.x in this issue and we won't do a patch release for 1.15 since it's now EOL!
Cloudflare have stopped including zone IDs in their record responses now, 2 months after they said they did and with their trademark zero effort in outreach to consumers of their API. Ensure that findTxtRecord returns a record struct with the zone ID set regardless. Fixes cert-manager#7540 Manually fixed up to apply cleanly, also includes dfba339 cherry picked from master Signed-off-by: Luke Carrier <luke@carrier.family> Signed-off-by: Ashley Davis <SgtCoDFish@users.noreply.github.com>
Reopening as this isn't fixed until releases are published!
First release is published, notifying here for anyone that wants to fix ASAP: https://github.com/cert-manager/cert-manager/releases/tag/v1.17.1 I tested this on my own site (which conveniently happens to use cert-manager + Cloudflare) and it worked as expected. I'll edit this message when I've done 1.16 (EDIT: v1.16.4 is done!) and 1.12, although 1.12 will be slower. Once they're done, I'll close this issue. That said: I'd recommend anyone on 1.12 using Cloudflare DNS to update to a newer version since newer versions contain other improvements to the Cloudflare DNS solver which you almost certainly want!
Can you tell me when we can expect an update for version 1.12 on quay.io/repository/jetstack/cert-manager-controller?
We don't give definitive dates for any releases, but I'm hoping to do the release either tomorrow or Monday. It takes a little more time to release v1.12 because of how it's structured, and there's another PR (#7570) I want to land before I start the release. As in my previous message though: I'd strongly recommend updating to v1.16.4 (which is now released) or v1.17.1 if using the Cloudflare DNS-01 solver. Obviously v1.12 is still supported for now, but we don't backport everything and there are other improvements in the newer versions that you'd probably want. We have a full guide on upgrading from 1.12 -> 1.16 on the website.
cert-manager v1.12.16 and v1.16.4 are now live with the fix included. Please test it out! Given the nature of the issue, it's possible that there might need to be some manual cleanup of the DNS records before it works, but I'm not in a position to be able to test or confirm that. Hopefully, though, this should be enough to fix the issue! Thanks again to everyone involved, I'll close this now!
@SgtCoDFish Yes, I needed to clean up the TXT record.
Describe the bug:
Cloudflare is no longer returning zone information in individual dns records. This is now breaking the interaction when cert-manager goes to delete the txt record here.
Of note, while the deprecation shows last November, I just noticed this breaking yesterday. So I imagine they just recently went through with the deprecation on their end.
Expected behaviour:
Deletion of the txt record should be successful, leading to a successful certificate generation.
Steps to reproduce the bug:
Attempt to generate a certificate using cloudflare as the dns challenge provider.
Anything else we need to know?:
As is, generating certificates using cloudflare as the dns challenge provider is broken.
Environment details:
/kind bug
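The failure described in this bug report, and the fix named in the commit messages earlier in the thread ("ensure that findTxtRecord returns a record struct with the zone ID set regardless"), as an added example in Go. This is not cert-manager's code: the struct fields, the function names (findTxtRecordBroken, findTxtRecordFixed, rawDeletePath, deletePath) and the sample API response are constructed here to show the mechanism. The broken version trusts the zone_id field in the list-records response, which Cloudflare no longer populates, so the DELETE path it builds is "/zones//dns_records/<id>", the shape seen in the logs above. The fixed version stamps the zone ID the solver already resolved (it needed it to list the records in the first place) onto the returned record, and the path builder refuses to issue a DELETE with an empty zone segment.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// dnsRecord holds the fields of a Cloudflare DNS record the DNS-01 solver cares about.
// The zone_id key is the one the API used to return and now omits (illustrative names).
type dnsRecord struct {
	ID      string `json:"id"`
	ZoneID  string `json:"zone_id"`
	Type    string `json:"type"`
	Name    string `json:"name"`
	Content string `json:"content"`
}

type listResponse struct {
	Success bool        `json:"success"`
	Result  []dnsRecord `json:"result"`
}

// findTxtRecordBroken models the pre-fix behaviour: it returns the record exactly as
// the API described it, so ZoneID stays empty when the response has no zone_id.
func findTxtRecordBroken(body []byte, fqdn, value string) (dnsRecord, error) {
	var resp listResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return dnsRecord{}, err
	}
	for _, r := range resp.Result {
		if r.Type == "TXT" && r.Name == fqdn && r.Content == value {
			return r, nil
		}
	}
	return dnsRecord{}, errors.New("no matching TXT record")
}

// findTxtRecordFixed takes the zone ID the caller already resolved and sets it on the
// returned record regardless of whether the API response carried one.
func findTxtRecordFixed(zoneID string, body []byte, fqdn, value string) (dnsRecord, error) {
	if zoneID == "" {
		return dnsRecord{}, errors.New("zone ID must be resolved before searching records")
	}
	rec, err := findTxtRecordBroken(body, fqdn, value)
	if err != nil {
		return dnsRecord{}, err
	}
	rec.ZoneID = zoneID
	return rec, nil
}

// rawDeletePath builds the path without validation; with an empty ZoneID it yields
// "/zones//dns_records/<id>", which Cloudflare answers with error 7003.
func rawDeletePath(rec dnsRecord) string {
	return fmt.Sprintf("/zones/%s/dns_records/%s", rec.ZoneID, rec.ID)
}

// deletePath is the defensive variant: it refuses to build a path with an empty segment.
func deletePath(rec dnsRecord) (string, error) {
	if rec.ZoneID == "" {
		return "", fmt.Errorf("refusing to delete record %q: zone ID is empty", rec.ID)
	}
	if rec.ID == "" {
		return "", errors.New("refusing to delete: record ID is empty")
	}
	return rawDeletePath(rec), nil
}

// sampleResponse is a constructed list response in the post-change shape (no zone_id).
const sampleResponse = `{
  "success": true,
  "result": [
    {"id": "0123456789abcdef0123456789abcdef", "type": "TXT",
     "name": "_acme-challenge.example.com", "content": "token-value"}
  ]
}`

func main() {
	const zoneID = "fedcba9876543210fedcba9876543210" // constructed zone ID
	body := []byte(sampleResponse)

	broken, _ := findTxtRecordBroken(body, "_acme-challenge.example.com", "token-value")
	fmt.Println("before fix, path sent:", rawDeletePath(broken))
	if _, err := deletePath(broken); err != nil {
		fmt.Println("before fix, guarded:", err)
	}

	fixed, _ := findTxtRecordFixed(zoneID, body, "_acme-challenge.example.com", "token-value")
	p, _ := deletePath(fixed)
	fmt.Println("after fix, path sent:", p)
}
```

Running it with `go run` prints the malformed path first, then the guarded refusal, then the correct "/zones/<zone>/dns_records/<id>" path. The guard in deletePath is the check worth keeping even after the upstream fix: a DELETE with an empty zone segment can never succeed, and failing fast keeps the challenge from wedging in a retry loop.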