Cloudflare API Token Auth Failure with Certbot DNS Challenge (Requires cloudflare>=2.3.1)

[Jutsch]

Description:

When attempting to issue or renew Let's Encrypt certificates using the DNS-01 challenge with Cloudflare credentials configured in NPMplus, the process fails if a Cloudflare API Token is used.

The Certbot logs show the following specific error:

Requesting a certificate for [your-domain.com]
Saving debug log to /tmp/certbot-log/letsencrypt.log
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.19.4)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log/letsencrypt.log or re-run Certbot with -v for more details.

Analysis:

The error message clearly indicates that the version of the cloudflare python library used by the certbot-dns-cloudflare plugin within the NPMplus container (2.19.4 as reported by Certbot) is too old to properly support Cloudflare API Tokens. Correct support for API Tokens requires cloudflare version 2.3.1 or newer.

Impact:

This forces users who prefer the more secure and granular API Tokens to fall back to using the less secure Cloudflare Global API Key as a workaround (which appears to work with the older library version).

Request:

Could the cloudflare python package dependency (likely installed as part of certbot-dns-cloudflare) be updated in the Docker image build process to a version compatible with API Tokens (>= 2.3.1)? This would allow users to utilize the recommended and more secure authentication method provided by Cloudflare.

Environment:

NPMplus Image: docker.io/zoeyvid/npmplus:latest (as of April 10th, 2025 )

Challenge Type: DNS-01

DNS Provider: Cloudflare (using API Token)

Thanks for maintaining NPMplus!

[Zoey2936]

NPMplus always uses the latest version of all dns plugins

This certbot is running cloudflare 2.19.4

2.19.4 is a version higher than 2.3.1, at least from what I know, 2 = 2 and 19 > 3. Are you sure that you correctly configured your API keys?

[Jutsch]

Oh, sorry, you are absolutely right. Strange that I get this wrong error in docker-logs. The API-keys are working. I switched from NPM (working for month) to NPMPlus yesterday and got the strange error. That's why I reported it. Sorry for the falls alarm and wasting your time, the problem must be on my side. Thank you very much for the great software again.

[Zoey2936]

did you removed the seconds api key example?

[Jutsch]

sorry for the late replay - something went wrong in my instance. i removed everything and started from scratch and now its working. again: thank you, for your great work and sorry for stealing your time.