
Error instantiating cloudflare challenge solver: Cloudflare token invalid #3023

Closed
jmgilman opened this issue Jun 20, 2020 · 5 comments
Labels
triage/support Indicates an issue that is a support question.

Comments

@jmgilman

jmgilman commented Jun 20, 2020

Describe the bug:
When attempting to solve dns01 challenges using the CloudFlare provider the challenge resource is presenting the following error:

Error presenting challenge: error instantiating cloudflare challenge solver: Cloudflare token invalid (does the token contain a newline?)

Expected behaviour:
Expected the challenge to use the provided valid token successfully.

Steps to reproduce the bug:
Follow the steps here and then create a certificate that uses the dns01 challenge.

Anything else we need to know?:

I verified the secret data does not have an errant newline in it:

$> kubectl get secret cloudflare-api-token -n cert-manager -o json | jq -r .data.token
$> echo "mytoken" | base64

The above two commands produce the exact same base64 encoded string. CloudFlare provides an endpoint for validating tokens which makes a more definitive test:

$> curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
     -H "Authorization: Bearer $(kubectl get secret cloudflare-api-token -n cert-manager -o json | jq -r .data.token | base64 --decode)" \
     -H "Content-Type:application/json" | jq

{
  "result": {
    "id": "REDACTED",
    "status": "active"
  },
  "success": true,
  "errors": [],
  "messages": [
    {
      "code": 10000,
      "message": "This API Token is valid and active",
      "type": null
    }
  ]
}

So it's fairly clear there is nothing wrong with the token. Unfortunately, I can't find any more details on why cert-manager is convinced that the token is invalid. I've included the configs for reference. I've also added a screenshot of the token configuration.

ClusterIssuer

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: REDACTED
    privateKeySecretRef:
      name: letsencrypt-issuer-account-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              key: token
              name: cloudflare-api-token
            email: REDACTED

Secret

apiVersion: v1
data:
  token: REDACTED
kind: Secret
metadata:
  annotations: {}
  labels:
    name: cloudflare-api-token
  name: cloudflare-api-token
type: Opaque

Certificate

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: nginx-wildcard-cert
spec:
  commonName: REDACTED
  dnsNames:
    - REDACTED
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt
  secretName: nginx-wildcard-cert-tls

[Screenshot of the Cloudflare token configuration, taken 2020-06-20]

Environment details:

  • Kubernetes version (e.g. v1.10.2): v1.18.3
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): On-premise
  • cert-manager version (e.g. v0.4.0): v0.15.1
  • Install method (e.g. helm or static manifests): Static manifest

/kind bug

@jetstack-bot jetstack-bot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 20, 2020
@jmgilman
Author

Might be related to #3021.

@meyskens
Contributor

meyskens commented Jul 1, 2020

That error comes from the cert-manager header value validation function, which is a copy of Go's validation:
https://github.com/jetstack/cert-manager/blob/master/pkg/issuer/acme/dns/cloudflare/cloudflare.go#L67

It seems to have an invalid (invisible) character in that token.

/remove-kind bug
/triage support

@jetstack-bot jetstack-bot added triage/support Indicates an issue that is a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jul 1, 2020
@docent-net

docent-net commented Sep 6, 2020

@jmgilman if this issue still persists, verify how you create the secret itself. The above error will also show when, instead of stringData, you use data:

apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-token
  namespace: cert-manager
type: Opaque
data:
  token: XYZ

And the above problem might be hard to debug.
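The two failure modes this thread points at (a trailing newline from `echo ... | base64`, and a raw token written under `data:` instead of `stringData:`), as an added Go example that is not part of cert-manager's code: it decodes a Secret's `data.token` value and applies the same control-character rule as Go's header-value validation. The base64 sample strings are constructed.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// TokenCheck is the result of checking one Secret data value.
type TokenCheck struct {
	Valid    bool
	Reason   string
	BadIndex int // index of the first offending byte in the decoded token, or -1
}

// validHeaderByte mirrors the rule in Go's net/http header validation that the
// Cloudflare solver reuses: control characters (0x00-0x1f and 0x7f) are
// rejected, except space and horizontal tab.
func validHeaderByte(b byte) bool {
	isCTL := b < ' ' || b == 0x7f
	isLWS := b == ' ' || b == '\t'
	return !isCTL || isLWS
}

// CheckSecretToken takes the value stored under data.token in a Secret (the
// base64 text kubectl shows), decodes it as the API server would, and reports
// whether the decoded token would pass the header-value check.
func CheckSecretToken(encoded string) TokenCheck {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		// A raw token written under data: instead of stringData: ends up here.
		return TokenCheck{false, "data value is not valid base64: " + err.Error(), -1}
	}
	for i, b := range raw {
		if !validHeaderByte(b) {
			return TokenCheck{false, fmt.Sprintf("decoded token has control byte 0x%02x at index %d", b, i), i}
		}
	}
	return TokenCheck{true, "decoded token is a valid header value", -1}
}

func main() {
	// Constructed samples: output of `echo "mytoken" | base64` (trailing newline),
	// of `printf '%s' mytoken | base64` (clean), and a raw XYZ placed under data:.
	for _, enc := range []string{"bXl0b2tlbgo=", "bXl0b2tlbg==", "XYZ"} {
		r := CheckSecretToken(enc)
		fmt.Printf("%-14s valid=%-5v %s\n", enc, r.Valid, r.Reason)
	}
}
```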

@meyskens
Contributor

Closing this as the documentation and errors have been improved. Feel free to /reopen

/close

@jetstack-bot
Contributor

@meyskens: Closing this issue.

In response to this:

Closing this as the documentation and errors have been improved. Feel free to /reopen

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
