I did try to setup the dns-01 challenge, but ran into several issues:
There are several different kinds of cloudflare tokens (ones that require an id and ones that don’t)
Appropriate configuration directive answers for a particular provider (in this case cloudflare)
A guide on how to do this step-by-step
Proposal
Have documentation on how to setup dns-01 challenges for EACH provider. I would volunteer to be a beta builder / tester of this.
How does this sound? I don’t have the knowledge to do EVERYTHING, but I could build a howto from Cloudflare to INCUS and post wherever if others could help fill in the appropriate details.
The tricky part is the cloudflare environment, the BAR thing followed by the minus. I tried this exact config and had very much sadness. One thing that is NOT clear is the acme.provider.resolvers: should it be filled in? And if so do I use my default dns server? IP or dns name?
Here are the errors (I have NO idea how to enter the multi line thing in the webui or the cli. Is it a @#$@#$@$#^%$#^Y yaml stupidity thing?)
CzrMw_N0VMXlrIGWUMtUWxmpfW-8NZ6lUJ4ncI7I: Timeout during connect (likely firewall problem)\n"
time="2025-03-10T22:06:46-04:00" level=warning msg="Failed reverting cluster config" err="Failed to begin transaction: context canceled"
time="2025-03-10T22:06:46-04:00" level=warning msg="Failed reverting node config" err="Failed to begin transaction: context canceled"
time="2025-03-10T22:08:19-04:00" level=warning msg="AppArmor support has been disabled because of lack of kernel support"
time="2025-03-10T22:08:19-04:00" level=warning msg=" - AppArmor support has been disabled, Disabled because of lack of kernel support"
time="2025-03-10T22:08:21-04:00" level=error msg="Failed to create DNS-01 challenge provider" err="cloudflare: some credentials information are missing: CLOUDFLARE_EMAIL,CLOUDFLARE_API_KEY or some credentials information are missing: CLOUDFLARE_DNS_API_TOKEN,CLOUDFLARE_ZONE_API_TOKEN"
The web UI input for the “acme.provider.environment” needs changing to support multi-line input. In the meantime, incus config edit will need to be used to edit the DNS-01 challenge environment configuration.
Without seeing your complete config it is difficult to work out exactly what the issue is, but the error message does state that CLOUDFLARE_DNS_API_TOKEN and CLOUDFLARE_ZONE_API_TOKEN are missing.
As @FoxtrotCZ mentioned, Incus uses LEGO. The configuration for the Cloudflare DNS provider describes what environment settings are required and / or optional.
The “acme.provider.resolvers” setting is only required where you have a local split horizon DNS configuration, e.g., you are using a local DNS service for an owned domain, but the DNS authority exists elsewhere. In this situation, you need to configure the DNS-01 challenge to use the authoritative DNS, i.e., when checking for the challenge token you want your provider’s DNS server to be used, not your local DNS server.
Incus config edit is nice. I did test lego directly, and was able to get a certificate from cloudflare using just the proper environments and the dns entry to modify.
The system then converts this to a single line and then the logs:
ime="2025-03-14T15:35:08-04:00" level=error msg="Failed to create DNS-01 challenge provider" err="cloudflare: some credentials information are missing: CLOUDFLARE_API_KEY or some credentials information are missing: CLOUDFLARE_DNS_API_TOKEN,CLOUDFLARE_ZONE_API_TOKEN"
time="2025-03-14T15:48:17-04:00" level=error msg="Failed to create DNS-01 challenge provider" err="cloudflare: some credentials information are missing: CLOUDFLARE_API_KEY or some credentials information are missing: CLOUDFLARE_DNS_API_TOKEN,CLOUDFLARE_ZONE_API_TOKEN"
Dumb question: do I just paste in with incus config edit? It seemed to transform everything into one line, or is this some YAML file I need to put somewhere?
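Added example (not from this thread or from Incus/lego): a small Python check that parses an acme.provider.environment block the way a YAML |- literal delivers it (one KEY=VALUE per line; that per-line format is an assumption here) and reproduces the lego-style credential check behind the error above. It shows why a block collapsed to one line still reports CLOUDFLARE_ZONE_API_TOKEN as missing: the first "=" wins and the second variable is swallowed into the first value. Token values are constructed placeholders.

```python
# lego's Cloudflare provider accepts either credential set; the log line in
# this thread names both sets when neither is complete.
GLOBAL_KEY_SET = ("CLOUDFLARE_EMAIL", "CLOUDFLARE_API_KEY")
TOKEN_SET = ("CLOUDFLARE_DNS_API_TOKEN", "CLOUDFLARE_ZONE_API_TOKEN")


def parse_environment(block):
    """Parse a KEY=VALUE-per-line block (assumed format of the YAML |- literal).
    Blank lines and lines without '=' are ignored; the first '=' splits."""
    env = {}
    for line in block.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def missing_credentials(env):
    """Return None when one credential set is complete, otherwise an error
    text in the same shape as the lego message quoted in the logs."""
    def missing(names):
        return [n for n in names if not env.get(n)]

    m1, m2 = missing(GLOBAL_KEY_SET), missing(TOKEN_SET)
    if not m1 or not m2:
        return None
    return ("cloudflare: some credentials information are missing: "
            + ",".join(m1)
            + " or some credentials information are missing: "
            + ",".join(m2))


def to_yaml_literal(block, indent="    "):
    """Render the block as the '|-' literal needed under `incus config edit`."""
    lines = [l for l in block.splitlines() if l.strip()]
    return "|-\n" + "\n".join(indent + l for l in lines)


# Constructed sample values; not real Cloudflare tokens.
GOOD_BLOCK = ("CLOUDFLARE_DNS_API_TOKEN=dns-token-placeholder\n"
              "CLOUDFLARE_ZONE_API_TOKEN=zone-token-placeholder")
# What the same block looks like after a paste joined it into one line.
COLLAPSED_BLOCK = GOOD_BLOCK.replace("\n", " ")

if __name__ == "__main__":
    print("config:\n  acme.provider: cloudflare\n  acme.provider.environment: "
          + to_yaml_literal(GOOD_BLOCK))
    print("multi-line:", missing_credentials(parse_environment(GOOD_BLOCK)))
    print("one line:  ", missing_credentials(parse_environment(COLLAPSED_BLOCK)))
```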