Cloudflare DNS TXT record inserting works but not quite #6297

JulioQc opened this issue Apr 10, 2025 · 4 comments

@JulioQc

JulioQc commented Apr 10, 2025

Update doesn't add quotations to TXT record in Cloudflare and therefore fails:

root@machine [ ~/.acme.sh ]# ./acme.sh --cron --force --home "/root/.acme.sh"
[Thu Apr 10 11:02:23 EDT 2025] ===Starting cron===
[Thu Apr 10 11:02:23 EDT 2025] Renewing: 'machine.domain.com'
[Thu Apr 10 11:02:23 EDT 2025] Renewing using Le_API=https://acme.zerossl.com/v2/DV90
[Thu Apr 10 11:02:24 EDT 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Apr 10 11:02:24 EDT 2025] Single domain='machine.domain.com'
[Thu Apr 10 11:02:28 EDT 2025] Getting webroot for domain='machine.domain.com'
[Thu Apr 10 11:02:28 EDT 2025] Adding TXT value: 0aC3Uy6UUNgy########################### for domain: _acme-challenge.machine.domain.com
[Thu Apr 10 11:02:29 EDT 2025] Adding record
[Thu Apr 10 11:02:30 EDT 2025] Added, OK
[Thu Apr 10 11:02:30 EDT 2025] The TXT record has been successfully added.
[Thu Apr 10 11:02:30 EDT 2025] Let's check each DNS record now. Sleeping for 20 seconds first.
[Thu Apr 10 11:02:51 EDT 2025] You can use '--dnssleep' to disable public dns checks.
[Thu Apr 10 11:02:51 EDT 2025] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Apr 10 11:02:51 EDT 2025] Checking machine.domain.com for _acme-challenge.machine.domain.com
[Thu Apr 10 11:02:51 EDT 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Thu Apr 10 11:02:51 EDT 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Thu Apr 10 11:02:51 EDT 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Thu Apr 10 11:02:51 EDT 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Thu Apr 10 11:02:51 EDT 2025] No DOH
[Thu Apr 10 11:02:51 EDT 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Thu Apr 10 11:02:51 EDT 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Thu Apr 10 11:02:51 EDT 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Thu Apr 10 11:02:51 EDT 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Thu Apr 10 11:02:51 EDT 2025] No DOH
[Thu Apr 10 11:02:51 EDT 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Thu Apr 10 11:02:51 EDT 2025] Not valid yet, let's wait for 10 seconds then check the next one.
[Thu Apr 10 11:02:51 EDT 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Thu Apr 10 11:03:02 EDT 2025] Let's wait for 10 seconds and check again.
[Thu Apr 10 11:03:13 EDT 2025] You can use '--dnssleep' to disable public dns checks.
[Thu Apr 10 11:03:13 EDT 2025] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Apr 10 11:03:13 EDT 2025] Checking machine.domain.com for _acme-challenge.machine.domain.com

Adding quotations to the TXT record while the script is looping will not fix it.
Adding quotations to the TXT record and re-running the script will not fix it. The script will recreate a TXT record without quotations.
Creating the TXT record manually and letting Cloudflare add quotations itself will not fix it. The script will recreate a TXT record without quotations.

So I can't update certs at all; I'd say it's rather urgently broken!

Running version 3.1.1; never had an issue for 5 years until the renewal this week (the last successful one was in January).

@JulioQc
Author

JulioQc commented Apr 10, 2025

root@machine [ ~/.acme.sh ]# ./acme.sh --upgrade
[Thu Apr 10 11:46:36 EDT 2025] Already up to date!
[Thu Apr 10 11:46:36 EDT 2025] Upgrade successful!

@Neilpang
Member

Sorry for the trouble, can you please provide a log with --debug 2?

@Neilpang
Member

Your log shows error code 60:
https://curl.se/libcurl/c/libcurl-errors.html

It seems your server cannot verify the certificate from Cloudflare. Can you please try this on your server:

curl -vvv https://cloudflare-dns.com

@JulioQc
Author

JulioQc commented Apr 23, 2025

Good catch:

root@machine [ ~ ]# curl -vvv https://cloudflare-dns.com
*   Trying 146.112.61.106:443...
* Connected to cloudflare-dns.com (146.112.61.106) port 443 (#0)
* ALPN: offers http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I'll see why it's that on that machine. Thank you.

It does, however, still manage to insert a record, just not in a correct format. Weird...
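As an added illustration (not code from this issue, from acme.sh, or from the reporter), here is how the public DNS check that failed in the log above can be reproduced against Cloudflare's DoH JSON API with CA verification kept on, and how TXT answers, which that API wraps in quotation marks, should be compared with the expected challenge value so that the quotes in the Cloudflare record do not cause a false mismatch. The sample responses and the token are constructed placeholders; `fetch_txt_doh` needs network access, the rest runs offline.

```python
import json
import ssl
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # resolver the log above could not reach ("No DOH")


def fetch_txt_doh(name, timeout=10):
    """Query Cloudflare's DoH JSON API for the TXT records at `name`.

    TLS verification uses the system CA bundle and is never switched off: a
    bundle that cannot build the chain fails here with CERTIFICATE_VERIFY_FAILED,
    the same condition curl reports as exit code 60 in this thread.
    """
    req = urllib.request.Request(
        f"{DOH_URL}?name={name}&type=TXT",
        headers={"accept": "application/dns-json"},
    )
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


def txt_values(doh_json):
    """Return the TXT strings in a DoH JSON response without their surrounding quotes.

    The API presents TXT rdata in presentation syntax ("\"...\""); the quotes are
    not part of the record value, so they are stripped before any comparison.
    """
    values = []
    for rr in doh_json.get("Answer", []):
        if rr.get("type") != 16:  # 16 is the TXT record type
            continue
        data = rr["data"]
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1]
        values.append(data)
    return values


def challenge_present(doh_json, expected):
    """True when the expected ACME challenge token is among the TXT answers."""
    return expected in txt_values(doh_json)


# Constructed sample responses; the token is a placeholder, not a real challenge.
TOKEN = "example-challenge-token"
SAMPLE_OK = {"Status": 0, "Answer": [
    {"name": "_acme-challenge.machine.domain.com", "type": 16, "TTL": 120,
     "data": f'"{TOKEN}"'}]}
SAMPLE_NXDOMAIN = {"Status": 3}  # no record published yet
```

Comparing the raw quoted `data` against the token would never match, which is the kind of false negative a quote-handling bug in the DNS check produces even when the record itself is correct.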
