From 2dcb4b7fa48ff67a6881157461b8c8c053b0bc8d Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 23 Mar 2026 22:32:27 +0200
Subject: [PATCH] fix(renew-tls): clean stale _acme-challenge TXT records before certbot

21+ stale TXT records accumulated from previous runs, causing certbot DNS-01 challenge to fail. Now deletes all _acme-challenge records from Cloudflare before certbot creates fresh ones.
---
 modules/kubernetes/setup_tls_secret/renew2.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/kubernetes/setup_tls_secret/renew2.sh b/modules/kubernetes/setup_tls_secret/renew2.sh
index ba35dbe6..d75840fc 100755
--- a/modules/kubernetes/setup_tls_secret/renew2.sh
+++ b/modules/kubernetes/setup_tls_secret/renew2.sh
@@ -67,6 +67,14 @@ chmod 700 $certbot_cleanup
 cat $certbot_cleanup
+echo "Cleaning up stale _acme-challenge TXT records from Cloudflare"
+curl -s "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records?type=TXT&name=_acme-challenge.viktorbarzin.me" \
+ -H "Authorization: Bearer $CLOUDFLARE_TOKEN" | jq -r '.result[].id' | while read -r old_id; do
+ echo "Deleting stale record $old_id"
+ curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/$old_id" \
+ -H "Authorization: Bearer $CLOUDFLARE_TOKEN" > /dev/null
+done
+
 echo "Executing certbot renew command"
 certbot certonly --manual --preferred-challenges=dns --email me@viktorbarzin.me --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual-auth-hook $certbot_auth --config-dir $config_dir --work-dir $le_dir/workdir --logs-dir $le_dir/logsdir --no-eff-email --manual-cleanup-hook $certbot_cleanup -d viktorbarzin.me -d *.viktorbarzin.me