Acme: error presenting token: cloudflare: could not find zone for domain

I've got Traefik setup as a Docker container, and have been running it just fine for the longest time. I was looking at logs today because I was notified that one of my certs has expired, and I see the following in the container logs:

time="2024-03-04T02:13:33Z" level=error msg="Error renewing certificate from LE: { []}" providerName=cloudflare.acme ACME CA="" error="error: one or more domains had a problem:\n[] [] acme: error presenting token: cloudflare: could not find zone for domain \"\" ( unexpected response code 'SERVFAIL' for\n"

I've looked at all the similar topics, and tried many things, but none seem to apply in this situation. The part that makes this weird, is that I have about a dozen other certs that Traefik issued for subdomains of (Obviously not the real domain name). As a test case, I deleted a couple of them from the acme.json, and it had no issue issuing new ones for those subdomains, just for this one particular it won't renew. Any thoughts?

Here are the pertinent bits from Docker:

version: "3.3"


    image: "traefik:v2.11"
    container_name: "traefik"
    restart: unless-stopped
      - "--log.level=INFO"
      - "--accesslog=true"
      - "--accesslog.filepath=./access.log"
      - "--accesslog.bufferingsize=100"
      - "--serverstransport.insecureskipverify=true"
      - "--providers.docker=true"
      - "--providers.file.filename=/config.yml"
      - ""
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      #- "--certificatesresolvers.cloudflare.acme.caserver="
      - "<REDACTED>"
      - ""
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=,"

      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "<REDACTED>"
      - ""
      #- "--certificatesresolvers.le.acme.caserver="

      - "--entrypoints.websecure.http.tls=true" # websecure entrypoint is always tls
      - "" # global http to https redirect to entrypoint websecure
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https" # global http to https redirect schema rewrite
      - "--entrypoints.websecure.http.tls.certresolver=cloudflare" # websecure entrypoint (https) should use CF resolver by default
      - "--entrypoints.websecure.http3"    # <== ADD
      - "--experimental.http3=true"         # <== ADD

Here are the pertinent bits from the config where this subdomain is pulled from:

      service: sub1
      entrypoints: "websecure"
      rule: "Host(``)"
        - "secureHeaders"
        certResolver: cloudflare

          - url: "http://192.168.2:80"

Do sub-domain and domain exist with Cloudflare?

Yes, they are. I didn’t explicitly state that because I figured it would be obvious given this is a renewal, but yes.

Post about SERVFAIL (link).

It still sound to me like the sub-domain is not configured the same way the other working sub-domains are.

How could it be a sub domain configuration issue when 1) the DNS auth is configured just to authenticate that you own the domain, and 2) you can issue a cert for a subdomain not in dns so long as you prove the auth that you own the domain.
If you can point to something specific you’d like for me to check I’m happy to look, but pure speculation “just because” isn’t terribly helpful.

zone usually indicates an issue with missing or mismatched sub-domain settings.

Sorry that I am just guessing, other answers probably have better ideas how to fix it.