Cloudflare: failed to find zone DOMAIN

Hi there. I'm getting the "failed to find zone <insert my.domain here>: ListZonesContext command failed: Invalid request headers (6003)" error.

I need it to successfully get the certs so that when I load the Traefik web interface the HTTPS certs show up as valid. Currently, when I go to the Traefik interface, the HTTPS certs are shown as invalid, i.e. I appear to be getting the default Traefik cert.

I've looked at a few posts here with a similar issue, such as this one. However, following those configs just doesn't appear to fix my problem.

Is there something wrong with my config?

Here are each of my config files.

docker-compose.yml

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443

    environment:
      - CF_API_EMAIL=redacted@email.com
      #- CF_DNS_API_TOKEN=redactedAPItoken
      - CF_API_KEY=YOUR_API_KEY=RedactedAPIkey
      # be sure to use the correct one depending on if you are using a token or key
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/mux/dockerfiles/traefik/data/traefik.yml:/traefik.yml:ro
      - /home/mux/dockerfiles/traefik/data/acme.json:/acme.json
      - /home/mux/dockerfiles/traefik/data/config.yml:/config.yml:ro
    
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.redacted.domain`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=redacted@email.com:redactedSaltedPassword"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.redacted.domain`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.redacted.domain"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.redacted.domain"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

traefik.yml


api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: redacted@email.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

I spin up the container with a :

docker-compose up -d --build --force-recreate

It comes up and I can log in to the website, albeit with the invalid HTTPS certificates.

The error I see in the logs is:

traefik  | time="2023-09-18T21:57:48-07:00" level=error msg="Unable to obtain ACME certificate for domains \"local.redacted.domain,*.local.redacted.domain\"" rule="Host(`traefik-dashboard.local.redacted.domain`)" error="unable to generate a certificate for the domains [local.redacted.domain *.local.redacted.domain]: error: one or more domains had a problem:\n[*.local.redacted.domain] [*.local.redacted.domain] acme: error presenting token: cloudflare: failed to find zone redacted.domain.: ListZonesContext command failed: Invalid request headers (6003)\n[local.redacted.domain] [local.redacted.domain] acme: error presenting token: cloudflare: failed to find zone redacted.domain.: ListZonesContext command failed: Invalid request headers (6003)\n" providerName=cloudflare.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=traefik-secure@docker

My acme.json, oddly, appears to be getting something after I spin up the

acme.json

{
  "cloudflare": {
    "Account": {
      "Email": "redacted@email.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:redacted@email.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/1313638246"
      },
      "PrivateKey": "MIIJKAIBBq+8wz8ViR7jOgwRrJmFRRDL_REDACTED-KEY_S/cQ=",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}

I'm new to Cloudflare, but I think I'm configuring it correctly. See image attached.

My home router is forwarding port 80 and port 443 to my internal server, and the router's firewall has the same allowed.

When I load the Traefik web interface I'm not seeing valid HTTPS certificates come to my browser, and I'm seeing the above-described "failed to find zone" error. How do I fix this?

If you have multiple levels (sub2.sub1.domain.tld), I would assume you need to create a DNS wildcard entry for every level.

@bluepuma77
I added the additional record for *.sub1.domain.tld. Unfortunately it didn't fix the issue, i.e. the same error still results.

Current Cloudflare config:

Each of the A records is pointed to the IP address I've currently been assigned by my ISP.

Any other ideas?

Sometimes there is an issue with Traefik, Let's Encrypt and CNAME; try enabling and disabling the setting (doc).

@bluepuma77

I added LEGO_DISABLE_CNAME_SUPPORT=false to my docker-compose.yml while my Cloudflare DNS settings were configured in the above-mentioned way with the CNAME record. The same error still results.

I tried changing it to LEGO_DISABLE_CNAME_SUPPORT=true in the environment section of my docker-compose.yml.

And I changed my Cloudflare DNS to use all A records.

I stopped my Traefik container and then re-ran it with:
~/dockerfiles/traefik$ docker-compose up -d --build --force-recreate

Unfortunately, even here, the same error is still occurring.

Thanks for the help so far. What else should I look at to troubleshoot?

You posted your PrivateKey, make sure to change it.

You got "error presenting token" and "Invalid request headers"; maybe your CF credentials are wrong? (doc)

CF_API_EMAIL, CF_API_KEY
or
CF_DNS_API_TOKEN, [CF_ZONE_API_TOKEN]

@bluepuma77

Thankfully, that isn't my private key. I removed most of it and replaced the removed part with _REDACTED-KEY_. I'm still secure there.

I've triple-checked. The value I'm using for CF_API_KEY in my docker-compose.yml matches the value for Global API Key in my Cloudflare account.

Regarding CF_DNS_API_TOKEN: it's my understanding that I should use either the key (which is what I'm using) or the token, not both. Is that incorrect?

I also don't see a way, in Cloudflare, to generate a ZONE API token. I only see a way to generate an API token.

I believe I have a zone token generated, not sure.
I.e. in Cloudflare I have the following setup

See that it is pointing to one zone in my account (the one with my domain)

and the permissions on the account and then the zone (see the sub-group below the permissions) are all read, except for DNS, which is marked as edit permissions.

But, again, I'm not using this token, as you can see in my config in my docker-compose.yml (it's commented out). I originally chose the API key route because when I first tried with the API token, my local Traefik web interface wasn't showing the login challenge for some reason.

Should I be specifying both the token and the API key?

This is a Traefik forum. You are probably better off checking whether there is a forum for the library used, lego, or asking directly at a Cloudflare forum.

My understanding is you use CF_API_EMAIL and CF_API_KEY or only CF_DNS_API_TOKEN. But I am not a CF user.

OK. Understood that this is a Traefik forum. I'll go ahead and check whether the lego or CF forums have info regarding this issue, specific to their domains of influence. I will update if I'm pointed back to the issue being within Traefik's domain of influence.

I’ll also try the combinations of environment variables to see if that changes things.

Did you try searching for "Traefik Cloudflare Zone"? You will find a lot of posts with issues, some resolved like this one.

@bluepuma77
Yes, I did search through this forum. I had seen that post. No, it did not help me. However, I did, separately, fix my problem. As always: "it's dns. it's always dns." Regardless I appreciate the assistance.

And for good measure, I'll detail what I did to fix this here, in the hope that it also helps guide whoever runs into something similar next time.

FYI, all my config is derived from the helpful Techno Tim video about SSL. No sarcasm, it's really great.

So, in order to fix this, there are some elements about Cloudflare that aren't quite covered in said video, or in much of any homelab-type YouTube video.

The important part is the API tokens section of the lego documentation that talks about Cloudflare config. It's important that this is followed, and to pay special attention to the part that says "You also need to scope the access to all your domains for this to work."

I looked at this Cloudflare documentation about generally creating an API key, and applied the aforementioned specific lego documentation to this simpler process. I.e. I created the token like this

I left my dns wildcard and forwarding rules the way they are shown in my previous message.

I changed the environment: section of my docker-compose.yml to the following:

    environment:
      #- CF_API_EMAIL=redacted@tmail.com
      - CF_DNS_API_TOKEN=RedactedTokenCreatedWithCorrectCloudFlareOptionsNotedAbove
      #- CF_API_KEY=YOUR_API_KEY=redacted
      # be sure to use the correct one depending on if you are using a token or key
      #- LEGO_DISABLE_CNAME_SUPPORT=true

Note: not using the email env variable plus the API token env variable, just the token env variable.
Then I stopped my Traefik server. After saving all the above changes, I started my Traefik server with:
~/dockerfiles/traefik$ docker-compose up -d --build --force-recreate

and gave it a minute to acquire certs. Then I opened an incognito browser (no lingering certs that might be used) and went to the DNS URL of my Traefik server via HTTPS. Then, shazam! HTTPS certs come across to the browser, everything in the HTTPS chain works and the certs are valid!

Phew.

Thanks again for the assist.

Edit:

Prologue:

It's pretty wild that CF_API_KEY didn't work. It's supposed to give lego full access, but clearly it doesn't.

Also, after some testing, I was able to remove all my DNS rules and just have one DNS rule that pointed domain.my to my public Internet IP address. The rest I handle internally inside my home network via Pi-hole DNS serving.

That's all folks. Happy proxy-ing!
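Both the original failing config (Global API Key, "ListZonesContext command failed: Invalid request headers (6003)") and the fix above (a token scoped to the zone) come down to one question: can the credential Traefik hands to lego list the zone that owns the challenge record? The script below is an added example, not code from this thread, from Traefik or from lego. It picks the credential the same way lego's Cloudflare provider does (CF_DNS_API_TOKEN first, else CF_API_EMAIL + CF_API_KEY), lints the value for template residue, and walks up from the host name calling GET /zones?name= until a zone is found. The function names, the walk-up search (a simplification of lego's zone discovery) and the two sample API bodies are my own assumptions; the sample bodies are constructed to match Cloudflare's v4 response envelope, not captured from an account, and a `fetch` callable is injected so the check runs offline.

```python
"""Added example (not from the thread, Traefik or lego): preflight a Cloudflare
DNS-01 credential the way the provider will use it.

Assumptions: helper names are mine; the walk-up zone search simplifies what
lego does; sample API bodies are constructed, not captured.
"""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

CF_API = "https://api.cloudflare.com/client/v4"
Fetch = Callable[[str, Dict[str, str]], Dict[str, Any]]


class CloudflareError(Exception):
    def __init__(self, code: int, message: str, chain: str = "") -> None:
        super().__init__(f"{code} {message}" + (f" ({chain})" if chain else ""))
        self.code, self.message, self.chain = code, message, chain


def auth_headers(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Choose the credential lego would: a scoped token wins, otherwise the
    Global API Key pair. Returns the HTTP headers plus lint warnings."""
    warnings: List[str] = []
    if env.get("CF_DNS_API_TOKEN"):
        values = {"CF_DNS_API_TOKEN": env["CF_DNS_API_TOKEN"]}
        headers = {"Authorization": f"Bearer {values['CF_DNS_API_TOKEN']}"}
    elif env.get("CF_API_EMAIL") and env.get("CF_API_KEY"):
        values = {"CF_API_EMAIL": env["CF_API_EMAIL"], "CF_API_KEY": env["CF_API_KEY"]}
        headers = {"X-Auth-Email": values["CF_API_EMAIL"], "X-Auth-Key": values["CF_API_KEY"]}
    else:
        raise ValueError("set CF_DNS_API_TOKEN, or CF_API_EMAIL and CF_API_KEY")
    # Heuristic lint: leftover template text such as "YOUR_API_KEY=" or stray
    # whitespace goes into the header verbatim and is rejected as malformed.
    for name, value in values.items():
        if "=" in value or value != value.strip():
            warnings.append(f"{name} contains '=' or whitespace; check for template residue")
    return headers, warnings


def http_fetch(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Real transport. Cloudflare sends its JSON envelope even on 4xx, so the
    error body is parsed and returned rather than raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        return json.load(exc)


def find_zone(fqdn: str, headers: Dict[str, str], fetch: Fetch) -> Tuple[str, str]:
    """Walk up from the host (wildcard stripped) until /zones?name= returns a
    zone; this is the ListZones call that fails in the thread."""
    name = fqdn.rstrip(".")
    name = name[2:] if name.startswith("*.") else name
    labels = name.split(".")
    for i in range(len(labels) - 1):  # never query the bare TLD
        candidate = ".".join(labels[i:])
        body = fetch(f"{CF_API}/zones?name={candidate}", headers)
        if not body.get("success"):
            err = (body.get("errors") or [{"code": 0, "message": "unknown"}])[0]
            chain = "; ".join(f"{c['code']} {c['message']}" for c in err.get("error_chain", []))
            raise CloudflareError(err["code"], err["message"], chain)
        if body.get("result"):
            return body["result"][0]["id"], candidate
    raise LookupError(f"no Cloudflare zone visible for {fqdn}; scope the token to that zone")


def diagnose(env: Dict[str, str], fqdn: str, fetch: Fetch = http_fetch) -> Dict[str, Any]:
    """One-shot report: which credential was picked, lint warnings, and whether
    the zone lookup succeeds with it."""
    headers, warnings = auth_headers(env)
    report: Dict[str, Any] = {"auth": sorted(headers), "warnings": warnings}
    try:
        zone_id, zone = find_zone(fqdn, headers, fetch)
        report.update(ok=True, zone=zone, zone_id=zone_id)
    except CloudflareError as exc:
        report.update(ok=False, code=exc.code, error=str(exc))
    except LookupError as exc:
        report.update(ok=False, code=None, error=str(exc))
    return report


def make_fake_fetch(zone_name: str, good_headers: Dict[str, str]) -> Fetch:
    """Offline stand-in for the API; the bodies below are constructed samples."""
    def fetch(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
        if headers != good_headers:  # wrong or malformed credential
            return {"success": False, "result": None, "messages": [], "errors": [
                {"code": 6003, "message": "Invalid request headers", "error_chain": [
                    {"code": 6111, "message": "Invalid format for Authorization header"}]}]}
        asked = url.split("name=", 1)[1]
        hit = {"id": "023e105f4ecef8ad9ca31a8372d0c353", "name": zone_name, "status": "active"}
        return {"success": True, "errors": [], "messages": [],
                "result": [hit] if asked == zone_name else []}
    return fetch


if __name__ == "__main__":
    import os, sys
    host = sys.argv[1] if len(sys.argv) > 1 else "local.redacted.domain"
    print(json.dumps(diagnose(dict(os.environ), host), indent=2))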

