@bluepuma77
Yes, I did search through this forum. I had seen that post. No, it did not help me. However, I did, separately, fix my problem. As always: "it's dns. it's always dns." Regardless, I appreciate the assistance.
And for good measure, I'll detail what I did to fix this here, in hopes it also helps guide whoever runs into something similar next time.
FYI, all my config is derived from the helpful Techno Tim video about SSL. No sarcasm, it's really great.
So, in order to fix this there are some elements about Cloudflare that aren't quite covered in said video ... or in many homelab-type YouTube videos.
The important part is the API tokens section of the Lego documentation that talks about Cloudflare config. It's important that this is followed. And pay special attention to the part that says "You also need to scope the access to all your domains for this to work."
I looked at this Cloudflare documentation about generally creating an API key, and applied the aforementioned specific Lego documentation to this simpler process. I.e., I created the token like this
I left my dns wildcard and forwarding rules the way they are shown in my previous message.
I changed the environment: area of my docker-compose.yml to the following:
environment:
  #- CF_API_EMAIL=redacted@tmail.com
  - CF_DNS_API_TOKEN=RedactedTokenCreatedWithCorrectCloudFlareOptionsNotedAbove
  #- CF_API_KEY=YOUR_API_KEY=redacted
  # be sure to use the correct one depending on if you are using a token or key
  #- LEGO_DISABLE_CNAME_SUPPORT=true
Note: not using the email env variable + API token env variable, just the token env variable.
Then I stopped my Traefik server. After saving all the above changes, I started my Traefik server with a:
~/dockerfiles/traefik$ docker-compose up -d --build --force-recreate
and gave it a minute to acquire certs. Then I opened an incognito browser (no lingering certs that may be used) and went to the DNS URL of my Traefik server via HTTPS. Then, shazam! HTTPS certs come across to the browser, everything in the HTTPS chain works, and the certs are valid!
Phew.
Thanks again for the assist.
Edit:
Prologue:
It's pretty wild that CF_API_KEY didn't work. It's supposed to give Lego full access, but clearly it doesn't.
Also, after some testing, I was able to remove all my DNS rules and just have one DNS rule that pointed domain.my to my internet public IP address. The rest I handle internally inside my home network via Pi-hole DNS serving.
That's all folks. Happy proxy-ing!
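The gotcha in the post above (token and email/key lines both live, or a placeholder left in place) is easy to catch before restarting Traefik. The pre-flight checker below is an added example, not code from this thread or from Traefik/Lego: it parses the `environment:` list form shown in the post, reports which Cloudflare auth mode is active, and flags the conflicts. The precedence rule (token wins over email+key when both are set) and the placeholder strings are assumptions of this example.

```python
import re

# Variable names exactly as used in the thread's docker-compose.yml.
TOKEN_VAR = "CF_DNS_API_TOKEN"
EMAIL_VAR = "CF_API_EMAIL"
KEY_VAR = "CF_API_KEY"
# Assumed placeholder markers that indicate a secret was never filled in.
PLACEHOLDERS = ("YOUR_API_KEY", "YOUR_TOKEN", "changeme")


def parse_environment(block):
    """Return active KEY -> VALUE pairs from a compose `environment:` list.
    Commented-out entries (`#- KEY=...`) are ignored, which is how the post
    disabled the email/key pair while keeping the token line live."""
    env = {}
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "environment:":
            continue
        m = re.match(r"-\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip("\"'")
    return env


def check_cloudflare_auth(env):
    """Return (auth_mode, findings); auth_mode is 'token', 'email+key' or 'none'.
    Assumption: Lego prefers the token when both credential styles are set."""
    findings = []
    token, email, key = env.get(TOKEN_VAR, ""), env.get(EMAIL_VAR, ""), env.get(KEY_VAR, "")
    if token and (email or key):
        findings.append("token and email/key both set; comment out the pair you do not use")
    for name, value in ((TOKEN_VAR, token), (KEY_VAR, key)):
        if value and any(p.lower() in value.lower() for p in PLACEHOLDERS):
            findings.append(f"{name} still holds a placeholder value")
    if token:
        return "token", findings
    if email and key:
        return "email+key", findings
    if email or key:
        findings.append("email+key mode needs both CF_API_EMAIL and CF_API_KEY")
    return "none", findings


# Constructed sample mirroring the thread's final, working block.
SAMPLE_BLOCK = """environment:
  #- CF_API_EMAIL=redacted@tmail.com
  - CF_DNS_API_TOKEN=RedactedToken
  #- CF_API_KEY=YOUR_API_KEY=redacted
  #- LEGO_DISABLE_CNAME_SUPPORT=true
"""

if __name__ == "__main__":
    print(check_cloudflare_auth(parse_environment(SAMPLE_BLOCK)))
```

The token-scope requirement from the Lego docs (access to all your zones) cannot be checked from the compose file; confirm it in the Cloudflare token settings.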
