Could not find the start of authority ACME DNS

Hi guys,

I have set up Traefik with the Cloudflare ACME DNS challenge; it all worked when I set it up a few months ago. Today my certificate expired, and when I checked the Traefik logs I found this error message (domain name changed to 'domain.com', an extra space added to the URL because of the new-user limit):

Unable to obtain ACME certificate for domains "local.domain.com,.local.domain.com" : unable to generate a certificate for the domains [local.domain .com .local.domain .com]: error: one or more domains had a problem: [.local.domain .com] [.local.domain .com] acme: error presenting token: cloudflare: could not find the start of authority for _acme-challenge.local.domain.com.: read udp 192.168.35.8:41136->1.0.0.1:53: i/o timeout [local.domain .com] [local.domain .com] acme: error presenting token: cloudflare: could not find the start of authority for _acme-challenge.local.domain.com.: read udp 192.168.35.8:36016->1.0.0.1:53: i/o timeout\n" providerName=cloudflare.acme

I checked whether DNS is working properly inside Docker, and I can confirm it works:

docker exec -it traefik /bin/sh
/ # nslookup google.com
Server: 127.0.0.11
Address: 127.0.0.11:53
Non-authoritative answer:
Name: google.com
Address: 142.251.36.78

Here is my config for traefik:

docker-compose.yml

services:
  traefik:
    container_name: traefik
    hostname: traefik
    domainname: local.domain.local
    image: "traefik:latest"
    environment:
      - CF_API_EMAIL=email@gmail.com
      - CF_DNS_API_TOKEN=KEY
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /docker/traefik/traefik.yml:/traefik.yml:ro
      - /docker/traefik/acme.json:/acme.json
      - /docker/traefik/config.yml:/config.yml:ro
      - /docker/traefik/logs:/logs
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      dockervlan:
        ipv4_address: 192.168.35.8
    healthcheck:
      test: traefik healthcheck --ping
networks:
  dockervlan:
    name: dockervlan
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: "192.168.35.0/24"
          ip_range: "192.168.35.0/28"
          gateway: "192.168.35.1"

traefik.yml

certificatesResolvers:
  cloudflare:
    acme:
      email: email@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        delaybeforecheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

config.yml

http:
  routers:
    traefik-secure:
      entryPoints:
        - web
        - websecure
      rule: "Host(`dash.local.domain.com`)"
      middlewares:
        - secured
        - authelia-auth
      tls:
        certresolver: cloudflare
        domains:
          - main: "local.domain.com"
            sans:
            - "*.local.domain.com"
      service: api@internal
      priority: 2

Interestingly, the acme.json file is being filled with valid values, but no certificate:

{
  "cloudflare": {
    "Account": {
      "Email": "email@gmail.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:email@gmail.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/475451810"
      },
      "PrivateKey": "KEY",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}

I hope some of you can help me out.
In the first place I used [the tutorial from techno-tim](https://techno-tim.github.io/posts/traefik-portainer-ssl/) to set this up.

Cheers

1 Like
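To see which step the log line refers to, here is a small reimplementation of the zone lookup the DNS challenge performs before it can write the `_acme-challenge` TXT record. This is an added example and not Traefik's or lego's own code: it asks the resolvers from `traefik.yml` (`1.1.1.1:53`, `1.0.0.1:53`) for an SOA record, starting at `_acme-challenge.local.domain.com.` and stripping one label per round until a zone apex answers. A `read udp ...->1.0.0.1:53: i/o timeout` in that walk means no reply ever came back over UDP/53 from the container's macvlan address, which the `nslookup google.com` check above does not exercise: that query went to Docker's embedded resolver at 127.0.0.11, not out to 1.1.1.1 or 1.0.0.1. The names, resolvers and timeout below are taken from the thread; the error wording is modelled on the log line.

```python
"""SOA "find the zone" walk behind the ACME DNS challenge, reimplemented.

Added example, not Traefik's or lego's code.  Before the DNS provider can
create the _acme-challenge TXT record it must learn which zone owns the
name, which it does by asking the configured resolvers for SOA, one label
at a time.  Only the standard library is used; resolver addresses and
names are the ones from the thread.
"""
import random
import socket
import struct
import sys

QTYPE_CNAME, QTYPE_SOA = 5, 6
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


class SoaLookupError(Exception):
    """Raised with the same wording as the error in the Traefik log."""


def encode_name(name):
    """Encode 'a.b.c.' as length-prefixed labels (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name, qtype=QTYPE_SOA, txid=None):
    """Single-question query with RD set; returns the UDP wire bytes."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length >= 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            end = offset + 2 if end is None else end
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_response(data):
    """Parse the header, skip the question, collect answer/authority RRs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4                               # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = read_name(data, offset)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            sections[section].append({"name": name, "type": rtype, "ttl": ttl,
                                      "rdata": data[offset:offset + rdlen]})
            offset += rdlen
    return {"id": txid, "rcode": flags & 0x0F, **sections}


def udp_exchange(query, resolver, timeout):
    """Send one query to 'host:port' over UDP and return the raw reply."""
    host, port = resolver.rsplit(":", 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, int(port)))
        return sock.recv(4096)


def find_zone_by_fqdn(fqdn, resolvers=("1.1.1.1:53", "1.0.0.1:53"), timeout=5.0,
                      exchange=udp_exchange):
    """Return the zone apex that owns fqdn, or raise SoaLookupError.

    Resolvers are tried in turn; when every one of them fails at the socket
    level the error is reported against the name being looked up, the same
    shape as the log line.  'exchange' is injectable for offline checks.
    """
    fqdn = fqdn if fqdn.endswith(".") else fqdn + "."
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):                  # fqdn, then each parent, never the root
        candidate = ".".join(labels[i:]) + "."
        reply, last_err = None, None
        for resolver in resolvers:
            try:
                reply = parse_response(exchange(build_query(candidate), resolver, timeout))
                break
            except OSError as exc:                # socket.timeout is an OSError subclass
                last_err = exc
        if reply is None:
            raise SoaLookupError(f"could not find the start of authority for {candidate}: {last_err}")
        if reply["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
            raise SoaLookupError(f"could not find the start of authority for {candidate}: rcode {reply['rcode']}")
        if reply["rcode"] == RCODE_NXDOMAIN:
            continue                              # name does not exist; try the parent
        if any(rr["type"] == QTYPE_CNAME for rr in reply["answer"]):
            continue                              # a CNAME cannot sit at a zone apex
        for rr in reply["answer"]:
            if rr["type"] == QTYPE_SOA:
                return rr["name"]
    raise SoaLookupError(f"could not find the start of authority for {fqdn}")


if __name__ == "__main__":   # python3 soa_walk.py _acme-challenge.local.domain.com 1.1.1.1:53 1.0.0.1:53
    name, servers = sys.argv[1], sys.argv[2:] or ["1.1.1.1:53", "1.0.0.1:53"]
    try:
        print("zone:", find_zone_by_fqdn(name, servers))
    except SoaLookupError as exc:
        sys.exit(f"error: {exc}")
```

With `exchange` left at its default the script sends real UDP queries, so running it once from the Docker host and once from an address in the `192.168.35.0/28` macvlan range, against the same two resolvers, shows whether the timeout is specific to the container's network path. The later OVH log line in this thread shows a different failure of the same step: there the dialer reports `1.1.1.1:53,8.8.8.8:53` as one host name it could not look up, which is worth checking against how the resolver list is written in that configuration.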

Did you ever resolve this issue? I seem to be getting this error but I don't understand when it started happening as this originally worked. I have a near identical configuration and the result is the same in the acme.json file and error message.

I appear to have resolved it by reverting to v2.6.1.
Looks like there might be some regression issues.

1 Like

+1
Same issue and same temporary fix.

Yes! Thank you. This resolved my issue as well :slight_smile:

Thanks a lot... that did fix it.

Hello,

FYI, there are 0 changes around DNS challenges between v2.6.0 and v2.6.7.

`could not find the start of authority for` means that the SOA DNS query doesn't work.

It's usually a network problem.

Can someone who has the problem try the different versions between v2.6.0 and v2.7.0?

I did try with 2.7.0 and 2.7.1; the only thing that resolved the issue was to go back to 2.6.1.

I do have another test server that I haven't rolled back; it's on 2.7.1 and I have the issue:

time="2022-06-17T08:36:14Z" 
level=error 
msg="Error renewing certificate from LE: {xxxxx.xxxxx.xx [xxxxx.xxxxx.xx]}, error: one or more domains had a problem:\n[xxxxx.xxxxx.xx] [xxxxx.xxxxx.xx] acme: error presenting token: ovh: could not determine zone for domain \"_acme-challenge.xxxxx.xxxxx.xx.\": could not find the start of authority for _acme-challenge.xxxxx.xxxxx.xx.: dial udp: lookup 1.1.1.1:53,8.8.8.8:53: no such host\n[xxxxx.xxxxx.xx] [xxxxx.xxxxx.xx] acme: error presenting token: ovh: could not determine zone for domain \"_acme-challenge.xxxxx.xxxxx.xx.\": could not find the start of authority for _acme-challenge.xxxxx.xxxxx.xx.: dial udp: lookup 1.1.1.1:53,8.8.8.8:53: no such host\n" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"

Have you tried v2.6.2, v2.6.3, v2.6.4, etc.?