Could not find the start of authority ACME DNS

Hi guys,

I have set up Traefik with the Cloudflare ACME DNS challenge; it all worked when I set it up a few months ago. Today my certificate expired, and when I checked the Traefik logs I found this error message (domain name changed to 'domain.com', URL had an extra space added because of the new-user limit):

Unable to obtain ACME certificate for domains "local.domain.com,.local.domain.com" : unable to generate a certificate for the domains [local.domain .com .local.domain .com]: error: one or more domains had a problem: [.local.domain .com] [.local.domain .com] acme: error presenting token: cloudflare: could not find the start of authority for _acme-challenge.local.domain.com.: read udp 192.168.35.8:41136->1.0.0.1:53: i/o timeout [local.domain .com] [local.domain .com] acme: error presenting token: cloudflare: could not find the start of authority for _acme-challenge.local.domain.com.: read udp 192.168.35.8:36016->1.0.0.1:53: i/o timeout\n" providerName=cloudflare.acme

I checked whether DNS is working properly inside Docker, and I can confirm it works:

docker exec -it traefik /bin/sh
/ # nslookup google.com
Server: 127.0.0.11
Address: 127.0.0.11:53
Non-authoritative answer:
Name: google.com
Address: 142.251.36.78

Here is my config for traefik:

docker-compose.yml

services:
  traefik:
    container_name: traefik
    hostname: traefik
    domainname: local.domain.local
    image: "traefik:latest"
    environment:
      - CF_API_EMAIL=email@gmail.com
      - CF_DNS_API_TOKEN=KEY
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /docker/traefik/traefik.yml:/traefik.yml:ro
      - /docker/traefik/acme.json:/acme.json
      - /docker/traefik/config.yml:/config.yml:ro
      - /docker/traefik/logs:/logs
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      dockervlan:
        ipv4_address: 192.168.35.8
    healthcheck:
      test: traefik healthcheck --ping
networks:
  dockervlan:
    name: dockervlan
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: "192.168.35.0/24"
          ip_range: "192.168.35.0/28"
          gateway: "192.168.35.1"

traefik.yml

certificatesResolvers:
  cloudflare:
    acme:
      email: email@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        delaybeforecheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

config.yml

http:
  routers:
    traefik-secure:
      entryPoints:
        - web
        - websecure
      rule: "Host(`dash.local.domain.com`)"
      middlewares:
        - secured
        - authelia-auth
      tls:
        certresolver: cloudflare
        domains:
          - main: "local.domain.com"
            sans:
            - "*.local.domain.com"
      service: api@internal
      priority: 2

Interestingly, the acme.json file is being filled with valid values, but there is no certificate:

{
  "cloudflare": {
    "Account": {
      "Email": "email@gmail.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:email@gmail.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/475451810"
      },
      "PrivateKey": "KEY",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}

I hope some of you can help me out.
In the first place I used [the tutorial from techno-tim](https://techno-tim.github.io/posts/traefik-portainer-ssl/) to set this up.

Cheers
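A diagnostic worth adding here (example code, not part of the original post and not Traefik's or lego's own code): the `nslookup google.com` above only exercises Docker's embedded DNS at 127.0.0.11, whereas the error is raised while the cloudflare provider walks up the name looking for a zone SOA, sending raw UDP queries to the resolvers listed in traefik.yml (1.1.1.1:53, 1.0.0.1:53). The script below replays that walk with the standard library only; the wire format is plain RFC 1035, the walk order mirrors lego's FindZoneByFqdn, and the function names are my own.

```python
import socket
import struct
TYPE_SOA, CLASS_IN = 6, 1   # RR type / class as sent on the wire

def candidate_zones(fqdn):
    """Zones to try, longest first, in the order lego's FindZoneByFqdn walks them."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def build_soa_query(name, txid):
    """Minimal recursion-desired query for <name> SOA IN (no EDNS)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # QDCOUNT=1, RD set
    return header + qname + struct.pack(">HH", TYPE_SOA, CLASS_IN)

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name in msg."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def answer_has_soa(msg, txid):
    """True if the answer section carries an SOA RR; False on NXDOMAIN or no answer."""
    rid, flags, qdcount, ancount = struct.unpack(">HHHH", msg[:8])
    if rid != txid or (flags & 0xF) not in (0, 3):   # 3 = NXDOMAIN, the walk continues
        raise ValueError("transaction id mismatch or unexpected rcode")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == TYPE_SOA:
            return True
        off += 10 + rdlen
    return False

def find_zone(fqdn, resolver, timeout=5.0, txid=0x1234):
    """Zone apex for fqdn via one resolver; socket.timeout is the log's 'i/o timeout'."""
    host, port = resolver.rsplit(":", 1)
    for zone in candidate_zones(fqdn):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_soa_query(zone, txid), (host, int(port)))
            if answer_has_soa(s.recv(4096), txid):
                return zone
    raise LookupError(f"could not find the start of authority for {fqdn}")
```

Call `find_zone("_acme-challenge.local.domain.com.", "1.0.0.1:53")` from a host on the dockervlan segment (the traefik image ships no Python); a `socket.timeout` reproduces the log's failure independently of the embedded DNS that nslookup went through, which points at UDP/53 egress from the macvlan network rather than at the Cloudflare token.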

Did you ever resolve this issue? I seem to be getting this error but I don't understand when it started happening as this originally worked. I have a near identical configuration and the result is the same in the acme.json file and error message.

I appear to have resolved it by reverting to v2.6.1
Looks like there might be some regression issues.

+1
Same issue and same temporary fix.