Dns-01 No TXT record found on cloudflare name servers for _acme-challenge.mydomain.com

Hi all, I'm setting up Traefik as a reverse proxy on my home lab. I'm having issues getting SSL certs for my services. Specifically, the ACME DNS01 challenge fails. I can see that the _acme-challenge DNS records are created in cloudflare DNS. I can also see that the records are propagated to cloudflare name servers, but Traefik is not able to read these records to validate domain ownership, and I cannot get an SSL certificate. I've attached some screenshots below, with the clock on the bottom right, where you can see the _acme-challenge records have been propagated to cloudflare servers, but Traefik times out waiting for propagation to complete and the server returns a SERVFAIL error. Any help would be appreciated.

_acme-challenge.mydomain.com records have propagated to cloudflare servers.

Traefik still looking for records even though they have been propagated. Finally times out, and gets a SERVFAIL error.

I have one more screen shot, which I'll add as a reply to this post as I'm limited to 2 screen shots.

Please help. Thanks.

Here is another screen shot where Traefik is looking for records even though they have propagated, and times out with a SERVFAIL error.

Thanks.

We happily accept config and log as text here, place it between 3 backticks.

You have not shared any context, are you using something like Pi-Hole, are you in a corporate network?

You can try to disable the DNS check by Traefik itself (doc). Also note the possible delay (doc).

Sorry, this is for my home network, and I'm using cloudflare as my domain provider. I'm not using Pi-Hole. Traefik is running in a docker container on Proxmox Virtual Environment. Please let me know if any other context would be helpful.

I did add delay before checks, but as you can see from the screenshots, the records have been replicated and are available in the cloudflare name servers (verified via the dig command), but Traefik is not able to read them.

Try to disable the DNS check by Traefik itself, link above.

Thanks. Disabling the DNS check worked. Although it worked, I have to admit I don't quite understand what the flag did that made it work. I'd appreciate a little bit of info on why it helped. Thanks.

DNS check lets Traefik check if the DNS TXT is set correctly, before triggering the LetsEncrypt service, which checks itself on the Internet.

So if only Traefik has a DNS issue, maybe because of local network settings, you can switch the check off.
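To make that explanation concrete, the following is an added Python model of the propagation pre-check (it is not Traefik's or lego's own code). It polls the `_acme-challenge` TXT record on a set of servers until the expected value is visible on all of them or a timeout passes, treats SERVFAIL as "not visible yet", and has the same kind of off switch the thread ends up using. The name-server names, the resolver name and the token value are constructed placeholders; the scenario is the one in the post, where the authoritative servers already carry the record but the resolver Traefik is using answers SERVFAIL, so the check keeps retrying until it times out.

```python
"""Model of the DNS-01 propagation pre-check that Traefik (through lego) runs
before it asks Let's Encrypt to validate: poll for the _acme-challenge TXT
record until the expected value is visible, or give up on timeout.  Added
illustration, not Traefik's code; servers, resolver and token are constructed."""

import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class ServFail(Exception):
    """A resolver answered SERVFAIL instead of NOERROR/NXDOMAIN."""


# lookup(server, name) -> list of TXT strings, or raises ServFail
Lookup = Callable[[str, str], List[str]]


@dataclass
class FakeDns:
    """Constructed in-memory DNS: server -> {name: [TXT values]}.
    Servers listed in 'servfail' always answer SERVFAIL, like the
    resolver in the original post."""
    zones: Dict[str, Dict[str, List[str]]]
    servfail: Set[str] = field(default_factory=set)

    def lookup(self, server: str, name: str) -> List[str]:
        if server in self.servfail:
            raise ServFail(f"{server}: SERVFAIL for {name}")
        return self.zones.get(server, {}).get(name, [])


def txt_visible(name: str, expected: str, servers: List[str],
                lookup: Lookup) -> Tuple[bool, List[str]]:
    """One round of the check: the record must carry 'expected' on every
    server asked; a SERVFAIL counts as 'not visible yet'.
    Returns (all_ok, per-server status lines)."""
    statuses, all_ok = [], True
    for server in servers:
        try:
            values = lookup(server, name)
        except ServFail as exc:
            statuses.append(f"{server}: {exc}")
            all_ok = False
            continue
        if expected in values:
            statuses.append(f"{server}: found")
        else:
            statuses.append(f"{server}: missing (got {values})")
            all_ok = False
    return all_ok, statuses


def wait_for_txt(name: str, expected: str, servers: List[str], lookup: Lookup,
                 timeout: float, interval: float, disable_check: bool = False,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, List[str]]:
    """Poll until the record is visible everywhere or 'timeout' seconds pass.
    With disable_check=True the pre-check is skipped entirely and the ACME
    server's own lookup is the only validation (what the thread's fix does)."""
    if disable_check:
        return True, ["pre-check disabled; relying on the ACME server's lookup"]
    deadline = clock() + timeout
    while True:
        ok, statuses = txt_visible(name, expected, servers, lookup)
        if ok or clock() >= deadline:
            return ok, statuses
        sleep(interval)


class SimClock:
    """Fake clock so the example runs instantly; sleep() just advances time."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


# Constructed scenario mirroring the post: the record exists on the
# authoritative servers, but the resolver Traefik uses answers SERVFAIL.
CHALLENGE = "_acme-challenge.mydomain.com"
TOKEN = "constructed-acme-token"
AUTHORITATIVE = ["ns1.cloudflare.invalid", "ns2.cloudflare.invalid"]
LOCAL_RESOLVER = ["resolver.homelab.invalid"]
DNS = FakeDns(zones={ns: {CHALLENGE: [TOKEN]} for ns in AUTHORITATIVE},
              servfail={LOCAL_RESOLVER[0]})


def run_check(servers: List[str], timeout: float = 60.0,
              disable_check: bool = False) -> Tuple[bool, List[str]]:
    """Run the pre-check against the given servers on the simulated clock."""
    clock = SimClock()
    return wait_for_txt(CHALLENGE, TOKEN, servers, DNS.lookup, timeout, 5.0,
                        disable_check=disable_check, clock=clock, sleep=clock.sleep)


if __name__ == "__main__":
    for label, servers in (("authoritative", AUTHORITATIVE), ("local", LOCAL_RESOLVER)):
        ok, statuses = run_check(servers)
        print(f"{label}: {'ok' if ok else 'timed out'}", *statuses, sep="\n  ")
```

Run as a script it shows the two outcomes side by side: queried against the authoritative servers the record is found on the first round, while the SERVFAIL resolver never satisfies the check and the loop only ends at the deadline. The practical takeaway matches the reply above: if the record is visible with `dig` against the authoritative servers but Traefik still times out, the problem is the resolver Traefik's pre-check is talking to, not the record itself, so either point the check at a resolver that can answer or switch the pre-check off and let the ACME server's own lookup decide.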

Thanks for the response and explanation. I appreciate it.
