Docker Traefik + Cloudflare provider: ACME DNS-Challenge error "failed to find zone"

Hello to all!

Sorry if this is the wrong place to post.

I've been trying to set up Traefik on Docker for my Synology NAS running DSM 7 for the last 3 days, without success.

I'm using Cloudflare as my provider.
Cloudflare is also the registrar for my domain and DNS.
I have the origin certificate installed, running in strict mode.

I'm using TLS for securing the Docker Daemon as well as a socket-proxy for controlling access to it by my containers.

Everything is working great.
I'm now trying to add Traefik instead of using the built-in Synology reverse proxy (nginx-based).

During the DNS challenge, I keep getting the following error:

cloudflare: failed to find zone [DOMAIN_REDACTED].com.: ListZonesContext command failed: HTTP status 400: Invalid request headers (6003)

Here is my "debug" docker-compose, where I have only kept the strict minimum to be able to reproduce the error.

I've based this file on the guide available at this link: https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/

version: "3.3"

secrets:
    cloudflare_apikey_dns:
        file: /volume1/docker/secrets/cloudflare/cloudflare_apikey_dns.txt
    cloudflare_apikey_zone:
        file: /volume1/docker/secrets/cloudflare/cloudflare_apikey_zone.txt

services:
    traefik:
        image: "traefik:v2.5"
        container_name: "traefik"
        command:
            - "--log.level=DEBUG"
            - "--api.insecure=true"
            - "--providers.docker=true"
            - "--providers.docker.exposedbydefault=false"
            - "--entrypoints.web.address=:80"
            - "--entrypoints.websecure.address=:443"
            - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
            - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
            - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
            - "--certificatesresolvers.myresolver.acme.email=[REDACTED EMAIL]"
            - "--certificatesresolvers.myresolver.acme.storage=/acme.json"
        ports:
            - "80:80"
            - "443:443"
            - "8080:8080"
        secrets:
            - "cloudflare_apikey_dns"
            - "cloudflare_apikey_zone"
        environment:
            - "CF_API_EMAIL=[REDACTED EMAIL]"
            - "CF_DNS_API_TOKEN=/run/secrets/cloudflare_apikey_dns"
            - "CF_ZONE_API_TOKEN=/run/secrets/cloudflare_apikey_zone"
        volumes:
            - "/volume1/docker/traefik/acme/acme.json:/acme.json"
            - "/var/run/docker.sock:/var/run/docker.sock:ro"

    whoami:
        image: "traefik/whoami"
        container_name: "simple-service"
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.whoami.rule=Host(`whoami.[REDACTED DOMAIN].com`)"
            - "traefik.http.routers.whoami.entrypoints=websecure"
            - "traefik.http.routers.whoami.tls.certresolver=myresolver"

    dozzle:
        image: amir20/dozzle
        container_name: dozzle
        ports:
            - 9999:8080/tcp
        volumes:
            - "/var/run/docker.sock:/var/run/docker.sock:ro"

Here is the rather long log file:

2021-12-31T06:28:23.247518575Z time="2021-12-31T06:28:23Z" level=info msg="Configuration loaded from flags."
2021-12-31T06:28:23.247573007Z time="2021-12-31T06:28:23Z" level=info msg="Traefik version 2.5.6 built on 2021-12-22T16:30:52Z"
2021-12-31T06:28:23.248928942Z time="2021-12-31T06:28:23Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"myresolver\":{\"acme\":{\"email\":\"[EMAIL_REDACTED]\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"}}}},\"pilot\":{\"dashboard\":true}}"
2021-12-31T06:28:23.249034523Z time="2021-12-31T06:28:23Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
2021-12-31T06:28:23.253187091Z time="2021-12-31T06:28:23Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
2021-12-31T06:28:23.253227374Z time="2021-12-31T06:28:23Z" level=debug msg="Start TCP Server" entryPointName=traefik
2021-12-31T06:28:23.253235365Z time="2021-12-31T06:28:23Z" level=debug msg="Start TCP Server" entryPointName=web
2021-12-31T06:28:23.253242223Z time="2021-12-31T06:28:23Z" level=debug msg="Start TCP Server" entryPointName=websecure
2021-12-31T06:28:23.253249173Z time="2021-12-31T06:28:23Z" level=info msg="Starting provider *traefik.Provider {}"
2021-12-31T06:28:23.253255790Z time="2021-12-31T06:28:23Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":4000000000}"
2021-12-31T06:28:23.253265439Z time="2021-12-31T06:28:23Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}"
2021-12-31T06:28:23.253412940Z time="2021-12-31T06:28:23Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"tls\":{}}" providerName=internal
2021-12-31T06:28:23.253449976Z time="2021-12-31T06:28:23Z" level=info msg="Starting provider *acme.Provider {\"email\":\"[EMAIL_REDACTED]\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"},\"ResolverName\":\"myresolver\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":4000000000},\"HTTPChallengeProvider\":{}}"
2021-12-31T06:28:23.253509786Z time="2021-12-31T06:28:23Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme
2021-12-31T06:28:23.253525371Z time="2021-12-31T06:28:23Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme
2021-12-31T06:28:23.253595202Z time="2021-12-31T06:28:23Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
2021-12-31T06:28:23.263670524Z time="2021-12-31T06:28:23Z" level=debug msg="Provider connection established with docker 20.10.12 (API 1.41)" providerName=docker
2021-12-31T06:28:23.279878942Z time="2021-12-31T06:28:23Z" level=debug msg="Filtering disabled container" providerName=docker container=dozzle-docker-4ca0d7a490143d3d046a506ce4b7d3b41375527051339358a29c3c534e833ddd
2021-12-31T06:28:23.279912716Z time="2021-12-31T06:28:23Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-docker-3cc358073aaa23e79e664465ba1b373875ec229dbabd9d3df31593de0693fb91
2021-12-31T06:28:23.279959402Z time="2021-12-31T06:28:23Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-docker\",\"rule\":\"Host(`whoami.[DOMAIN_REDACTED].com`)\",\"tls\":{\"certResolver\":\"myresolver\"}}},\"services\":{\"whoami-docker\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.23.0.3:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
2021-12-31T06:28:24.194870152Z time="2021-12-31T06:28:24Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
2021-12-31T06:28:24.194924843Z time="2021-12-31T06:28:24Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
2021-12-31T06:28:24.194958629Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareType=StripPrefix middlewareName=dashboard_stripprefix@internal entryPointName=traefik
2021-12-31T06:28:24.194993082Z time="2021-12-31T06:28:24Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal
2021-12-31T06:28:24.195002572Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
2021-12-31T06:28:24.195012174Z time="2021-12-31T06:28:24Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
2021-12-31T06:28:24.195039263Z time="2021-12-31T06:28:24Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
2021-12-31T06:28:24.195048942Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" middlewareType=Recovery middlewareName=traefik-internal-recovery entryPointName=traefik
2021-12-31T06:28:24.195219789Z time="2021-12-31T06:28:24Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
2021-12-31T06:28:24.399248196Z time="2021-12-31T06:28:24Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder routerName=api@internal entryPointName=traefik
2021-12-31T06:28:24.399285151Z time="2021-12-31T06:28:24Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareType=TracingForwarder middlewareName=tracing entryPointName=traefik routerName=dashboard@internal
2021-12-31T06:28:24.399293575Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
2021-12-31T06:28:24.399302535Z time="2021-12-31T06:28:24Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
2021-12-31T06:28:24.399317940Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" routerName=dashboard@internal entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
2021-12-31T06:28:24.399326379Z time="2021-12-31T06:28:24Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2021-12-31T06:28:24.399368023Z time="2021-12-31T06:28:24Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2021-12-31T06:28:24.399381207Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
2021-12-31T06:28:24.399508696Z time="2021-12-31T06:28:24Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
2021-12-31T06:28:24.654373924Z time="2021-12-31T06:28:24Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
2021-12-31T06:28:24.654425158Z time="2021-12-31T06:28:24Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
2021-12-31T06:28:24.654434980Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal
2021-12-31T06:28:24.654465777Z time="2021-12-31T06:28:24Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
2021-12-31T06:28:24.654474907Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
2021-12-31T06:28:24.654484074Z time="2021-12-31T06:28:24Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
2021-12-31T06:28:24.654530143Z time="2021-12-31T06:28:24Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal entryPointName=traefik
2021-12-31T06:28:24.654554976Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=traefik middlewareName=traefik-internal-recovery
2021-12-31T06:28:24.654673078Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" middlewareType=Pipelining serviceName=whoami-docker entryPointName=websecure routerName=whoami@docker middlewareName=pipelining
2021-12-31T06:28:24.654686343Z time="2021-12-31T06:28:24Z" level=debug msg="Creating load-balancer" serviceName=whoami-docker entryPointName=websecure routerName=whoami@docker
2021-12-31T06:28:24.654707459Z time="2021-12-31T06:28:24Z" level=debug msg="Creating server 0 http://172.23.0.3:80" entryPointName=websecure routerName=whoami@docker serviceName=whoami-docker serverName=0
2021-12-31T06:28:24.654719774Z time="2021-12-31T06:28:24Z" level=debug msg="child http://172.23.0.3:80 now UP"
2021-12-31T06:28:24.654741230Z time="2021-12-31T06:28:24Z" level=debug msg="Propagating new UP status"
2021-12-31T06:28:24.654799866Z time="2021-12-31T06:28:24Z" level=debug msg="Added outgoing tracing middleware whoami-docker" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=whoami@docker
2021-12-31T06:28:24.654812681Z time="2021-12-31T06:28:24Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
2021-12-31T06:28:24.654922927Z time="2021-12-31T06:28:24Z" level=debug msg="Adding route for whoami.[DOMAIN_REDACTED].com with TLS options default" entryPointName=websecure
2021-12-31T06:28:24.655031119Z time="2021-12-31T06:28:24Z" level=debug msg="Try to challenge certificate for domain [whoami.[DOMAIN_REDACTED].com] found in HostSNI rule" routerName=whoami@docker rule="Host(`whoami.[DOMAIN_REDACTED].com`)" providerName=myresolver.acme
2021-12-31T06:28:24.655114575Z time="2021-12-31T06:28:24Z" level=debug msg="Looking for provided certificate(s) to validate [\"whoami.[DOMAIN_REDACTED].com\"]..." providerName=myresolver.acme routerName=whoami@docker rule="Host(`whoami.[DOMAIN_REDACTED].com`)"
2021-12-31T06:28:24.655195198Z time="2021-12-31T06:28:24Z" level=debug msg="Domains [\"whoami.[DOMAIN_REDACTED].com\"] need ACME certificates generation for domains \"whoami.[DOMAIN_REDACTED].com\"." routerName=whoami@docker rule="Host(`whoami.[DOMAIN_REDACTED].com`)" providerName=myresolver.acme
2021-12-31T06:28:24.655206857Z time="2021-12-31T06:28:24Z" level=debug msg="Loading ACME certificates [whoami.[DOMAIN_REDACTED].com]..." providerName=myresolver.acme routerName=whoami@docker rule="Host(`whoami.[DOMAIN_REDACTED].com`)"
2021-12-31T06:28:33.172845203Z time="2021-12-31T06:28:33Z" level=debug msg="Building ACME client..." providerName=myresolver.acme
2021-12-31T06:28:33.172911142Z time="2021-12-31T06:28:33Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=myresolver.acme
2021-12-31T06:28:33.442011652Z time="2021-12-31T06:28:33Z" level=info msg=Register... providerName=myresolver.acme
2021-12-31T06:28:33.442169228Z time="2021-12-31T06:28:33Z" level=debug msg="legolog: [INFO] acme: Registering account for [EMAIL_REDACTED]"
2021-12-31T06:28:33.622395325Z time="2021-12-31T06:28:33Z" level=debug msg="Using DNS Challenge provider: cloudflare" providerName=myresolver.acme
2021-12-31T06:28:33.622443949Z time="2021-12-31T06:28:33Z" level=debug msg="legolog: [INFO] [whoami.[DOMAIN_REDACTED].com] acme: Obtaining bundled SAN certificate"
2021-12-31T06:28:33.894457497Z time="2021-12-31T06:28:33Z" level=debug msg="legolog: [INFO] [whoami.[DOMAIN_REDACTED].com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1305171798"
2021-12-31T06:28:33.894505341Z time="2021-12-31T06:28:33Z" level=debug msg="legolog: [INFO] [whoami.[DOMAIN_REDACTED].com] acme: Could not find solver for: tls-alpn-01"
2021-12-31T06:28:33.894514838Z time="2021-12-31T06:28:33Z" level=debug msg="legolog: [INFO] [whoami.[DOMAIN_REDACTED].com] acme: Could not find solver for: http-01"
2021-12-31T06:28:33.894522134Z time="2021-12-31T06:28:33Z" level=debug msg="legolog: [INFO] [whoami.[DOMAIN_REDACTED].com] acme: use dns-01 solver"
2021-12-31T06:28:33.894534711Z time="2021-12-31T06:28:33Z" level=debug msg="legolog: [INFO] [whoami.[DOMAIN_REDACTED].com] acme: Preparing to solve DNS-01"
2021-12-31T06:28:34.191297664Z time="2021-12-31T06:28:34Z" level=debug msg="legolog: [INFO] [whoami.[DOMAIN_REDACTED].com] acme: Cleaning DNS-01 challenge"
2021-12-31T06:28:34.381849162Z time="2021-12-31T06:28:34Z" level=debug msg="legolog: [WARN] [whoami.[DOMAIN_REDACTED].com] acme: cleaning up failed: cloudflare: failed to find zone [DOMAIN_REDACTED].com.: ListZonesContext command failed: HTTP status 400: Invalid request headers (6003) "
2021-12-31T06:28:34.481586404Z time="2021-12-31T06:28:34Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1305171798"
2021-12-31T06:28:34.584399746Z time="2021-12-31T06:28:34Z" level=error msg="Unable to obtain ACME certificate for domains \"whoami.[DOMAIN_REDACTED].com\": unable to generate a certificate for the domains [whoami.[DOMAIN_REDACTED].com]: error: one or more domains had a problem:\n[whoami.[DOMAIN_REDACTED].com] [whoami.[DOMAIN_REDACTED].com] acme: error presenting token: cloudflare: failed to find zone [DOMAIN_REDACTED].com.: ListZonesContext command failed: HTTP status 400: Invalid request headers (6003)\n" providerName=myresolver.acme routerName=whoami@docker rule="Host(`whoami.[DOMAIN_REDACTED].com`)"

Both of my API tokens on Cloudflare are correctly configured, with the right DNS Edit and Zone Read permissions:

I've also tried the method with the "Global API Key", and it gives me the same error.

I have also tested the "Zone" token with curl directly on the NAS through SSH, and I get a good response:

curl -X GET "https://api.cloudflare.com/client/v4/zones?name=[DOMAIN_REDACTED].com" \
-H "Content-Type: application/json" \
-H "X-Auth-Email: [EMAIL_REDACTED]" \
-H "Authorization: Bearer [CF_ZONE_API_TOKEN]"

{"result":[REDACTED],"result_info":{"page":1,"per_page":20,"total_pages":1,"count":1,"total_count":1},"success":true,"errors":[],"messages":[]}

From the API response above, I am able to correctly get the Zone ID from the domain name (zone name), just like the dns-challenge tries to do.

Also, when I try to reach the Traefik dashboard on my local (LAN) IP on port 8080, I get a white/blank page with the error message "404 page not found".

On my router, ports 80 and 443 are correctly forwarded to the NAS IP (the default nginx reverse-proxy by Synology was, and still is, working correctly).

In my production docker-compose file, I've also added the following entrypoints, with no luck in getting rid of the error:

- --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32

I've also added the following DNS resolvers, to bypass my internal ones:

- --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53

I've been troubleshooting this for a really long time and have no idea what I did wrong...if anything.

I think that the Traefik image uses the https://github.com/go-acme/lego project, which itself uses the https://github.com/cloudflare/cloudflare-go library to access the Cloudflare API.

Maybe an update to the API could have broken something recently?
However if that was the case there would surely be many more people having this problem?

My next step is to perform the same actions directly with the Lego CLI tool: https://go-acme.github.io/lego/usage/cli/

Thank you all for your help!

hello,

A little sad about the lack of replies here, don't you think? From what I've been reading, this issue is fairly common. And I've yet to find anything to fix it.

I know it's been a while since this post, however, I'm wondering if by chance you had found a solution to this one... I've done the exact same steps of troubleshooting as you and have come up empty.

Hi,
I had a similar problem. I ended up using a Cloudflare API key instead of an API token, using the traefik environment variables CF_API_EMAIL and CF_API_KEY.
Also, you can use the traefik docker image traefik:v2.3 for debugging purposes. On this version, you will have the full error logged instead of the error

cloudflare: failed to find zone [DOMAIN_REDACTED].com.: ListZonesContext command failed: HTTP status 400: Invalid request headers (6003)

Make sure you are providing the correct environment variable, I had this problem trying to use a scoped variable as a global one.

Anyone stumbling upon this later:

It looks like you're using CF_DNS_API_TOKEN which expects a direct value, and you're passing it a secret path.

You need to instead use CF_DNS_API_TOKEN_PATH which expects a path to a secret instead.

Edit: Although not documented it seems like only the new names for environment variables have the _FILE option. In this particular case CF_DNS_API_TOKEN_PATH has been replaced with CLOUDFLARE_DNS_API_TOKEN.

For all the new names you can see the lego cloudflare docs page.

See the docker compose secrets documentation for more details.
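
The mismatch described in the last reply (a variable that is read as the literal credential being given a `/run/secrets/...` path) can be caught before deployment. The following is an added example, not part of the thread and not Traefik or lego code: a small linter over a service's `environment` and `secrets` lists. The `_FILE`-suffixed names in `FIXED_ENV` are assumed from the `_FILE` option mentioned above, and the e-mail address is a constructed placeholder.

```python
"""Lint compose-style environment entries for secret paths passed as values."""
from dataclasses import dataclass

SECRETS_DIR = "/run/secrets/"  # where Docker mounts compose secrets in the container
FILE_SUFFIX = "_FILE"          # suffix convention mentioned in the thread (assumption)


@dataclass
class Finding:
    variable: str
    problem: str


def parse_env(entries):
    """Turn list-style entries ("KEY=VALUE") into an ordered dict."""
    env = {}
    for entry in entries:
        key, sep, value = entry.partition("=")
        if not sep:
            continue  # bare "KEY" is inherited from the host; nothing to check
        env[key.strip()] = value.strip()
    return env


def lint_service(env_entries, mounted_secrets):
    """Return findings for variables whose value and name disagree."""
    findings = []
    mounted = set(mounted_secrets)
    for name, value in parse_env(env_entries).items():
        is_file_var = name.endswith(FILE_SUFFIX)
        points_at_secret = value.startswith(SECRETS_DIR)
        if points_at_secret and not is_file_var:
            # The provider would send the path itself as the credential.
            findings.append(Finding(
                name, "value is a secret file path but the variable is read "
                      "as the literal credential"))
        if points_at_secret and value[len(SECRETS_DIR):] not in mounted:
            findings.append(Finding(
                name, "secret is not listed under the service's secrets"))
        if is_file_var and not value.startswith("/"):
            findings.append(Finding(
                name, "file-based variable expects an absolute path"))
    return findings


# Constructed from the compose file in the first post (e-mail is a placeholder).
PAGE_ENV = [
    "CF_API_EMAIL=user@example.com",
    "CF_DNS_API_TOKEN=/run/secrets/cloudflare_apikey_dns",
    "CF_ZONE_API_TOKEN=/run/secrets/cloudflare_apikey_zone",
]
PAGE_SECRETS = ["cloudflare_apikey_dns", "cloudflare_apikey_zone"]

# Same service with file-based variable names (assumed names, see lead-in).
FIXED_ENV = [
    "CF_API_EMAIL=user@example.com",
    "CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_apikey_dns",
    "CF_ZONE_API_TOKEN_FILE=/run/secrets/cloudflare_apikey_zone",
]

if __name__ == "__main__":
    for label, env in (("as posted", PAGE_ENV), ("file-based", FIXED_ENV)):
        results = lint_service(env, PAGE_SECRETS)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  {f.variable}: {f.problem}")
```
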