Failed to find zone it.com

Hey all,

I am new to traefik and I am having an issue with my configuration. I have spent the past day reading through forum posts where similar issues with acme certificates were brought up, but nothing seems to quite match my troubles. My domain is on the .it.com TLD; it seems that traefik or Let's Encrypt is incorrectly thinking that my domain is it.com instead of domain.it.com. I am assuming this is just something I have straight up configured wrong that’s causing it.

The Error:

```text
2025-08-15T14:40:39Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [portainer.DOMAIN.it.com] acme: Could not find solver for: tls-alpn-01 lib=lego
2025-08-15T14:40:39Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [portainer.DOMAIN.it.com] acme: Could not find solver for: http-01 lib=lego
2025-08-15T14:40:39Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [portainer.DOMAIN.it.com] acme: use dns-01 solver lib=lego
2025-08-15T14:40:39Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [portainer.DOMAIN.it.com] acme: Preparing to solve DNS-01 lib=lego
2025-08-15T14:40:40Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] [portainer.DOMAIN.it.com] acme: Cleaning DNS-01 challenge lib=lego
2025-08-15T14:40:41Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [WARN] [portainer.DOMAIN.it.com] acme: cleaning up failed: cloudflare: failed to find zone it.com.: zone could not be found  lib=lego
2025-08-15T14:40:41Z DBG github.com/go-acme/lego/v4@v4.23.1/log/logger.go:48 > [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/2596210556/569319205776 lib=lego
2025-08-15T14:40:42Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:495 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [portainer.DOMAIN.it.com]: error: one or more domains had a problem:\n[portainer.DOMAIN.it.com] [portainer.DOMAIN.it.com] acme: error presenting token: cloudflare: failed to find zone it.com.: zone could not be found\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["portainer.DOMAIN.it.com"] providerName=cloudflare.acme routerName=portainer-https@docker rule=Host(`portainer.DOMAIN.it.com`)
```

My setup is as follows.

Docker running on TrueNAS SCALE v25. Portainer installed via TrueNAS apps. Traefik installed via Portainer using a docker-compose.yaml stored in GitHub.

Traefik's docker-compose.yaml: traefik docker-compose.yaml - Pastebin.com

Traefik.yaml: traefik.yaml - Pastebin.com

Stack.env just has the following two lines:

```text
CF_DNS_API_TOKEN =TOKEN
CF_API_KEY = TOKEN
```

The labels on Portainer for traefik are:

```text
traefik.enable:"true",
traefik.http.routers.portainer-http.entrypoints:"http",
traefik.http.routers.portainer-http.rule:"Host(`portainer.DOMAIN.it.com`)",
traefik.http.routers.portainer-https.entrypoints:"https",
traefik.http.routers.portainer-https.rule:"Host(`portainer.DOMAIN.it.com`)",
traefik.http.routers.portainer-https.service:"portainer-https",
traefik.http.routers.portainer-https.tls:"true",
traefik.http.routers.portainer-https.tls.certresolver:"cloudflare",
traefik.http.services.portainer-https.loadbalancer.server.port:"31015"
```

PLEASE use 3 backticks before and after code/config, or select it and press </>.

Maybe check simple Traefik example for best practice. You need no http routers and no redirect middleware, if you globally redirect to https on entrypoint. Why would you use Google Public DNS 8.8.8.8 when using dnsChallenge with Cloudflare?

So I assume you have a Cloudflare account and are the owner of it.com? I think with Cloudflare you need to create additional "zones" for such additional DOMAIN sub-domain level.

Hey there @bluepuma77, thank you for the formatting tip.

This has mostly been cobbled together by following various guides so there are definitely a few things that I have included here that might not be best practice. Good call on the redirect. I didn’t have that originally but added it a little earlier today when I was troubleshooting.

As far as Cloudflare goes, yes I have a Cloudflare account. No, I do not own it.com. I own a domain under it.com, `foobar.it.com`. That domain is in my Cloudflare account and configured as an accessible zone for the Cloudflare API. The issue seems to be that somewhere along the line, the domain is being read as it.com instead of foobar.it.com.

Docs state:

`CF_API_EMAIL`, `CF_API_KEY` or `CF_DNS_API_TOKEN`, [`CF_ZONE_API_TOKEN`]

Maybe you need to add CF_ZONE_API_TOKEN

I think you're right that the domain you own is understood as "it.com" and therefore it's not appearing as a zone you manage.

What's preventing you from using the http challenge instead?
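As an added illustration (not code from this thread, from Traefik or from lego), here is a simplified model of the zone discovery an ACME DNS-01 client performs before it asks the Cloudflare API for a zone: it walks up the labels of `_acme-challenge.<host>` until the configured resolver returns an SOA record, then looks for a Cloudflare zone of exactly that name. It shows how the lookup in the log above can end at `it.com` instead of `DOMAIN.it.com` (the replies about needing the DOMAIN-level zone and the domain being "understood as it.com"). The two stub resolvers and the account zone list are constructed assumptions, not real DNS.

```python
from typing import Callable, Iterable, Optional

# A resolver stand-in: returns True if the name has an SOA record.
SoaLookup = Callable[[str], bool]


def find_zone_by_fqdn(fqdn: str, has_soa: SoaLookup) -> Optional[str]:
    """Strip labels from the left until a name with an SOA record is found.

    Simplified model of the SOA walk ACME DNS-01 clients use to pick the
    zone that will hold the _acme-challenge TXT record. Returns the zone
    apex with a trailing dot, or None if no parent has an SOA.
    """
    name = fqdn.rstrip(".") + "."
    labels = name.split(".")[:-1]  # drop the empty label after the root dot
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if has_soa(candidate):
            return candidate
    return None


def diagnose(fqdn: str, has_soa: SoaLookup, account_zones: Iterable[str]) -> str:
    """Report whether DNS-01 for fqdn lands in a zone the API credentials can see."""
    zone = find_zone_by_fqdn(fqdn, has_soa)
    if zone is None:
        return "no SOA found for any parent of " + fqdn
    owned = {z.rstrip(".") + "." for z in account_zones}
    if zone in owned:
        return "ok: zone " + zone + " is in the account"
    # This is the situation behind "failed to find zone it.com.": the walk
    # stopped at a zone the account does not manage.
    return "failed to find zone " + zone + ": not in the account"


# Constructed stubs (assumptions, not live DNS):
def healthy_dns(name: str) -> bool:
    """Resolver that sees both the registry zone and the customer zone."""
    return name in {"it.com.", "DOMAIN.it.com."}


def stale_dns(name: str) -> bool:
    """Resolver that never returns an SOA for the customer zone."""
    return name in {"it.com."}


if __name__ == "__main__":
    host = "_acme-challenge.portainer.DOMAIN.it.com"
    print(diagnose(host, healthy_dns, ["DOMAIN.it.com"]))
    print(diagnose(host, stale_dns, ["DOMAIN.it.com"]))
```

Running it prints an "ok" line for the healthy resolver and the "failed to find zone it.com." line for the stale one, so the diagnostic question is whether the resolver Traefik is configured with returns an SOA for the DOMAIN.it.com zone.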