Failed to find zone <REDACTED>.xyz in DNSChallenge for Let’s Encrypt Certificates

Hello!

For the past 4 days I've been receiving an error.
I only want to perform a DNS challenge for Let's Encrypt wildcard certificates without exposing any home service website.
From the TechnoTim tutorial - Traefik 3 and FREE Wildcard Certificates with Docker

traefik-swarm_reverse-proxy.0.0kovc3uq3vbf@swarm3    | time="2024-05-27T11:15:54+02:00" level=error msg="Unable to obtain ACME certificate for domains \"home.<REDACTED>.xyz,*.home.<REDACTED>.xyz\"" error="unable to generate a certificate for the domains [home.<REDACTED>.xyz *.home.<REDACTED>.xyz]: error: one or more domains had a problem:\n[*.home.<REDACTED>.xyz] [*.home.<REDACTED>.xyz] acme: error presenting token: cloudflare: failed to find zone <REDACTED>.xyz.: ListZonesContext command failed: Invalid request headers (6003)\n[home.<REDACTED>.xyz] [home.<REDACTED>.xyz] acme: error presenting token: cloudflare: failed to find zone <REDACTED>.xyz.: ListZonesContext command failed: Invalid request headers (6003)\n" providerName=cloudflare.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=traefik-secure@docker rule="Host(`traefik.home.<REDACTED>.xyz`)"

What I have already tried additionally:

  1. Deleting all of my firewall rules from the router
  2. Using multiple environment variables for the dnsChallenge:
    • CLOUDFLARE_API_KEY=<REDACTED>
    • CLOUDFLARE_EMAIL=<REDACTED>
    • CF_API_KEY=<REDACTED>
    • CF_API_EMAIL=<REDACTED>
  3. Adding two resolver IPs (both Cloudflare 1.1.1.1 and Google 8.8.8.8)
  4. Deleting the quotes around my environment variables
  5. Trying out a Cloudflare API token for "ALL ZONES" (I have now switched back to a specific zone)
  6. Deleting all settings in dnsmasq.d and all records pointing to .home in Pi-hole, and later adding a CNAME and a DNS record pointing to this CNAME (exactly as in the tutorial)
  7. Trying a domain one level lower (without .home), i.e. just traefik.<REDACTED>.xyz
  8. Adding the delayBeforeCheck and disablePropagationCheck parameters
  9. Giving delayBeforeCheck a value of 600s instead of 60s
  10. Adding additional A records for .home.<REDACTED>.xyz in Cloudflare
  11. Changing the API key settings to the default ones provided by Cloudflare, as in a Cloudflare forum discussion:
    • Account - Account Settings - Read
    • Zone - DNS - Edit
    • Zone - Zone - Edit

    The token works when I use curl.

traefik-stack.yml:

version: '3.5'

services:
  reverse-proxy:
    image: traefik:2.11.2
    ports:
      - "80:80"
      - "8080:8080"  # For Traefik dashboard
      - "443:443"
    #  - "222:222"
    volumes:
      - /home/swarm/traefik/traefik-conf.yml:/etc/traefik/traefik.yml:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/swarm/traefik/configuration/:/configuration/
      - /etc/localtime:/etc/localtime:ro # To get timezones
      - /home/swarm/traefik/acme.json:/acme.json
    environment:
      - TZ=Europe/Warsaw
      - CLOUDFLARE_API_KEY={{}}
      - CLOUDFLARE_EMAIL=<REDACTED>
      - CF_API_KEY=<REDACTED>
      - CF_API_EMAIL=<REDACTED>
      - CF_ZONE_API_TOKEN=<REDACTED>
    networks:
      - web

    deploy:
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik.home.<REDACTED>.xyz`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.home.<REDACTED>.xyz`)"
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$Bsvmb9NZ$$eW3Ss7.hKqfiZNUG/0zfd/"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=home.<REDACTED>.xyz"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.home.<REDACTED>.xyz"
      - "traefik.http.routers.traefik-secure.service=api@internal"
            # Dummy service for Swarm port detection. The port can be any valid integer value.
      - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"

      mode: global
      placement:
        constraints: [node.role == manager]

networks:
  web:
    driver: overlay
    attachable: true
    name: web

traefik-conf.yml:

api:
  dashboard: true
  debug: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    swarmMode: true
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # file:
  #   filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: <REDACTED>
      storage: acme.json
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare; setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        delayBeforeCheck: 600s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
        resolvers:
          - 1.1.1.1:53
          - 8.8.8.8:53

  acmeLogging: true


Have you tried without this?

Maybe disabling the check also disabled the delay and the request is too fast.

The error seems to show that your credentials are working. But it's an additional question whether they are the right credentials (for the domain) and whether they have the required permissions.

You should use the DNS IP of the DNS service you use for TLS, as that will work the fastest.

Note your domain is still visible in the error message.

PS: Where did you find acmeLogging? That doesn’t seem to be valid config.

Thanks @bluepuma for the response,

I tried with the two parameters commented out, and also acmeLogging: true (I think I got it from a StackOverflow answer; now I see it was only valid in Traefik v1).

However, it still doesn't work.

The permissions are made only for this one specific domain I bought.

Do you mean that I should use 1.0.0.1 (Cloudflare's second DNS) as a second resolver? I also tried doing that.

I CANNOT BELIEVE I'VE ACTUALLY MADE SUCH A GOOFY MISTAKE.

I've used

When clearly, from the LEGO Documentation, I should have passed CF_DNS_API_TOKEN :
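The mistake the thread ends on (an API token handed to lego in the global-key variable) and bluepuma's question about whether the right credentials are in play both come down to which of lego's two Cloudflare credential sets is actually in effect. The preflight script below is an added example for this thread, not code from Traefik, lego or any poster. It assumes lego's documented precedence for the cloudflare provider (the email + global API key pair is tried first, and the scoped CF_DNS_API_TOKEN / CLOUDFLARE_DNS_API_TOKEN only when that pair is absent) and Cloudflare's current credential formats (global key: 37 hex characters; API token: 40 characters of A-Z, a-z, 0-9, underscore and hyphen). A token placed in CF_API_KEY is sent by lego as the X-Auth-Key header, which Cloudflare rejects with error 6003 "Invalid request headers", the error seen in the log above. The script flags that case, and warns when a global key is used at all, since a token scoped to Zone:DNS:Edit and Zone:Zone:Read on the single zone is all the DNS challenge needs and a global key grants full account access.

```shell
#!/bin/sh
# Preflight check for the Cloudflare credentials Traefik passes to lego for the
# DNS-01 challenge. Added example for this thread, not Traefik's or lego's code.
# Assumption (lego cloudflare provider): the global-key pair
#   CLOUDFLARE_EMAIL/CF_API_EMAIL + CLOUDFLARE_API_KEY/CF_API_KEY
# wins whenever it is set; the scoped token
#   CLOUDFLARE_DNS_API_TOKEN/CF_DNS_API_TOKEN (+ optional *_ZONE_API_TOKEN)
# is only used as a fallback.

# cf_cred_mode EMAIL GLOBAL_KEY DNS_TOKEN -> prints the credential set lego will use
cf_cred_mode() {
  if [ -n "$1" ] && [ -n "$2" ]; then
    echo global-key
  elif [ -n "$3" ]; then
    echo token
  else
    echo none
  fi
}

# Format heuristics (assumption: Cloudflare global API keys are 37 hex chars,
# API tokens are 40 chars of [A-Za-z0-9_-]; adjust if Cloudflare changes them).
looks_like_token()      { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{40}$'; }
looks_like_global_key() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{37}$'; }

# check_cf_env EMAIL GLOBAL_KEY DNS_TOKEN
# Returns 0 when the combination is one lego will accept, 1 with a diagnosis on stderr.
check_cf_env() {
  mode=$(cf_cred_mode "$1" "$2" "$3")
  case "$mode" in
    none)
      echo "no Cloudflare credentials set (need CF_DNS_API_TOKEN, or CF_API_EMAIL + CF_API_KEY)" >&2
      return 1 ;;
    global-key)
      if looks_like_token "$2"; then
        echo "CF_API_KEY/CLOUDFLARE_API_KEY holds an API token: lego sends it as X-Auth-Key and" \
             "Cloudflare answers 6003. Move it to CF_DNS_API_TOKEN and unset the key/email pair." >&2
        return 1
      fi
      if ! looks_like_global_key "$2"; then
        echo "CF_API_KEY/CLOUDFLARE_API_KEY is neither a global API key nor an API token" >&2
        return 1
      fi
      if [ -n "$3" ]; then
        echo "warning: CF_DNS_API_TOKEN is ignored while the email/global-key pair is set" >&2
      fi
      echo "warning: a global API key grants full account access; prefer a token scoped to one zone" >&2 ;;
    token)
      if ! looks_like_token "$3"; then
        echo "CF_DNS_API_TOKEN does not look like a Cloudflare API token" >&2
        return 1
      fi ;;
  esac
  return 0
}

# Live check against the Cloudflare API (network required; not run by default):
# verifies the token, then confirms it can list the zone the _acme-challenge TXT
# record will be created in, which is the ListZones call that failed in the thread.
cf_verify_token_for_zone() {  # cf_verify_token_for_zone TOKEN ZONE
  curl -sS -H "Authorization: Bearer $1" https://api.cloudflare.com/client/v4/user/tokens/verify
  curl -sS -H "Authorization: Bearer $1" "https://api.cloudflare.com/client/v4/zones?name=$2"
}

# Usage: CF_DNS_API_TOKEN=... sh cf-preflight.sh --env [zone]
if [ "${1:-}" = "--env" ]; then
  check_cf_env "${CLOUDFLARE_EMAIL:-${CF_API_EMAIL:-}}" \
               "${CLOUDFLARE_API_KEY:-${CF_API_KEY:-}}" \
               "${CLOUDFLARE_DNS_API_TOKEN:-${CF_DNS_API_TOKEN:-}}" || exit 1
  if [ -n "${2:-}" ]; then
    cf_verify_token_for_zone "${CLOUDFLARE_DNS_API_TOKEN:-${CF_DNS_API_TOKEN:-}}" "$2"
  fi
fi
```

Run it with the same environment the Traefik service receives (for a stack file, the `environment:` block of the reverse-proxy service). If it reports global-key mode when you meant to use a token, remove CF_API_KEY, CLOUDFLARE_API_KEY, CF_API_EMAIL and CLOUDFLARE_EMAIL from the service rather than adding CF_DNS_API_TOKEN beside them, because the pair takes precedence and the token would never be used.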
