I’m trying to issue a Let’s Encrypt certificate using Traefik with the Cloudflare DNS-01 challenge. But I keep getting this error:
ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [<subdomain.example.com>]: error: one or more domains had a problem:
[<subdomain.example.com>] propagation: time limit exceeded: last error: authoritative nameservers: NS <nsX>.ns.cloudflare.com.:53 returned REFUSED for _acme-challenge.<subdomain.example.com>.
" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["<subdomain.example.com>"] providerName=cloudflare.acme routerName=traefik-secure@docker
What I’ve checked
- Domain is on Cloudflare
- API token has Zone.DNS Read/Edit permissions
- I am running Traefik on a local network setup (not a public VPS)
- TXT record visible in Cloudflare dashboard
Question to the community
Why would Cloudflare’s authoritative nameservers return REFUSED for the _acme-challenge record even though the TXT record exists in the dashboard?
Is this a zone configuration issue, API permission issue, or something else I might be missing?