Traefik and Cloudflare unable to obtain certificate

macmattias · February 16, 2022, 9:58pm

Setting up a new Traefik instance, getting an error I have never seen and I am a bit confused.

time="2022-02-16T21:48:20Z" level=error msg="Unable to obtain ACME certificate for domains \"cloud.grillgeek.se\": unable to generate a certificate for the domains [cloud.grillgeek.se]: error: one or more domains had a problem:\n[cloud.grillgeek.se] [cloud.grillgeek.se] acme: error presenting token: cloudflare: failed to create TXT record: HTTP status 403: Authentication error (10000)\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=cloudflare.acme routerName=nextcloud-https@docker rule="Host(`cloud.grillgeek.se`)"
time="2022-02-16T21:48:21Z" level=error msg="Unable to obtain ACME certificate for domains \"start.grillgeek.se\": unable to generate a certificate for the domains [start.grillgeek.se]: error: one or more domains had a problem:\n[start.grillgeek.se] [start.grillgeek.se] acme: error presenting token: cloudflare: failed to create TXT record: HTTP status 403: Authentication error (10000)\n" routerName=heimdall-https@docker rule="Host(`start.grillgeek.se`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=cloudflare.acme time="2022-02-16T21:48:20Z" level=error msg="Unable to obtain ACME certificate for domains \"cloud.domain.io\": unable to generate a certificate for the domains [cloud.domain.io]: error: one or more domains had a problem:\n[cloud.domain.io] [cloud.domain.io] acme: error presenting token: cloudflare: failed to create TXT record: HTTP status 403: Authentication error (10000)\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=cloudflare.acme routerName=nextcloud-https@docker rule="Host(`cloud.domain.io`)"

time="2022-02-16T21:48:21Z" level=error msg="Unable to obtain ACME certificate for domains \"start.domain.io\": unable to generate a certificate for the domains [start.domain.io]: error: one or more domains had a problem:\n[start.domain.io] [start.domain.io] acme: error presenting token: cloudflare: failed to create TXT record: HTTP status 403: Authentication error (10000)\n" routerName=heimdall-https@docker rule="Host(`start.domain.io`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=cloudflare.acme

I have double and tripple checked and tested the cloudflare token, and it works.
Here is my setup:

gist.github.com

https://gist.github.com/ratnose/ef5ffa360da6e01b1666238c1ed17aa4

All configs

docker-compose:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:

This file has been truncated. show original

Things is, even with these errors in the docker logs, I can visit start (heimdall docker), traefikdash and cloud (nextcloud docker).
I have tried so many different angels and solutions I guess I have gone blind.
So please tell me what I have missed.

tommoulard · February 17, 2022, 8:15am

Hello @macmattias,

It seems that traefik cannot connect to Cloudflare. Did you have any issue in setting the corresponding configuration (e.g. CF_API_EMAIL, CF_API_KEY or CF_DNS_API_TOKEN, [CF_ZONE_API_TOKEN])?

macmattias · February 17, 2022, 9:32am

No, when you create a token you get a curl-string to test it, and I did and it worked.
I got no issues with the internet or anything the only thing that might be an issue but still not is that my internal DNS is using Unbound.

tommoulard · February 17, 2022, 9:46am

Then, this might be a Cloudflare token issue. Check out this documentation of lego that can help you with Cloudflare token : Cloudflare :: Let’s Encrypt client and ACME library written in Go.

jakubhajek · February 17, 2022, 9:58am

Does the CloudFlare token that has been created have permission to add DNS entries to the zone? As a workaround, you can try to use GlobalToken and see if the issue still exists. Then you can create the token with appropriate permission to add DNS entries to your domains.

macmattias · February 17, 2022, 10:25am

I checked my docker-compose and it seems I have used my Global API Token.
I get the same errors using a token setup to be able to edit my dns.

jakubhajek · February 17, 2022, 2:01pm

I did some research and I found that if you use API keys ( CF_API_EMAIL and CF_API_KEY ), the Global API Key needs to be used, not the Origin CA Key. however, there are also some limitations regarding the DDNS update for some TLD's. Maybe that will help to explain that specific behavior:

https://go-acme.github.io/lego/dns/cloudflare/

github.com/go-acme/lego

Cloudflare DNS provider cannot add TXT record

opened 10:03PM - 02 May 20 UTC

closed 09:29PM - 12 May 20 UTC

ajnikitins

question

Hello! I can't seem to be able to create a Let's Encrypt certificate for my w…ebsite because lego/cloudflaire fails at creating a TXT record. I initially had the configuration in Traefik, but I think that it's a lego issue. When I run: ``` docker run -i -e CLOUDFLARE_EMAIL=my@email.com -e CLOUDFLARE_API_KEY=mykey goacme/lego --server=https://acme-staging-v02.api.letsencrypt.org/directory --dns cloudflare --domains mysite.com --email my@email.com run ``` I get: ``` 2020/05/02 21:38:40 No key found for account my@email.com. Generating a P384 key. 2020/05/02 21:38:40 Saved key to /.lego/accounts/acme-staging-v02.api.letsencrypt.org/my@email.com/keys/my@email.com.key 2020/05/02 21:38:41 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf Do you accept the TOS? Y/n 2020/05/02 21:38:43 [INFO] acme: Registering account for my@email.com !!!! HEADS UP !!!! Your account credentials have been saved in your Let's Encrypt configuration directory at "/.lego/accounts". You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained from Let's Encrypt so making regular backups of this folder is ideal.2020/05/02 21:38:43 [INFO] [mysite.com] acme: Obtaining bundled SAN certificate 2020/05/02 21:38:44 [INFO] [mysite.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/53391423 2020/05/02 21:38:44 [INFO] [mysite.com] acme: Could not find solver for: tls-alpn-01 2020/05/02 21:38:44 [INFO] [mysite.com] acme: Could not find solver for: http-01 2020/05/02 21:38:44 [INFO] [mysite.com] acme: use dns-01 solver 2020/05/02 21:38:44 [INFO] [mysite.com] acme: Preparing to solve DNS-01 2020/05/02 21:38:45 [INFO] [mysite.com] acme: Cleaning DNS-01 challenge 2020/05/02 21:38:45 [WARN] [mysite.com] acme: cleaning up failed: cloudflare: unknown record ID for '_acme-challenge.mysite.com.' 2020/05/02 21:38:45 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/53391423 2020/05/02 21:38:45 Could not obtain certificates: error: one or more domains had a problem: [mysite.com] [mysite.com] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 401: invalid credentials ``` I have tried to reset the API key, make joint and split API tokens, and also the non-staging server with no success. Inputting actually invalid credentials gives a 403, which hopefully is expected behaviour. At least one other case of this is mentioned in [this SO question](https://stackoverflow.com/questions/61564020/traefik-not-generating-tls-certificate-error-401).

macmattias · February 17, 2022, 3:46pm

This worked without any issues like this before the server hosting all this crashed and I am rebuilding everything from scratch. (Backups? I was a victim of the Proxmox 7 backup bug...)
The only thing that has changed is that I have removed a ddns docker image and let pfSense take care of that instead.
I did use the Global API token. Just now I tried to set static ip and added 1.1.1.1 and 1.1.1.2 as DNS servers, no different same error still.

macmattias · February 17, 2022, 3:49pm

Now I created a new token, tested it with success added it to Traefik, after a down and up no errors.

jakubhajek · February 18, 2022, 7:54am

Congrats! So the root cause of the issue was an invalid CF token.

Thanks for you update

system · February 21, 2022, 7:55am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to obtain ACME certificate for domains - credentials are missing Traefik v2 (latest) docker , letsencrypt-acme	6	139	March 24, 2024
"Unable to obtain ACME certificate for domains..." Traefik v2 (latest) docker	4	1142	January 27, 2023
Cannot obtain ACME certificate possibly due to inability to perform SOA DNS query Traefik v2 (latest) docker	7	1072	September 26, 2022
Unable to obtain ACME certificates timeout Traefik v2 (latest) docker	8	4878	December 8, 2020
Traefik not getting certificates from cloudflare Traefik v2 (latest) kubernetes-ingress , letsencrypt-acme	1	868	August 2, 2021

Traefik and Cloudflare unable to obtain certificate

Related Topics