Traefik cannot issue certificate for CNAMEd wildcard domain

All IPs and domains are anonymized.
In a nutshell:

I have a domain in Cloudflare called
I have a kubernetes cluster with a cloudprovider
This cloudprovider handles my LoadBalancer and provides a DNS name for it
The DNS name is

I created a wildcard CNAME record: * CNAME
I created a deployment called 'whoami' with a hostname of
I request a certificate using Traefik with the Cloudflare ACME integration.

I get an error message:

time="2023-07-20T13:11:35Z" level=error msg="Unable to obtain ACME certificate for domains \"\": unable to generate a certificate for the domains []:
 error: one or more domains had a problem:
[] [] acme:
 error presenting token: cloudflare: failed to find zone
 zone could not be found"
 routerName=whoami-ingressroutetls-634c5674f9b4d48261f8@kubernetescrd providerName=cloudflare.acme ACME CA="" rule="Host(``) && PathPrefix(`/tls`)"

So for some reason, the Traefik ACME is looking for a zone called instead of the zone.
The problem disappears if I use an A record instead of a CNAME. I suspect it has something to do with the lookup of SOA records. When using a CNAME, a SOA record lookup returns the zone instead of the zone.

Is this a bug? Am I doing something wrong? Is it not possible to use a wildcard CNAME to redirect all traffic to my cluster?


CNAME has to follow some rules to be used for getting Let's Encrypt certificates, wildcard CNAME doesn't allow to handle those requirements.

You have to disable the support of CNAME inside lego by setting the env var LEGO_DISABLE_CNAME_SUPPORT=true

Right. But, typically, Kubernetes clusters are hosted by large cloud provider who handle the loadbalancing issue and give you an IP address and hostname that you can use as public IP. So I feel like I cannot avoid using a CNAME to redirect my own domain names to my cluster? Because my cloud provider could change the actual IP address without informing me.

You don't have to disable your CNAME wildcard, you just have to say to lego to not follow CNAME (LEGO_DISABLE_CNAME_SUPPORT=true).

You will be able to use lego and get certificates even if lego doesn't follow CNAME, it's just an option.

1 Like