All IPs and domains are anonymized.
In a nutshell:
I have a domain in Cloudflare called
I have a Kubernetes cluster with a cloudprovider
This cloudprovider handles my LoadBalancer and provides a DNS name for it
The DNS name is
I created a wildcard CNAME record:
*.example.com CNAME 22.214.171.124.haip.cloudprovider.net
I created a deployment called 'whoami' with a hostname of
I request a certificate using Traefik with the Cloudflare ACME integration.
I get an error message:
time="2023-07-20T13:11:35Z" level=error msg="Unable to obtain ACME certificate for domains \"whoami.example.com\": unable to generate a certificate for the domains [whoami.example.com]: error: one or more domains had a problem: [whoami.example.com] [whoami.example.com] acme: error presenting token: cloudflare: failed to find zone haip.cloudprovider.net.: zone could not be found" routerName=whoami-ingressroutetls-634c5674f9b4d48261f8@kubernetescrd providerName=cloudflare.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" rule="Host(`whoami.example.com`) && PathPrefix(`/tls`)"
So for some reason, the Traefik ACME is looking for a zone called haip.cloudprovider.net instead of the
The problem disappears if I use an A record instead of a CNAME. I suspect it has something to do with the lookup of SOA records. When using a CNAME, an SOA record lookup returns the haip.cloudprovider.net zone instead of the
Is this a bug? Am I doing something wrong? Is it not possible to use a wildcard CNAME to redirect all traffic to my cluster?
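The following Python is an added example, not code from the original post, from Traefik or from lego (the ACME library Traefik uses). It simulates, on a constructed record table, the two lookups the post suspects: a DNS-01 client first follows any CNAME at `_acme-challenge.<host>`, and only then discovers the zone of the resulting name by stripping labels until it finds an SOA record. The owner names mirror the post's anonymized setup; the SOA contents, the `haip.cloudprovider.net` delegation and the placeholder TXT record are assumptions made for the example.

```python
"""Why a wildcard CNAME makes a DNS-01 client look for the wrong zone.

Added example for this post; not code from the original post, from Traefik or
from lego. It simulates, on a constructed record table, the two steps a DNS-01
ACME client such as lego performs before calling the Cloudflare API: follow any
CNAME at _acme-challenge.<host>, then find the zone of the resulting name by
walking up the labels until a name with an SOA record is found. Owner names
mirror the post's anonymized setup; SOA contents, the haip.cloudprovider.net
delegation and the placeholder TXT record are assumptions for this example.
"""

# Constructed records: owner name -> {rtype: rdata}. All names are fully qualified.
WILDCARD_CNAME = {
    "example.com.": {"SOA": "ns1.example.com."},                   # zone hosted at Cloudflare
    "*.example.com.": {"CNAME": "22.214.171.124.haip.cloudprovider.net."},
    "cloudprovider.net.": {"SOA": "ns1.cloudprovider.net."},
    "haip.cloudprovider.net.": {"SOA": "ns1.cloudprovider.net."},  # assumed child zone
    "22.214.171.124.haip.cloudprovider.net.": {"A": "22.214.171.124"},
}


def name_exists(name, records):
    """RFC 4592 existence: a name exists if it owns records or has descendants
    (an empty non-terminal)."""
    return any(owner == name or owner.endswith("." + name) for owner in records)


def lookup(name, rtype, records):
    """Answer a query for (name, rtype). If the name does not exist, synthesize
    from the '*' child of its closest encloser, as a wildcard does."""
    if name_exists(name, records):
        return records.get(name, {}).get(rtype)  # existing name: no wildcard applies
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if name_exists(ancestor, records):  # closest encloser
            return records.get("*." + ancestor, {}).get(rtype)
    return None


def follow_cname(fqdn, records, max_hops=10):
    """Follow a CNAME chain from fqdn, as lego does before zone discovery."""
    for _ in range(max_hops):
        target = lookup(fqdn, "CNAME", records)
        if target is None:
            return fqdn
        fqdn = target
    raise RuntimeError(f"CNAME chain from {fqdn} too long")


def find_zone_by_fqdn(fqdn, records):
    """Strip labels from the left until a name owning an SOA record is found;
    that name is the zone the DNS provider plugin is asked to manage."""
    labels = fqdn.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if "SOA" in records.get(candidate, {}):
            return candidate
    raise LookupError(f"no SOA found above {fqdn}")


def challenge_placement(domain, records, follow_cnames=True):
    """Return (name where the TXT record must be created, zone looked up)."""
    fqdn = f"_acme-challenge.{domain}."
    if follow_cnames:
        fqdn = follow_cname(fqdn, records)
    return fqdn, find_zone_by_fqdn(fqdn, records)


def with_wildcard_a(records):
    """Variant from the post: '*.example.com' as an A record instead of a CNAME."""
    out = dict(records)
    out["*.example.com."] = {"A": "22.214.171.124"}
    return out


def with_explicit_challenge_name(records, domain):
    """Variant (assumption, not from the post): keep the wildcard CNAME but add
    a record at _acme-challenge.<domain>, so the wildcard no longer matches it."""
    out = dict(records)
    out[f"_acme-challenge.{domain}."] = {"TXT": "placeholder"}
    return out


if __name__ == "__main__":
    host = "whoami.example.com"
    cases = [
        ("wildcard CNAME (the post)", WILDCARD_CNAME, True),
        ("wildcard A record", with_wildcard_a(WILDCARD_CNAME), True),
        ("explicit _acme-challenge name", with_explicit_challenge_name(WILDCARD_CNAME, host), True),
        ("wildcard CNAME, CNAME following off", WILDCARD_CNAME, False),
    ]
    for label, recs, follow in cases:
        print(f"{label}: {challenge_placement(host, recs, follow)}")
```

With the wildcard CNAME in place, `_acme-challenge.whoami.example.com` is synthesized as a CNAME to `22.214.171.124.haip.cloudprovider.net`, and the SOA walk from there stops at `haip.cloudprovider.net`, which is exactly the zone name in the log's `zone could not be found` message; the Cloudflare plugin is asking for a zone Cloudflare does not host. The other cases show why the A record works and two ways of keeping the wildcard CNAME: an explicit record at the `_acme-challenge` name (wildcard synthesis stops once that name exists) or not following CNAMEs at all, which lego controls through its `LEGO_DISABLE_CNAME_SUPPORT` environment variable.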