Traefik cannot issue certificate for CNAMEd wildcard domain

All IPs and domains are anonymized.
In a nutshell:

I have a domain in Cloudflare called example.com
I have a kubernetes cluster with a cloudprovider
This cloudprovider handles my LoadBalancer and provides a DNS name for it
The DNS name is 1.2.3.4.haip.cloudprovider.net

I created a wildcard CNAME record: *.example.com CNAME 1.2.3.4.haip.cloudprovider.net
I created a deployment called 'whoami' with a hostname of whoami.example.com
I request a certificate using Traefik with the Cloudflare ACME integration.

I get an error message:

time="2023-07-20T13:11:35Z" level=error msg="Unable to obtain ACME certificate for domains \"whoami.example.com\": unable to generate a certificate for the domains [whoami.example.com]:
 error: one or more domains had a problem:
[whoami.example.com] [whoami.example.com] acme:
 error presenting token: cloudflare: failed to find zone haip.cloudprovider.net.:
 zone could not be found"
 routerName=whoami-ingressroutetls-634c5674f9b4d48261f8@kubernetescrd providerName=cloudflare.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" rule="Host(`whoami.example.com`) && PathPrefix(`/tls`)"

So for some reason, the Traefik ACME is looking for a zone called haip.cloudprovider.net instead of the example.com zone.
The problem disappears if I use an A record instead of a CNAME. I suspect it has something to do with the lookup of SOA records. When using a CNAME, a SOA record lookup returns the haip.cloudprovider.net zone instead of the example.com zone.

Is this a bug? Am I doing something wrong? Is it not possible to use a wildcard CNAME to redirect all traffic to my cluster?

hello,

A CNAME has to follow some rules to be used for getting Let's Encrypt certificates; a wildcard CNAME doesn't allow those requirements to be handled.

You have to disable the support of CNAME inside lego by setting the env var LEGO_DISABLE_CNAME_SUPPORT=true

Right. But, typically, Kubernetes clusters are hosted by large cloud providers who handle the load balancing issue and give you an IP address and hostname that you can use as the public IP. So I feel like I cannot avoid using a CNAME to redirect my own domain names to my cluster, because my cloud provider could change the actual IP address without informing me.

You don't have to disable your CNAME wildcard, you just have to tell lego not to follow CNAMEs (LEGO_DISABLE_CNAME_SUPPORT=true).

You will be able to use lego and get certificates even if lego doesn't follow CNAMEs; it's just an option.
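Why the zone lookup ends at haip.cloudprovider.net, as an added illustration that is not part of this thread and not lego's own code: a simplified Python model of DNS-01 zone discovery (optionally follow the CNAME chain, then walk the name upward to the nearest SOA owner). The records are constructed from the anonymized names in the question, and placing an SOA at haip.cloudprovider.net is an assumption chosen to match the error message.

```python
import os
from typing import Dict, Optional, Set

# Constructed records using the anonymized names from the question; no real DNS is queried.
# SOA owners mark zone apexes. Giving haip.cloudprovider.net its own SOA is an assumption
# that matches the error message, which names exactly that zone.
SOA_OWNERS: Set[str] = {"example.com.", "cloudprovider.net.", "haip.cloudprovider.net."}
CNAMES: Dict[str, str] = {"*.example.com.": "1.2.3.4.haip.cloudprovider.net."}


def lookup_cname(name: str) -> Optional[str]:
    """Exact match first, then the nearest enclosing wildcard (RFC 4592 style)."""
    if name in CNAMES:
        return CNAMES[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        target = CNAMES.get("*." + ".".join(labels[i:]))
        if target is not None:
            return target
    return None


def resolve_cname_chain(name: str, max_hops: int = 8) -> str:
    """Follow CNAMEs until a name with no CNAME is reached (bounded against loops)."""
    for _ in range(max_hops):
        target = lookup_cname(name)
        if target is None:
            return name
        name = target
    raise RuntimeError(f"CNAME chain too long starting at {name}")


def find_zone_by_soa(fqdn: str) -> str:
    """Walk the name upward one label at a time until an SOA owner is found."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in SOA_OWNERS:
            return candidate
    raise LookupError(f"zone could not be found for {fqdn}")


def cname_following_enabled(env: Dict[str, str]) -> bool:
    """Mirror the switch from the thread: LEGO_DISABLE_CNAME_SUPPORT=true turns following off."""
    return env.get("LEGO_DISABLE_CNAME_SUPPORT", "false").strip().lower() not in ("true", "1", "t")


def challenge_zone(domain: str, follow_cname: bool) -> str:
    """Zone in which the DNS-01 TXT record for `domain` would be created."""
    fqdn = f"_acme-challenge.{domain}."
    if follow_cname:
        fqdn = resolve_cname_chain(fqdn)  # wildcard CNAME sends us into the provider's zone
    return find_zone_by_soa(fqdn)


if __name__ == "__main__":
    follow = cname_following_enabled(dict(os.environ))
    print("following CNAME:", follow, "->", challenge_zone("whoami.example.com", follow))
```

With following enabled the TXT record would have to go into haip.cloudprovider.net, which the Cloudflare account cannot serve; with it disabled the walk stops at example.com, the zone Cloudflare actually manages.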
