Friends, I have a question regarding Traefik in Kubernetes. I followed the guide from https://traefik.io/blog/install-and-configure-traefik-with-helm/ and deployed it successfully, and it works, but the certificate part of the config does not: Traefik is unable to request/generate/produce certificates using Cloudflare as the provider. All I receive is:
time="2021-07-27T08:09:11Z" level=error msg="Unable to obtain ACME certificate for domains \"domain.dom,*.domain.dom\" : unable to generate a certificate for the domains [domain.dom *.domain.dom]: error: one or more domains had a problem:\n[*.domain.dom] [*.domain.dom] acme: error presenting token: cloudflare: could not find the start of authority for _acme-challenge.domain.dom.: read udp 172.19.7.15:35627->1.1.1.1:53: i/o timeout\n[domain.dom] [domain.dom] acme: error presenting token: cloudflare: could not find the start of authority for _acme-challenge.domain.dom.: read udp 172.19.7.15:39094->1.1.1.1:53: i/o timeout\n" providerName=cloudflare.acme
If I exec into Traefik I can do lookups correctly and receive DNS info correctly; the provided key for auth also works if I test it with curl.
Can you please give me some insight as to where I should focus on diagnosing this issue?
Thank you!!
BTW, the relevant config bit:
additionalArguments:
- --providers.file.filename=/data/traefik-config.yaml
- --entrypoints.websecure.http.tls.certresolver=cloudflare
- --entrypoints.websecure.http.tls.domains[0].main=domain.systems
- --entrypoints.websecure.http.tls.domains[0].sans=*.domain.systems
- --entrypoints.websecure.http.tls.domains[1].main=domain.app
- --entrypoints.websecure.http.tls.domains[1].sans=*.domain.app
- --entrypoints.websecure.http.tls.domains[2].main=domain.site
- --entrypoints.websecure.http.tls.domains[2].sans=*.domain.site
#- --certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
- --certificatesresolvers.cloudflare.acme.email=my.email
- --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53
- --certificatesresolvers.cloudflare.acme.storage=/certs/acme.json
- --serversTransport.insecureSkipVerify=true
- --providers.kubernetesingress.ingressclass=traefik-external
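
The log line above fails at one specific step: a UDP read from the pod (172.19.7.15) to 1.1.1.1:53 times out while looking for the start of authority of _acme-challenge.domain.dom. The Python below is an added example, not part of the original post and not Traefik's own code: it sends an SOA query straight to the configured resolver over UDP and then TCP for the challenge name and each parent name, so a blocked path to port 53 can be told apart from a Cloudflare API problem. It assumes an IPv4 resolver and that it is run from a pod on the same network as Traefik; all function names are hypothetical.

```python
import socket
import struct

SOA = 6  # DNS resource record type number for SOA

def candidate_zones(fqdn):
    """Names to try when searching for the start of authority, longest first."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def build_query(name, qtype=SOA, txid=0x1234):
    """Minimal DNS query: header with RD set and one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_header(resp):
    """Return (rcode, truncated, answer_count) from a DNS response header."""
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    return flags & 0x000F, bool(flags & 0x0200), ancount

def probe(resolver, name, proto, timeout=3.0):
    """Send one SOA query over 'udp' or 'tcp' and summarise the outcome."""
    host, port = resolver.rsplit(":", 1)
    query = build_query(name)
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            s.connect((host, int(port)))
            if proto == "udp":
                s.send(query)
                resp = s.recv(4096)
            else:  # DNS over TCP prefixes each message with a 2-byte length
                s.sendall(struct.pack(">H", len(query)) + query)
                resp = s.recv(4096)[2:]
        rcode, truncated, answers = parse_header(resp)
        return f"rcode={rcode} truncated={truncated} answers={answers}"
    except (OSError, struct.error) as exc:  # timeouts, refusals, short reads
        return f"FAILED: {exc}"

if __name__ == "__main__":
    resolver = "1.1.1.1:53"  # value of dnschallenge.resolvers in the config above
    for zone in candidate_zones("_acme-challenge.domain.dom."):
        for proto in ("udp", "tcp"):
            print(f"{proto:3} {zone:30} {probe(resolver, zone, proto)}")
```

If UDP fails while TCP succeeds, or both fail only for 1.1.1.1 and not for the cluster DNS, the place to look is egress filtering (NetworkPolicy, node firewall, cloud security group) for port 53 rather than the Cloudflare credentials.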