Unable to generate a certificate for the domains

Hi all,

So I set up Traefik on my server and was using Porkbun, as that's where my DNS is registered, but I was having too many problems with it and lego ACME. So I switched the NS on Porkbun to Cloudflare and updated traefik.yaml to use Cloudflare instead.

It correctly updates CF with the TXT records, but I get the error below and it's still using the old Porkbun NS servers.
If I do an nslookup after it creates the TXT records, they are returned fine, but Traefik fails.

time="2024-01-26T22:08:23Z" level=error msg="Unable to obtain ACME certificate for domains \"xxx.xyz,*xxx.xyz\"" rule="Host(`nextcloud.xxx.xyz`)" error="unable to generate a certificate for the domains [xxx.xyz *.xxx.xyz]: error: one or more domains had a problem:\n[*.xxx.xyz] propagation: time limit exceeded: last error: NS fortaleza.ns.porkbun.com. returned REFUSED for xxxx.xyz.\n[xxxx.xyz] propagation: time limit exceeded: last error: NS curitiba.ns.porkbun.com. returned REFUSED for xxxx.xyz.\n" providerName=zerossl.acme ACME CA="https://acme.zerossl.com/v2/DV90" routerName=https-app@docker

Below is my YAML file:

```yaml
# Parent keys follow the indentation of the posted snippet (Traefik certificatesResolvers layout);
# the resolver name matches providerName=zerossl.acme in the log above.
certificatesResolvers:
  zerossl:
    acme:
      email: xxxxxxxxxx
      storage: /etc/traefik/acme.json
      # Use staging caServer for now to not get limited (comment out when in production)
      caServer: "https://acme.zerossl.com/v2/DV90"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - ""
          - ""
      eab: xxxxx
```

Does the domain exist in your DNS?

Maybe try using delayBeforeCheck:

By default, the provider verifies the TXT record before letting ACME verify. You can delay this operation by specifying a delay (in seconds) with delayBeforeCheck (value must be greater than zero). This option is useful when internal networks block external DNS queries.

Also, eab looks different in the docs:

```yaml
      # ...
      eab:
        kid: abc-keyID-xyz
        hmacEncoded: abc-hmac-xyz
```

Maybe related: Reddit post

PS: Note there are usually hard rate limits; if you try LE too often you will be blocked for a week. Use the staging server during the test phase, if ZeroSSL provides one.

Yes, the zone exists in CF.
I tried that delay option, no difference.
You were correct about that post, as I do have a 3-cert limit on ZeroSSL, but the issue I am having is at the DNS-01 challenge stage. Traefik keeps not seeing the records even though you can see them via nslookup. I keep getting that REFUSED error from the Porkbun NS, but I switched my NS from Porkbun to CF.

Have you thought about using httpChallenge? Maybe with Let's Encrypt? It's so much easier to use.

You only really need dnsChallenge for wildcards.

These are for internal services that are not accessible from the Internet.
I changed to Let's Encrypt but get the same error, so it's a lego ACME issue with my domain for some reason.
I don't see anyone else with this issue, so it must be a bug unique to me.

Traefik needs to create the TXT record with Cloudflare, will then validate it itself, and then trigger ZeroSSL, which will validate it again.

Enable Traefik debug. Use the delay and check if the TXT record exists in Cloudflare DNS. Did you set the env vars with the CF credentials?

Yes, the TXT records exist in CF.
Yes, the env vars are set, so the entries exist.
It's the validation that is failing.
I keep getting REFUSED:

time="2024-01-27T18:47:06Z" level=error msg="Unable to obtain ACME certificate for domains \"nextcloud.x\": unable to generate a certificate for the domains [nextcloud.x]: error: one or more domains had a problem:\n[nextcloud.x] propagation: time limit exceeded: last error: NS dale.ns.cloudflare.com. returned REFUSED for x.\n" providerName=letsencrypt.acme routerName=nextcloud@docker rule="Host(`nextcloudx`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"

Close this.
I fixed it by disabling the pre-check.
It's the only solution I found to the problem.
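The step that fails throughout this thread, as an added example that is not part of the original posts and not Traefik's or lego's own code: a small Python re-implementation of the DNS-01 propagation pre-check that lego runs before it asks the CA to validate. It finds the zone apex with SOA queries through the configured resolver, takes the zone's NS set from that same resolver, and then asks each of those nameservers directly for the `_acme-challenge` TXT record. A server that no longer hosts the zone answers REFUSED at that point, which is the "NS ... returned REFUSED" error above, and a resolver that still hands back the old NS set sends the check to exactly those servers. The `disable_checks` flag does what `disablePropagationCheck` does: it skips this step and leaves validation to the CA alone. The resolver and nameserver names, the token and the answer table are constructed for the offline scenario; `live_query` uses dnspython (`pip install dnspython`) and is only needed for a real diagnosis.

```python
"""Re-implementation, for diagnosis, of lego's DNS-01 propagation pre-check.
Added example, not Traefik or lego code: zone apex via SOA, NS set via the
configured resolver, then a direct TXT query to every authoritative NS."""
import socket
from typing import Callable, Dict, List, Tuple

# query(name, rtype, server) -> (rcode_text, rdata_strings)
QueryFn = Callable[[str, str, str], Tuple[str, List[str]]]


def live_query(name: str, rtype: str, server: str) -> Tuple[str, List[str]]:
    """Real UDP query against one server (hostname or IP); needs dnspython."""
    import dns.message
    import dns.query
    import dns.rcode
    import dns.rdatatype
    resp = dns.query.udp(dns.message.make_query(name, rtype),
                         socket.gethostbyname(server), timeout=5)
    want = dns.rdatatype.from_text(rtype)
    answers = [rr.to_text() for rrset in resp.answer if rrset.rdtype == want for rr in rrset]
    return dns.rcode.to_text(resp.rcode()), answers


def find_zone(fqdn: str, resolver: str, query: QueryFn) -> str:
    """Strip leading labels until the resolver returns a SOA: that is the zone apex."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:]) + "."
        rcode, soa = query(candidate, "SOA", resolver)
        if rcode == "NOERROR" and soa:
            return candidate
    raise RuntimeError(f"could not determine the zone for {fqdn}")


def check_propagation(fqdn: str, value: str, resolvers: List[str], query: QueryFn,
                      disable_checks: bool = False) -> Tuple[bool, List[str]]:
    """Return (ok, problems). ok is True only when every NS the resolver lists
    for the zone answers NOERROR and already serves the expected TXT value."""
    if disable_checks:              # Traefik: dnsChallenge.disablePropagationCheck: true
        return True, []
    challenge = "_acme-challenge." + fqdn.rstrip(".") + "."
    resolver = resolvers[0]         # lego walks the configured resolvers; one suffices here
    zone = find_zone(challenge, resolver, query)
    rcode, nameservers = query(zone, "NS", resolver)
    if rcode != "NOERROR" or not nameservers:
        return False, [f"resolver {resolver} returned {rcode} for NS of {zone}"]
    problems = []
    for ns in nameservers:
        rcode, txt = query(challenge, "TXT", ns)
        if rcode != "NOERROR":      # the "NS x returned REFUSED for y" case from the thread
            problems.append(f"NS {ns} returned {rcode} for {challenge}")
        elif f'"{value}"' not in txt:
            problems.append(f"NS {ns} does not yet serve the expected TXT value")
    return not problems, problems


# --- constructed offline scenario (illustration only; no real hosts) ---------------
ZONE, HOST, TOKEN = "example.test.", "nextcloud.example.test", "tok123"
OLD_NS = ["ns1.oldregistrar.test.", "ns2.oldregistrar.test."]   # zone was removed here
NEW_NS = ["ns1.newprovider.test.", "ns2.newprovider.test."]     # zone now lives here
SOA = "ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300"
TABLE: Dict[Tuple[str, str, str], Tuple[str, List[str]]] = {
    # one resolver still caches the old delegation, the other has refreshed it
    ("stale-resolver", ZONE, "SOA"): ("NOERROR", [SOA]),
    ("stale-resolver", ZONE, "NS"): ("NOERROR", OLD_NS),
    ("fresh-resolver", ZONE, "SOA"): ("NOERROR", [SOA]),
    ("fresh-resolver", ZONE, "NS"): ("NOERROR", NEW_NS),
}
for _ns in NEW_NS:                  # the new provider serves the challenge record
    TABLE[(_ns, "_acme-challenge." + HOST + ".", "TXT")] = ("NOERROR", [f'"{TOKEN}"'])


def fake_query(name: str, rtype: str, server: str) -> Tuple[str, List[str]]:
    """Offline stand-in for live_query, driven by TABLE."""
    if server in OLD_NS:            # a server that no longer hosts the zone answers REFUSED
        return "REFUSED", []
    return TABLE.get((server, name, rtype), ("NXDOMAIN", []))


def stale_delegation() -> Tuple[bool, List[str]]:
    return check_propagation(HOST, TOKEN, ["stale-resolver"], fake_query)


def fresh_delegation() -> Tuple[bool, List[str]]:
    return check_propagation(HOST, TOKEN, ["fresh-resolver"], fake_query)


def checks_disabled() -> Tuple[bool, List[str]]:
    return check_propagation(HOST, TOKEN, ["stale-resolver"], fake_query, disable_checks=True)


if __name__ == "__main__":
    for label, fn in (("stale", stale_delegation), ("fresh", fresh_delegation),
                      ("disabled", checks_disabled)):
        print(label, fn())
```

Against a real host, call `check_propagation(hostname, token, ["<resolver IP>"], live_query)` with the token Traefik wrote; the returned problem list shows which nameservers the pre-check consulted and what each answered, which tells you whether the resolver is still handing out the old delegation before you reach for `disablePropagationCheck` (that flag only skips the local check; the CA's own validation still has to find the record).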