[WORKED AROUND] Issues with Cloudflare ACME DNS challenge for subdomains

Hi all,

I've got an issue configuring Traefik ACME with Cloudflare DNS challenge + subdomains. In Cloudflare, I have a domain.me zone, with *.internal.domain.me delegated to an internal DNS server. I've successfully set up Traefik to use Cloudflare DNS challenge for domain.me:

traefik:
    command:
        - --certificatesResolvers.letsencrypt.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
        - --certificatesResolvers.letsencrypt.acme.email=postmaster@domain.me
        - --certificatesResolvers.letsencrypt.acme.storage=/acme.json
        - --certificatesResolvers.letsencrypt.acme.dnschallenge=true
        - --certificatesResolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
    environment:
        - CLOUDFLARE_EMAIL
        - CLOUDFLARE_DNS_API_TOKEN

This works fine, and successfully requests certificates for service1.domain.me (or service1.server.domain.me) configured as such:

service1:
    labels:
      traefik.enable: "true"
      traefik.http.routers.service1.rule: "Host(`service1.domain.me`)"
      traefik.http.routers.service1.entrypoints: "websecure"

However, for my internal services, it doesn't:

service2:
    labels:
      traefik.enable: "true"
      traefik.http.routers.service2.rule: "Host(`service2.server.internal.domain.me`)"
      traefik.http.routers.service2.entrypoints: "websecure"

Using DNS Challenge provider: cloudflare" providerName=letsencrypt.acm
legolog: [INFO] [service2.server.internal.domain.me] acme: Obtaining bundled SAN certificate
legolog: [INFO] [service2.server.internal.domain.me] acme: Could not find solver for: tls-alpn-01
legolog: [INFO] [service2.server.internal.domain.me] acme: Could not find solver for: http-01
legolog: [INFO] [service2.server.internal.domain.me] acme: use dns-01 solver
legolog: [INFO] [service2.server.internal.domain.me] acme: Preparing to solve DNS-01
legolog: [INFO] Found CNAME entry for \"_acme-challenge.service2.server.internal.domain.me.\": \"server.internal.domain.me.\"
legolog: [INFO] [service2.server.internal.domain.me] acme: Cleaning DNS-01 challenge
legolog: [INFO] Found CNAME entry for \"_acme-challenge.service2.server.internal.domain.me.\": \"server.internal.domain.me.\"
legolog: [WARN] [service2.server.internal.domain.me] acme: cleaning up failed: cloudflare: failed to find zone internal.domain.me.: zone could not be found 

internal.domain.me is indeed not a valid zone in my Cloudflare account. Is it possible to tell Traefik or lego which zone to use?

Alternatively, I considered using a wildcard certificate, but can't get that to work either. I adjusted my Traefik configuration as such:

traefik:
    command:
      - --entrypoints.websecure.http.tls.domains[0].main=domain.me
      - --entrypoints.websecure.http.tls.domains[0].sans=*.domain.me

Although this successfully requested a wildcard cert, it isn't used for my container:

Adding certificate for domain(s) *.domain.me,domain.me
No default certificate, fallback to the internal generated certificate
Serving default certificate for request: "service2.server.internal.domain.me"

This looked a lot like the GitHub issue "Traefik requests specific certificate instead wildcard certificate" (traefik/traefik #9682) and the Stack Overflow question "docker - Traefik requests sub-domain specific certificate instead of wildcard?", but updating my container configuration (which I'd prefer not to) doesn't help either:

service2:
    labels:
      'traefik.http.routers.whoami.tls.domains[0].main': 'domain.me'
      'traefik.http.routers.whoami.tls.domains[0].sans': '*.domain.me'

It prints the same debug message, "No default certificate", and continues serving the self-signed one.

Any help on how to get either of these approaches to work would be much appreciated!

A wildcard cert is only for one level, so *.example.com will not work for a.b.example.com.

Ah, I see. Updating the wildcard rules to server.internal.domain.me and *.server.internal.domain.me then breaks with the same error as I encounter when not using a wildcard certificate at all:

legolog: [INFO] [*.server.internal.domain.me] acme: use dns-01 solver
legolog: [INFO] [server.internal.domain.me] acme: Could not find solver for: tls-alpn-01
legolog: [INFO] [server.internal.domain.me] acme: Could not find solver for: http-01
legolog: [INFO] [server.internal.domain.me] acme: use dns-01 solver
legolog: [INFO] [*.server.internal.domain.me] acme: Preparing to solve DNS-01
legolog: [INFO] [server.internal.domain.me] acme: Preparing to solve DNS-01
legolog: [INFO] [*.server.internal.domain.me] acme: Cleaning DNS-01 challenge
legolog: [WARN] [*.server.internal.domain.me] acme: cleaning up failed: cloudflare: failed to find zone internal.domain.me.: zone could not be found 
legolog: [INFO] [server.internal.domain.me] acme: Cleaning DNS-01 challenge
legolog: [WARN] [server.internal.domain.me] acme: cleaning up failed: cloudflare: failed to find zone internal.domain.me.: zone could not be found 
legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/272183787816
legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/272183787826

Is it even possible to perform a DNS challenge for a subdomain (internal.domain.me) when only controlling the DNS records of the parent domain (domain.me)?

I got rid of the NS entry for my subdomain, instead adding all the DNS records to my main domain. That makes Cloudflare happy, allowing lego to set the necessary TXT records in the internal.domain.me subdomain. Not great, but at least it works.
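An added example (not from this thread, Traefik or lego): a small Python pre-flight check that models how lego chooses the zone for a dns-01 challenge (follow any CNAME on the `_acme-challenge` name, then walk up the labels to the first name with an SOA record) and then asks whether that zone exists in the Cloudflare account. It reproduces the "zone could not be found" outcome for hosts under the delegated internal.domain.me, the success once the NS delegation is removed, and the one-label rule for wildcard SANs. The DNS data and function names are constructed for illustration.

```python
# Added example, not from the thread: model lego's zone selection for dns-01
# (CNAME follow, then SOA walk up the labels) and check the result against the
# zones the Cloudflare API token can edit. All DNS data below is constructed.

SOA_NAMES = {"domain.me.", "internal.domain.me."}   # NS delegation gives internal.domain.me its own SOA
CNAMES = {"_acme-challenge.service2.server.internal.domain.me.": "server.internal.domain.me."}
CLOUDFLARE_ZONES = {"domain.me."}                     # zones present in the Cloudflare account


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def follow_cname(name: str, cnames=CNAMES, max_hops: int = 8) -> str:
    # lego resolves CNAMEs on the challenge name before choosing a zone.
    hops = 0
    while name in cnames and hops < max_hops:
        name, hops = cnames[name], hops + 1
    return name


def find_zone_by_fqdn(name: str, soa_names=SOA_NAMES) -> str:
    # Strip one leading label at a time; the first name with an SOA is the zone.
    labels = fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in soa_names:
            return candidate
    raise LookupError(f"no SOA found above {name}")


def dns01_zone_check(host: str, cloudflare_zones=CLOUDFLARE_ZONES, soa_names=SOA_NAMES):
    # Returns (zone lego would pick, whether the Cloudflare account owns that zone).
    base = host[2:] if host.startswith("*.") else host   # *.x and x share one challenge name
    target = follow_cname("_acme-challenge." + fqdn(base))
    zone = find_zone_by_fqdn(target, soa_names)
    return zone, zone in cloudflare_zones


def wildcard_covers(pattern: str, host: str) -> bool:
    # A wildcard SAN matches exactly one label: *.domain.me never covers a.b.domain.me.
    if not pattern.startswith("*."):
        return fqdn(pattern) == fqdn(host)
    suffix, h = fqdn(pattern)[1:], fqdn(host)   # suffix is ".domain.me."
    return h.endswith(suffix) and "." not in h[: -len(suffix)]


if __name__ == "__main__":
    for name in ("service1.domain.me", "service2.server.internal.domain.me", "*.server.internal.domain.me"):
        print(name, dns01_zone_check(name))
    # The workaround from the thread: no delegation, so the walk stops at domain.me.
    print("without delegation:", dns01_zone_check("service2.server.internal.domain.me", soa_names={"domain.me."}))
```

Running it prints a failing zone lookup for both internal names and a passing one once only domain.me has an SOA, matching the log lines above.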
