Cname -> dynDNS - Traefik DNS challenge "failed to find zone <CNAME zone>"

Hello,

I am trying to set up the following stack:

Cloudflare CNAME pointing to my FRITZ!Box DynDNS entry:
CNAME *.home.mydomain.com "XXXXX.myfritz.net" (Cloudflare proxy disabled)

Traefik running in a Docker container in my local network with the following config:

certificatesResolvers:
  production:
    acme:
      email: XXXX
      storage: acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

When starting Traefik I see the following logs:

{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","error":"unable to generate a certificate for the domains [*.home.xxx: error: one or more domains had a problem:\n[*.home.xxx] [*.home.xxx acme: error presenting token: cloudflare: failed to find zone myfritz.net.: zone could not be found\n","level":"error","msg":"Unable to obtain ACME certificate for domains \"*.home.xxx\"","providerName":"production.acme","routerName":"nginx@docker","rule":"Host(`nginx.home.xxx`)","time":"2024-03-29T21:47:45Z"}

What I found interesting is:
When I enable the Cloudflare proxy for the CNAME, I am able to get a certificate:

{"level":"debug","msg":"legolog: [INFO] [*.home.xxx acme: Validations succeeded; requesting certificates","time":"2024-03-29T21:53:53Z"}
{"level":"debug","msg":"legolog: [INFO] [*.home.xxx Server responded with a certificate.","time":"2024-03-29T21:53:55Z"}

But using this cert, e.g. to forward traffic to an nginx server behind Traefik, results in:

An error occurred during a connection to nginx.home.xxx. Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Any help or ideas are appreciated as I am running out of ideas.

These are the full logs of the DNS challenge:

{"level":"debug","msg":"legolog: [INFO] Found CNAME entry for \"_acme-challenge.home.XXX.\": \"XXX.myfritz.net.\"","time":"2024-03-29T22:28:20Z"}
{"level":"debug","msg":"legolog: [INFO] [XXX] acme: Preparing to solve DNS-01","time":"2024-03-29T22:28:21Z"}
{"level":"debug","msg":"legolog: [INFO] cloudflare: new record for XXX, ID b3c5818ad182ada73cee981fc5c9e2e4","time":"2024-03-29T22:28:22Z"}
{"level":"debug","msg":"legolog: [INFO] [XXX] acme: Trying to solve DNS-01","time":"2024-03-29T22:28:22Z"}
{"level":"debug","msg":"legolog: [INFO] [XXX] acme: Checking DNS record propagation using [1.1.1.1:53 1.0.0.1:53]","time":"2024-03-29T22:28:22Z"}
{"level":"debug","msg":"legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]","time":"2024-03-29T22:28:24Z"}
{"level":"debug","msg":"legolog: [INFO] [XXX] The server validated our request","time":"2024-03-29T22:28:28Z"}
{"level":"debug","msg":"legolog: [INFO] [*.home.XXX] acme: Cleaning DNS-01 challenge","time":"2024-03-29T22:28:28Z"}
{"level":"debug","msg":"legolog: [INFO] Found CNAME entry for \"_acme-challenge.home.XXX.\": \"XXX.myfritz.net.\"","time":"2024-03-29T22:28:28Z"}
{"level":"debug","msg":"legolog: [WARN] [*.home.XXX] acme: cleaning up failed: cloudflare: failed to find zone myfritz.net.: zone could not be found ","time":"2024-03-29T22:28:29Z"}
{"level":"debug","msg":"legolog: [INFO] [XXX] acme: Cleaning DNS-01 challenge","time":"2024-03-29T22:28:29Z"}
{"level":"debug","msg":"legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/332253964767","time":"2024-03-29T22:28:30Z"}
{"level":"debug","msg":"legolog: [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/332253964777","time":"2024-03-29T22:28:30Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","error":"unable to generate a certificate for the domains [XXX *.home.XXX]: error: one or more domains had a problem:\n[*.home.XXX] [*.home.XXX] acme: error presenting token: cloudflare: failed to find zone myfritz.net.: zone could not be found\n","level":"error","msg":"Unable to obtain ACME certificate for domains \"XXX,*.home.XXX\"","providerName":"production.acme","routerName":"traefik-secure@docker","rule":"Host(`traefik-dashboard.home.XXX`)","time":"2024-03-29T22:28:30Z"}
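The log lines above show the mechanism behind the error: the solver first looks for a CNAME at `_acme-challenge.home.XXX`, the wildcard CNAME `*.home.XXX -> XXX.myfritz.net` answers that query, the solver follows it and then asks the Cloudflare API for the zone `myfritz.net`, which the account does not manage. The following Python simulation is an added illustration, not code from the original post, from Traefik or from lego; the zone data in it is constructed, with `mydomain.com` standing in for the redacted domain, and the `follow_cname` switch models lego's real `LEGO_DISABLE_CNAME_SUPPORT` environment variable. It also covers the A-record case the thread mentions later: with an A record in place of the CNAME there is nothing to follow, so the TXT record lands in the managed zone.

```python
"""Simulation of how an ACME DNS-01 solver (lego, as used by Traefik) picks the
name and zone for the validation TXT record when the challenge name is covered
by a wildcard CNAME. All zone data is constructed; "mydomain.com" stands in
for the redacted domain in the thread."""

# Constructed records as served by the authoritative DNS (Cloudflare).
WILDCARD_CNAME = {"*.home.mydomain.com.": ("CNAME", "XXXXX.myfritz.net.")}
WILDCARD_A = {"*.home.mydomain.com.": ("A", "203.0.113.10")}  # TEST-NET-3 address

# Apex zones as an SOA walk would discover them (constructed).
AUTHORITATIVE_ZONES = {"mydomain.com.", "myfritz.net."}
# Zones the Cloudflare API token used by Traefik can actually edit (constructed).
MANAGED_ZONES = {"mydomain.com."}


def lookup(name, records):
    """Exact match first, then the nearest enclosing wildcard (RFC 4592,
    simplified: no closest-encloser check)."""
    if name in records:
        return records[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        rr = records.get("*." + ".".join(labels[i:]))
        if rr is not None:
            return rr
    return None


def challenge_fqdn(domain, records, follow_cname=True):
    """Name the TXT record must live at. With follow_cname=True, CNAMEs are
    chased the way lego does unless LEGO_DISABLE_CNAME_SUPPORT is set."""
    base = domain[2:] if domain.startswith("*.") else domain  # drop the "*." label
    fqdn = f"_acme-challenge.{base}."
    if not follow_cname:
        return fqdn
    seen = set()  # guards against CNAME loops
    while fqdn not in seen:
        seen.add(fqdn)
        rr = lookup(fqdn, records)
        if rr is None or rr[0] != "CNAME":
            break
        fqdn = rr[1]
    return fqdn


def find_zone(fqdn):
    """Walk the labels upward until an authoritative apex matches."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in AUTHORITATIVE_ZONES:
            return candidate
    return None


def plan_challenge(domain, records, follow_cname=True):
    """Return where the provider would write the TXT record, or the error it
    would raise when that zone is not in the API account."""
    fqdn = challenge_fqdn(domain, records, follow_cname)
    zone = find_zone(fqdn)
    if zone not in MANAGED_ZONES:
        return {"fqdn": fqdn, "zone": zone,
                "error": f"cloudflare: failed to find zone {zone}: zone could not be found"}
    return {"fqdn": fqdn, "zone": zone, "error": None}


if __name__ == "__main__":
    for label, records, follow in [
        ("wildcard CNAME, CNAME following on", WILDCARD_CNAME, True),
        ("wildcard CNAME, LEGO_DISABLE_CNAME_SUPPORT=true", WILDCARD_CNAME, False),
        ("wildcard A record instead of CNAME", WILDCARD_A, True),
    ]:
        print(label, "->", plan_challenge("*.home.mydomain.com", records, follow))
```

The first scenario reproduces the exact message from the log ("failed to find zone myfritz.net.: zone could not be found"); the other two succeed because the TXT record stays under `mydomain.com`. Note that any hostname under the wildcard, such as `nginx.home.mydomain.com`, is affected in the same way, since `_acme-challenge.nginx.home.mydomain.com` also matches `*.home.mydomain.com`. Enabling the Cloudflare proxy hides the problem only because a proxied CNAME is served as Cloudflare edge A/AAAA records, so there is no CNAME for the solver to follow, while the edge certificate then has to cover the name, which is the separate issue raised in the replies.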

This is a second level subdomain wildcard, the Universal SSL certificate only covers example.com and *.example.com. You will need to use the Advanced Certificate Manager to get an SSL certificate to cover *.home.example.com.


That applies for the certs from Cloudflare.
But I acquire the cert from letsencrypt.

Further proof that it is related to CNAME + proxy:
When I add an A record with my current public IP, I am able to get the certs from Let's Encrypt for the multilevel subdomain, and I am able to forward TLS-secured requests to Traefik, which is forwarding to nginx.

As I said, if you are running the request for *.home.example.com through the Cloudflare proxy, then you need the Cloudflare edge certificate to also be valid for this hostname. With Universal SSL it won’t be.

If you give the real hostnames then it will be easier to show.

