Failed to find zone <REDACTED>.xyz in DNSChallenge for Let's Encrypt Certificates

Hello!

For the past 4 days I've been receiving an error.
I only want to perform the DNS Challenge for Let's Encrypt Wildcard Certificates without exposing any home service website.
From the TechnoTim tutorial - Traefik 3 and FREE Wildcard Certificates with Docker

traefik-swarm_reverse-proxy.0.0kovc3uq3vbf@swarm3    | time="2024-05-27T11:15:54+02:00" level=error msg="Unable to obtain ACME certificate for domains \"home.<REDACTED>.xyz,*.home.<REDACTED>.xyz\"" error="unable to generate a certificate for the domains [home.<REDACTED>.xyz *.home.<REDACTED>.xyz]: error: one or more domains had a problem:\n[*.home.<REDACTED>.xyz] [*.home.<REDACTED>.xyz] acme: error presenting token: cloudflare: failed to find zone <REDACTED>.xyz.: ListZonesContext command failed: Invalid request headers (6003)\n[home.<REDACTED>.xyz] [home.<REDACTED>.xyz] acme: error presenting token: cloudflare: failed to find zone <REDACTED>.xyz.: ListZonesContext command failed: Invalid request headers (6003)\n" providerName=cloudflare.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=traefik-secure@docker rule="Host(`traefik.home.<REDACTED>.xyz`)"

What I have already tried additionally:

  1. Deleting all of my firewall rules from the router
  2. Used multiple environment variables for the dnsChallenge:
    • CLOUDFLARE_API_KEY={{CF_DNS_API_TOKEN}}
    • CLOUDFLARE_EMAIL=
    • CF_API_KEY={{CF_DNS_API_TOKEN}}
    • CF_API_EMAIL=
  3. Adding two resolver IPs (both Cloudflare 1.1.1.1 and Google 8.8.8.8)
  4. Deleting quotes around my environment variables
  5. Trying out the Cloudflare API for "ALL ZONES"
  6. Deleted all settings in dnsmasq.d and all records pointing to .home in PiHole, and later added a CNAME and DNS pointing to this CNAME (exactly as in the tutorial)
  7. I've tried having a domain one level lower (without .home), just traefik.<REDACTED>.xyz
  8. Adding the delayBeforeCheck and disablePropagationCheck parameters
  9. Giving delayBeforeCheck a value of 600s instead of 60s
  10. Added additional A records for .home.<REDACTED>.xyz in Cloudflare

traefik-stack.yml:

version: '3.5'

services:
  reverse-proxy:
    image: traefik:2.11.2
    ports:
      - "80:80"
      - "8080:8080"  # For Traefik dashboard
      - "443:443"
    #  - "222:222"
    volumes:
      - /home/swarm/traefik/traefik-conf.yml:/etc/traefik/traefik.yml:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/swarm/traefik/configuration/:/configuration/
      - /etc/localtime:/etc/localtime:ro # To get timezones
      - /home/swarm/traefik/acme.json:/acme.json
    environment:
      - TZ=Europe/Warsaw
      - CLOUDFLARE_API_KEY=<REDACTED>
      - CLOUDFLARE_EMAIL=<REDACTED>
      - CF_API_KEY=<REDACTED>
      - CF_API_EMAIL=<REDACTED>
      - CF_ZONE_API_TOKEN=<REDACTED>
    networks:
      - web

    deploy:
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik.home.<REDACTED>.xyz`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.home.<REDACTED>.xyz`)"
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$Bsvmb9NZ$$eW3Ss7.hKqfiZNUG/0zfd/"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=home.<REDACTED>.xyz"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.home.<REDACTED>.xyz"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # Dummy service for Swarm port detection. The port can be any valid integer value.
      - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"

      mode: global
      placement:
        constraints: [node.role == manager]

networks:
  web:
    driver: overlay
    attachable: true
    name: web

traefik-conf.yml

api:
  dashboard: true
  debug: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    swarmMode: true
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # file:
  #   filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: <REDACTED>
      storage: acme.json
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare. Setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        delayBeforeCheck: 600s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
        resolvers:
          - 1.1.1.1:53
          - 8.8.8.8:53

  acmeLogging: true

There's already a template for the DNS token, and it should look like this:

1 Like

Unfortunately changing the API key settings didn't help.

The issue still occurs

Problem is with this line:

  • CF_API_KEY={{CF_DNS_API_TOKEN}}

I should have named the variable CF_DNS_API_TOKEN.

Now it works

1 Like
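The thread resolves on a variable name, but the failure mode is worth making mechanical, because the stack file above sets five Cloudflare variables and none of them is the one lego (the ACME library inside Traefik) reads for a scoped API token. The preflight below is an added example, not code from the thread or from Traefik/lego. It encodes the variable names lego's `cloudflare` provider accepts (`CLOUDFLARE_EMAIL`/`CF_API_EMAIL` plus `CLOUDFLARE_API_KEY`/`CF_API_KEY` for the legacy global key, `CLOUDFLARE_DNS_API_TOKEN`/`CF_DNS_API_TOKEN` for a scoped token, `CLOUDFLARE_ZONE_API_TOKEN`/`CF_ZONE_API_TOKEN` optionally, each with a `_FILE` variant) and its precedence: when email and key are both set, that pair is used and any DNS token is ignored. That is exactly the original stack: a scoped token was placed in the global-key slot, sent as `X-Auth-Key`, and Cloudflare answered "Invalid request headers (6003)" before lego could list zones. Two things are my own assumptions, not from the page or Cloudflare's documentation: the format heuristics (global key = 37 hex characters, scoped token = 40 characters of `[A-Za-z0-9_-]`) and the sample `environment:` lines, which are constructed with a fake token.

```python
"""Preflight check for the Cloudflare credentials Traefik passes to lego.

Added example (not from the thread, Traefik or lego). Variable names and
precedence follow lego's cloudflare provider; the two regexes below are
format heuristics I assume, not a documented contract.
"""
import re
from typing import Dict, List, Optional, Tuple

# Heuristics (assumption): global API key = 37 hex chars, API token = 40 chars of [A-Za-z0-9_-].
GLOBAL_KEY_RE = re.compile(r"^[0-9a-f]{37}$")
API_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{40}$")
FROM_FILE = "<read from _FILE>"  # sentinel: value lives in a secrets file we do not open

# Names lego's cloudflare provider reads, primary name first, CF_ alias second.
EMAIL_VARS = ("CLOUDFLARE_EMAIL", "CF_API_EMAIL")
KEY_VARS = ("CLOUDFLARE_API_KEY", "CF_API_KEY")
DNS_TOKEN_VARS = ("CLOUDFLARE_DNS_API_TOKEN", "CF_DNS_API_TOKEN")
ZONE_TOKEN_VARS = ("CLOUDFLARE_ZONE_API_TOKEN", "CF_ZONE_API_TOKEN")


def parse_env_lines(lines: List[str]) -> Dict[str, str]:
    """Parse `- KEY=value` items from a compose/stack `environment:` list."""
    env: Dict[str, str] = {}
    for line in lines:
        item = line.strip()
        if item.startswith("-"):
            item = item[1:].strip()
        item = item.strip("'\"")  # quotes around the whole item
        if not item or item.startswith("#") or "=" not in item:
            continue
        key, _, value = item.partition("=")
        env[key.strip()] = value.strip().strip("'\"")  # quotes around the value
    return env


def first_set(env: Dict[str, str], names: Tuple[str, ...]) -> Tuple[Optional[str], str]:
    """Return the first of `names` that is set, honouring lego's `_FILE` variant."""
    for name in names:
        if env.get(name):
            return name, env[name]
        if env.get(name + "_FILE"):
            return name + "_FILE", FROM_FILE
    return None, ""


def check_cloudflare_env(env: Dict[str, str]) -> Dict[str, object]:
    """Classify which auth mode lego would pick and list misconfigurations."""
    errors: List[str] = []
    notes: List[str] = []
    email_var, email = first_set(env, EMAIL_VARS)
    key_var, key = first_set(env, KEY_VARS)
    dns_var, dns_token = first_set(env, DNS_TOKEN_VARS)
    zone_var, zone_token = first_set(env, ZONE_TOKEN_VARS)

    # An unrendered template placeholder such as {{CF_DNS_API_TOKEN}} is never valid.
    for var, value in ((key_var, key), (dns_var, dns_token), (zone_var, zone_token)):
        if value and "{{" in value:
            errors.append(f"{var} still holds an unexpanded placeholder {value!r}")

    if email and key:
        # lego tries email + global key first; a DNS token is ignored in this mode.
        mode = "global-key"
        if key != FROM_FILE and not GLOBAL_KEY_RE.match(key):
            errors.append(
                f"{key_var} does not look like a 37-hex global API key; a scoped token in "
                f"this slot is sent as X-Auth-Key and Cloudflare rejects the request headers. "
                f"Put it in {DNS_TOKEN_VARS[1]} and drop {email_var}/{key_var}."
            )
        if dns_token:
            notes.append(f"{dns_var} is ignored while {email_var} and {key_var} are set")
    elif dns_token:
        mode = "api-token"
        if dns_token != FROM_FILE and not API_TOKEN_RE.match(dns_token):
            errors.append(f"{dns_var} does not look like a 40-character API token")
        if not zone_token:
            # Without a separate zone token, zone lookups (ListZones) reuse the DNS token.
            notes.append("zone lookups reuse the DNS token, so it needs Zone:Read as well as DNS:Edit")
    else:
        mode = "none"
        if key and not email:
            errors.append(f"{key_var} is set without {EMAIL_VARS[0]}; for a scoped token use {DNS_TOKEN_VARS[1]}")
        elif zone_token:
            errors.append(f"{zone_var} alone is not enough; set {DNS_TOKEN_VARS[1]} as well")
        else:
            errors.append(f"no Cloudflare credentials: set {DNS_TOKEN_VARS[1]}, or both {EMAIL_VARS[0]} and {KEY_VARS[0]}")
    return {"mode": mode, "errors": errors, "notes": notes}


# Constructed sample input: the shape of the stack file in this thread, with a fake token.
FAKE_TOKEN = "Ab-" + "x" * 36 + "_"  # 40 chars, token-shaped, not hex
POSTED_ENV = [
    "      - TZ=Europe/Warsaw",
    "      - CLOUDFLARE_API_KEY=" + FAKE_TOKEN,
    "      - CLOUDFLARE_EMAIL=admin@example.test",
    "      - CF_API_KEY=" + FAKE_TOKEN,
    "      - CF_API_EMAIL=admin@example.test",
    "      - CF_ZONE_API_TOKEN=" + FAKE_TOKEN,
]
FIXED_ENV = ["      - TZ=Europe/Warsaw", "      - CF_DNS_API_TOKEN=" + FAKE_TOKEN]

if __name__ == "__main__":
    for label, lines in (("posted", POSTED_ENV), ("fixed", FIXED_ENV)):
        print(label, check_cloudflare_env(parse_env_lines(lines)))
```

Run it against the `environment:` block of your stack file before `docker stack deploy`; the `FIXED_ENV` case is the single line the thread ends on. Keeping the token out of the stack file entirely (`CF_DNS_API_TOKEN_FILE` pointing at a Docker secret) passes the same check and avoids pasting a live credential into a forum post.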
