Incorrect _acme-challenge hidden TXT record resolving to SPF TXT record

I currently have two domains that are using Wildcard certificates issued by LE via Traefik. Domain 1 is able to renew its certificate; Domain 2 is returning an error (shown at the end of this post). Any guidance on how to fix Domain 2 would be DEEPLY APPRECIATED.

Domain 1
I can see on domain1 a _acme-challenge TXT entry with a token key of some kind. Running dig on that subdomain produces:

dig _acme-challenge.domain1.com TXT

; <<>> DiG 9.10.1-P2 <<>> _acme-challenge.domain1.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: *****
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.domain1.com. IN	TXT

;; ANSWER SECTION:
_acme-challenge.domain1.com. 5 IN	TXT	"Mo*********************GInU"

;; Query time: 13 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Jun 07 21:51:25 EST 2022
;; MSG SIZE  rcvd: 116

Domain 2
I CANNOT see a _acme-challenge TXT entry on domain2. Running dig on that subdomain produces:

dig _acme-challenge.domain2.com TXT

; <<>> DiG 9.10.1-P2 <<>> _acme-challenge.domain2.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: *****
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.domain2.com.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.domain2.com.	5 IN	TXT	"v=spf1 include:_spf.mx.cloudflare.net ~all"

;; Query time: 14 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Jun 07 21:34:18 EST 2022
;; MSG SIZE  rcvd: 114

Error returned by Traefik

Error renewing certificate from LE: {domain2.com [.domain2.com]}, error: one or more domains had a problem:\n[.domain2.com] [*.domain2.com] acme: error presenting token: Cloudflare: could not find the start of authority for _acme-challenge.domain2.com.: dial udp: lookup 1.1.1.1:53,1.0.0.1:53: no such host\n[domain2.com] [domain2.com] acme: error presenting token: Cloudflare: could not find the start of authority for _acme-challenge.domain2.com.: dial udp: lookup 1.1.1.1:53,1.0.0.1:53: no such host\n" ACME CA=“https://acme-v02.api.letsencrypt.org/directory” providerName=Cloudflare.acme

This is the answer for domain 2 but appears to be an SPF record.
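An offline version of the comparison the two dig runs above make, added here as an example (it is not code from this thread, from Traefik or from lego): it parses dig-style output, labels each TXT answer as either an ACME DNS-01 token (43 base64url characters, the unpadded SHA-256 digest of the key authorization) or an SPF policy, and walks up the name label by label to find the zone apex, the start-of-authority lookup that the error message reports failing, using a caller-supplied has_soa callable instead of a live query. The dig text, the token and the domain names are constructed placeholders.

```python
"""Offline diagnostics for a DNS-01 (_acme-challenge) TXT lookup.

Added example, not code from the original thread or from Traefik/lego.
Assumptions: dig output is parsed from text (constructed below) and the
zone-apex walk uses a caller-supplied has_soa() callable, not live DNS.
"""
import re
from typing import Callable, Dict, List, Optional

# A DNS-01 TXT value is base64url(SHA-256(key authorization)) without padding:
# 32 bytes -> 43 characters from the base64url alphabet.
ACME_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")
TXT_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed dig output modelled on the two lookups in the post
# (token and domains are placeholders, not real records).
DIG_DOMAIN1 = """\
;; QUESTION SECTION:
;_acme-challenge.domain1.com.\tIN\tTXT

;; ANSWER SECTION:
_acme-challenge.domain1.com.\t5\tIN\tTXT\t"Mo0123456789abcdefghijklmnopqrstuvwxyzAGInU"
"""

DIG_DOMAIN2 = """\
;; QUESTION SECTION:
;_acme-challenge.domain2.com.\tIN\tTXT

;; ANSWER SECTION:
_acme-challenge.domain2.com.\t5\tIN\tTXT\t"v=spf1 include:_spf.mx.cloudflare.net ~all"
"""


def parse_answers(dig_text: str) -> List[Dict[str, str]]:
    """Return the ANSWER SECTION records as dicts (name, ttl, type, rdata)."""
    records = []
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
            continue
        if not in_answer or not line.strip() or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype == "TXT":
            # A TXT RR may carry several quoted character-strings; join them.
            rdata = "".join(TXT_STRING_RE.findall(rdata))
        records.append({"name": name, "ttl": ttl, "type": rtype, "rdata": rdata})
    return records


def classify_txt(value: str) -> str:
    """Label a TXT value as 'acme-token', 'spf' or 'other'."""
    if value.lower().startswith("v=spf1"):
        return "spf"
    if ACME_TOKEN_RE.match(value):
        return "acme-token"
    return "other"


def diagnose(dig_text: str) -> Dict[str, object]:
    """Summarise whether the _acme-challenge name holds a usable validation token."""
    txt = [r for r in parse_answers(dig_text) if r["type"] == "TXT"]
    labels = {r["rdata"]: classify_txt(r["rdata"]) for r in txt}
    findings = []
    if not txt:
        findings.append("no TXT record at the _acme-challenge name")
    for value, label in labels.items():
        if label == "spf":
            findings.append("SPF policy answered at the _acme-challenge name: " + value)
        elif label == "other":
            findings.append("unexpected TXT value: " + value)
    return {
        "has_token": any(label == "acme-token" for label in labels.values()),
        "findings": findings,
    }


def find_zone_apex(fqdn: str, has_soa: Callable[[str], bool]) -> Optional[str]:
    """Strip leading labels until a name that has an SOA record is found.

    This is the usual way a DNS-challenge client decides which zone to
    create the record in; has_soa() stands in for a live SOA query and
    returns None when no start of authority is found at any level.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if has_soa(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed stand-in for the SOA lookup: only the two apexes answer.
    known_zones = {"domain1.com.", "domain2.com."}
    for text in (DIG_DOMAIN1, DIG_DOMAIN2):
        name = parse_answers(text)[0]["name"]
        print(name, diagnose(text), "zone:", find_zone_apex(name, known_zones.__contains__))
```

Running it prints that domain1's answer carries a token and domain2's answer is an SPF policy rather than a token; passing a has_soa callable that never answers (as when the resolver itself cannot be reached) makes find_zone_apex return None, which is the condition a client reports as not finding the start of authority.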

What is your traefik configuration? Are you using the Cloudflare DNS provider?

Thanks for the response, domain 1 is actually working from the same instance of traefik as domain 2.
Here is the config anyway to remove doubt.

global:
  checkNewVersion: true
  sendAnonymousUsage: false

pilot:
  token: ********

serversTransport:
  insecureSkipVerify: true
  maxIdleConnsPerHost: 0

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
        
  websecure:
    address: :443
    http:
      tls:
        certResolver: cloudflare
        domains:
          - main: domain2.com
            sans:
              - "*.domain2.com"
          - main: domain1.com
            sans:
              - "*.domain1.com"

providers:
  file:
    directory: /config/rules
    watch: true
  docker:
    endpoint: unix:///var/run/docker.sock
    watch: true
    exposedbydefault: false
    defaultRule: Host(`{{ index .Labels "com.docker.compose.service" }}.domain2.com`)
    network: proxy-network

api:
  dashboard: true
  insecure: true

log:
  level: ERROR
  filePath: /var/log/traefik/traefik.log

certificatesResolvers:
  cloudflare:
    acme:
      email: ***********
      storage: /config/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 90
        resolvers: 1.1.1.1:53,1.0.0.1:53

That looks right; it matches a working config for me. What is domain 2?

I can’t seem to private message you, perhaps because I am still a basic user. Can you PM me, perhaps then I can respond. I don’t want that domain plastered on forums.

For future reference: this required opening a ticket with support to remove the entries.
