Issue with Let’s Encrypt Wildcard Certificates on Cosmos Server Using Cloudflare DNS Challenge

Hello Cloudflare Community,

I am experiencing an issue with setting up Let’s Encrypt wildcard certificates on my Cosmos Server, particularly during the Cloudflare DNS challenge. I’ve encountered various errors and need guidance to resolve them. Here’s a detailed overview of my situation:

Domain & Server Details

  • Domain: nerdbox.win
  • Server: Cosmos Server 1, self-hosted on Ubuntu 20.04.
  • LEGO is used for Let’s Encrypt certificates.

Initial Problem

  • Error encountered: SERVFAIL response code and a message indicating an inability to find the zone for nerdbox.win.
  • LEGO version was initially unknown, installed on Ubuntu 22.04 using sudo aptitude -y install lego.

Attempts to Resolve

  • Created a post in the Let’s Encrypt Forum (LINK)
  • Upgraded LEGO to version 4.14.2 by downloading the binary directly (uninstalled the old version).
  • Received a new error:
There are errors with your Let's Encrypt configuration or one of your routes, please fix them as soon as possible:
- error: one or more domains had a problem: [*.nerdbox.win] [*.nerdbox.win] acme: error presenting token: cloudflare: could not find zone for domain "nerdbox.win" (_acme-challenge.nerdbox.win.): could not find the start of authority for _acme-challenge.nerdbox.win.: read udp 127.0.0.1:33986->127.0.0.11:53: i/o timeout [nerdbox.win] [nerdbox.win] acme: error presenting token: cloudflare: could not find zone for domain "nerdbox.win" (_acme-challenge.nerdbox.win.): could not find the start of authority for _acme-challenge.nerdbox.win.: read udp 127.0.0.1:51947->127.0.0.11:53: i/o timeout 

Current Status

  • Both Cloudflare Email and API Key are correctly configured.
  • No interference from Docker, firewalls, or other network elements identified.
  • Recent discovery: Cloudflare may have restricted the ability to update/create TXT DNS entries for some TLDs, including .win. I have had people with a .win TLD tell me that it works for them.

Seeking Help For

  • Understanding the ‘SERVFAIL’ response and the ‘start of authority’ error.
  • Clarification on whether the .win TLD is restricted by Cloudflare for TXT DNS entries. (It’s not.)
  • Any guidance or insights into resolving these issues for successful wildcard certificate setup.

I appreciate any help or suggestions from the community.

Thank you!

Do you have to use LEGO? I’ve never used it; I use certbot with the Cloudflare plugin, and it’s as simple as running this…

certbot --dns-cloudflare --dns-cloudflare-credentials ./cloudflare-credentials.txt --preferred-challenges dns certonly -d example.com -d *.example.com

The credentials file is set up as described here…
https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials

As for…

There is an SOA (see link), but this looks like a problem with the resolver on the server.
https://cf.sjr.org.uk/tools/check?0dbb769ce85b4383b859dafb89e94164

Sadly I do, as LEGO is part of Cosmos Server (I’ve added a link in the original description).

Here is the output of resolvectl and systemctl status:

resolvectl
Global
           Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 1.1.1.1
         DNS Servers: 1.1.1.1 2606:4700:4700::1111
Fallback DNS Servers: 1.0.0.1

Link 2 (enp85s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
       DNS Servers: 1.1.1.1 1.0.0.1

Link 3 (wlo1)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 4 (br-33ad183ed719)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 5 (br-f53ba8cc187b)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 6 (br-1e6fa8a29038)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 7 (br-8511d1ec6fb2)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 8 (br-b4f116b03ad2)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 9 (docker0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 10 (br-d50a8b0f0392)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 12 (br-fa1f81d865d0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 13 (br-fe4b7cebe6b9)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 14 (br-0dd1054c303b)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 15 (br-291b68471952)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 16 (br-793d7bffc0bd)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 18 (br-9f353bd0f1a2)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 19 (br-cb9255fa00bc)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 20 (br-15a1e5a4acb6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 22 (br-96cc77517885)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 23 (br-b2c1913688e6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 24 (br-17a24c28be9e)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 25 (br-37c52ffedd3a)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 26 (br-602588c0cdf6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 27 (br-99884deca42c)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 28 (br-a3abad7c9946)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 29 (br-2def14d792e5)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 30 (br-895c94b9ef9b)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 32 (br-b000a24e184a)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 33 (br-cc640dc55189)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 34 (br-333617ca6eda)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 35 (br-abec7192980d)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 36 (br-b46714b1613a)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 37 (br-b577f4085fcc)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 38 (br-c74fcd58327c)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1351 (br-9758f7831564)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1550 (br-3fad06deeffb)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1572 (br-36619c1d5e63)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1842 (veth13350ed)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1844 (veth8eee547)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1846 (veth3868bae)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1848 (veth50df819)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1850 (vethdd67c99)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1852 (veth8428915)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1854 (veth188d867)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1856 (veth0443f65)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1858 (vethe518fab)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1860 (vethaed2afa)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1862 (veth8397c6e)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1864 (veth3fd6914)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1866 (veth78097ec)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1868 (veth4cee7a1)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1870 (vethad01c50)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1872 (vethf268eee)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1874 (veth66b4b5a)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1876 (veth83c11db)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1878 (vethbe142d9)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1880 (veth072a3f5)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1882 (vethb2f0bc8)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1884 (vethfb3c268)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1886 (vethd308061)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1888 (veth2bf8489)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1890 (veth04ed723)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1892 (veth35fabba)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1894 (vethdddc24d)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1896 (veth37429d6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1898 (veth742d9cb)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1900 (vethcd3ba15)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1902 (vetheb58b85)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1904 (veth3355791)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1906 (vethbb6dc3b)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1908 (veth3afc191)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1910 (veth71127c8)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1912 (vethaabad49)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1914 (veth205c46d)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1916 (veth9c3c992)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1918 (vetheb431df)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1920 (veth6bc1be6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1922 (vethc51f2a0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1924 (veth947466c)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1926 (vethfa1d4a9)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1928 (vethe8e467a)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1930 (veth4150c28)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1932 (vethddfff9f)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1934 (veth22ce4b6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1936 (veth8df85a7)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1938 (veth6293eac)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1940 (veth60881d9)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1942 (vethc0ec60b)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1944 (veth05bff85)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1946 (veth8924a09)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1948 (vethc7c1664)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1950 (vethf163837)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1952 (veth53e5152)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1954 (veth888e344)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1956 (vethb92a7db)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1958 (veth2f15321)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1960 (vethf289126)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1962 (veth60635c0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1964 (vethf5759da)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1966 (veth8ab9c64)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1968 (veth0c8fd62)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1970 (vethb35ce1c)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1972 (veth8b6f730)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1974 (vethed1809f)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1976 (veth4406599)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1978 (vethde0db25)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1980 (veth549d625)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1982 (vetha2241c6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1984 (veth5af98af)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1986 (veth9c47cc6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1988 (veth749bcd4)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1990 (veth882e477)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1992 (vethc7dc2a1)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1994 (vetha8f1332)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1996 (vethc1103e6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 1998 (vethd51dab1)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 2000 (vethd06f093)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 2002 (veth8c6a822)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-12-12 18:30:03 CET; 3min 21s ago
       Docs: man:systemd-resolved.service(8)
             man:org.freedesktop.resolve1(5)
             https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
             https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
   Main PID: 3219866 (systemd-resolve)
     Status: "Processing requests..."
      Tasks: 1 (limit: 37813)
     Memory: 5.1M
        CPU: 162ms
     CGroup: /system.slice/systemd-resolved.service
             └─3219866 /lib/systemd/systemd-resolved

Dec 12 18:30:03 {{username}} systemd[1]: Starting Network Name Resolution...
Dec 12 18:30:03 {{username}} systemd-resolved[3219866]: Positive Trust Anchors:
Dec 12 18:30:03 {{username}} systemd-resolved[3219866]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Dec 12 18:30:03 {{username}} systemd-resolved[3219866]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.a>
Dec 12 18:30:03 {{username}} systemd-resolved[3219866]: Using system hostname '{{username}}'.
Dec 12 18:30:03 {{username}} systemd[1]: Started Network Name Resolution.

As it’s complaining it can’t find _acme-challenge.nerdbox.win, just be sure you have your API credentials set correctly and, if using tokens, ensure they have the correct permissions.

Have a look in the audit log to see if you can see it creating then deleting the TXT records…
https://dash.cloudflare.com/?to=/:account/audit-log
(or quickly refresh your DNS page while it is running).

Again, I’m not familiar with LEGO, but with certbot I also found that on my free accounts it took longer than on my enterprise account for the TXT records to become live. A 10 second timeout was plenty on the latter, but gave intermittent errors as the TXT records weren’t always available in time on the free account, so I increased it to 60 seconds. Not sure if that’s something you can do.
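To make the two points in this thread concrete, here is an added example (not code from the thread, from Cosmos Server or from lego) that models the two DNS-side steps a DNS-01 client performs around its Cloudflare API call: first it has to discover which zone owns _acme-challenge.nerdbox.win by walking up the labels until some name answers with an SOA record (that is the "could not find the start of authority" step, and it runs through the system resolver, not through the Cloudflare API, so it fails before any credential is ever used); second, once the TXT record has been created, it polls until the record is visible, which is the propagation delay described above. The `FakeResolver`, its SOA text and the token value are constructed stand-ins; the real lego code also inspects the authority section of the SOA reply, which this simplified walk omits.

```python
"""Constructed model of the DNS lookups around a DNS-01 challenge.

Added example, not code from Cosmos Server or lego. FakeResolver is a
stand-in for the system resolver (inside a container that is usually the
Docker embedded DNS at 127.0.0.11); with timeout=True it behaves like the
resolver in the log above, which never answered the SOA query at all.
"""
import time
from dataclasses import dataclass, field


class ResolverTimeout(Exception):
    """The stub resolver did not answer at all (the 'i/o timeout' in the log)."""


@dataclass
class FakeResolver:
    soa: dict = field(default_factory=dict)       # zone apex -> SOA text (constructed)
    txt: dict = field(default_factory=dict)       # name -> list of TXT strings
    timeout: bool = False                         # True: every query times out
    txt_visible_after: int = 0                    # TXT queries answered empty before "propagation"
    queries: list = field(default_factory=list)   # audit trail of (name, rtype)

    def query(self, name: str, rtype: str) -> list:
        self.queries.append((name, rtype))
        if self.timeout:
            raise ResolverTimeout("read udp 127.0.0.1:0->127.0.0.11:53: i/o timeout")
        if rtype == "SOA":
            return [self.soa[name]] if name in self.soa else []
        if rtype == "TXT":
            asked = sum(1 for n, t in self.queries if n == name and t == "TXT")
            return list(self.txt.get(name, [])) if asked > self.txt_visible_after else []
        return []


def find_zone_by_fqdn(fqdn: str, resolver) -> str:
    """Walk the labels of fqdn upward until a name answers with an SOA record.

    Simplified version of the zone-discovery step; a resolver timeout here
    produces the 'could not find zone for domain' failure seen in the thread,
    regardless of whether the Cloudflare credentials are correct.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        try:
            answers = resolver.query(candidate, "SOA")
        except ResolverTimeout as exc:
            raise RuntimeError(
                f'could not find zone for domain "{fqdn}": '
                f"could not find the start of authority for {fqdn}: {exc}"
            ) from exc
        if answers:
            return candidate
    raise RuntimeError(f'could not find zone for domain "{fqdn}": no SOA record found')


def wait_for_txt(name: str, expected: str, resolver, attempts: int = 6,
                 interval: float = 10.0, sleep=time.sleep) -> int:
    """Poll until `expected` is among the TXT strings at `name`.

    Returns the attempt number on which the record became visible, or raises
    TimeoutError. attempts * interval plays the role of the propagation
    timeout discussed above; `sleep` is injectable so tests need not wait.
    """
    for attempt in range(1, attempts + 1):
        if expected in resolver.query(name, "TXT"):
            return attempt
        if attempt < attempts:
            sleep(interval)
    raise TimeoutError(f"{name} did not show {expected!r} within {attempts} attempts")


if __name__ == "__main__":
    challenge = "_acme-challenge.nerdbox.win."
    soa_text = "ns-placeholder.example. hostmaster-placeholder.example. 1 7200 3600 86400 3600"
    healthy = FakeResolver(soa={"nerdbox.win.": soa_text},
                           txt={challenge: ["constructed-token"]}, txt_visible_after=2)
    print("zone:", find_zone_by_fqdn(challenge, healthy))
    print("TXT visible on attempt", wait_for_txt(challenge, "constructed-token", healthy,
                                                 sleep=lambda s: None))
    try:
        find_zone_by_fqdn(challenge, FakeResolver(timeout=True))
    except RuntimeError as err:
        print("broken resolver:", err)
```

Run as a script it prints the discovered zone, the attempt on which the TXT record became visible, and the reconstructed error for the timing-out resolver. The practical reading for this thread: if the zone-discovery step fails with an i/o timeout, the thing to check is the resolver the process actually uses (inside a container that is the Docker embedded DNS, which in turn forwards to the host's resolver), not the API key; if discovery succeeds but validation fails intermittently, the polling budget is the knob, which for certbot's plugin is --dns-cloudflare-propagation-seconds.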

I have checked again (and did so many times already), both the CLOUDFLARE_EMAIL and the CLOUDFLARE_API_KEY (would change this to a token later if I get it working) values are correct.

I cannot see it creating then deleting the record. When I tried to do so manually with certbot it worked, and I still have those entries there. I used the same credentials for certbot, but as I already said, I need to get this working in Cosmos Server/LEGO. By now I have contacted all three possible sources of support (Cosmos/LEGO/Cloudflare) with this.

If the TXT records aren’t being created on Cloudflare, then it’s back to the Cosmos/LEGO people. Must be some issue with their use of the Cloudflare API, particularly as you managed to get it to work when you added the records manually.

Is there any log file on the server that records the Cloudflare API query being made and the response?

Here is the log from the Cosmos Docker container. I only replaced a few IPs and ports.

2023/12/12 18:05:32 [ERROR] Metrics - Error fetching Temperature: : Number of warnings: 1
2023/12/12 18:05:50 [WARN] [nerdbox.win] acme: cleaning up failed: cloudflare: could not find zone for domain "nerdbox.win" (_acme-challenge.nerdbox.win.): could not find the start of authority for _acme-challenge.nerdbox.win.: read udp 127.0.0.1:48341->127.0.0.11:53: i/o timeout
2023/12/12 18:05:50 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/292994460546
2023/12/12 18:05:51 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/292994460556
2023/12/12 18:05:51 [ERROR] LETSENCRYPT_OBTAIN : error: one or more domains had a problem:
[*.nerdbox.win] [*.nerdbox.win] acme: error presenting token: cloudflare: could not find zone for domain "nerdbox.win" (_acme-challenge.nerdbox.win.): could not find the start of authority for _acme-challenge.nerdbox.win.: read udp 127.0.0.1:55005->127.0.0.11:53: i/o timeout
[nerdbox.win] [nerdbox.win] acme: error presenting token: cloudflare: could not find zone for domain "nerdbox.win" (_acme-challenge.nerdbox.win.): could not find the start of authority for _acme-challenge.nerdbox.win.: read udp 127.0.0.1:54635->127.0.0.11:53: i/o timeout
2023/12/12 18:05:51 [ERROR] Getting TLS certificate. Fallback to previous certificate :
2023/12/12 18:05:51 [INFO] Initialising HTTP(S) Router and all routes
2023/12/12 18:05:51 [INFO] Starting in /app
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] containers.nerdbox.win to https://nextcloud-aio-mastercontainer:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] downloads.nerdbox.win to http://sabnzbd:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] subtitles.nerdbox.win to http://Bazarr:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] movies.nerdbox.win to http://Radarr:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] tv.nerdbox.win to http://Sonarr:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] music.nerdbox.win to http://Lidarr:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [PROXY] nas.nerdbox.win to {{NASIP}}:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] recipes.nerdbox.win to http://Tandoor:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] documents.nerdbox.win to http://Paperless-ngx:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] sync.nerdbox.win to http://syncthing:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] cine.nerdbox.win to http://Plex:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] cloud.nerdbox.win to http://nextcloud-aio-apache:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] moviematch.nerdbox.win to http://moviematch:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] photos.nerdbox.win to http://Immich:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] polls.nerdbox.win to http://app:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] polls.nerdbox.win to http://rallly:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] epg.nerdbox.win to http://Threadfin:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] actual.nerdbox.win to http://Actual:{{PORT}}
2023/12/12 18:05:51 [INFO] Added route: [SERVAPP] jellyfin.nerdbox.win to http://Jellyfin:{{PORT}}
2023/12/12 18:05:51 [INFO] TLS certificate exist, starting HTTPS servers and redirecting HTTP to HTTPS
2023/12/12 18:05:51 [INFO] Listening to HTTP on :80
2023/12/12 18:05:51 [INFO] Listening to HTTPS on :443
2023/12/12 18:05:51 [INFO] Setup: Checking Docker port mapping
2023/12/12 18:05:51 [INFO] Port mapping not changed.
2023/12/12 18:05:51 [INFO] Now listening to HTTPS on :443
2023/12/12 18:05:51 [WARN] Missing geolocation information to block IPs
2023/12/12 18:05:51 "GET https://cloud.nerdbox.win/apps/richdocuments/settings/fonts.json HTTP/1.1" from {{LAN_IP}}:{{PORT}} - 304 0B in 180.05934ms
2023/12/12 18:05:52 [INFO] API: Status
2023/12/12 18:05:52 "GET https://nerdbox.win/cosmos/api/status HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 1060B in 2.666928ms
2023/12/12 18:05:52 "GET https://nerdbox.win/cosmos-ui/config-general HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 630B in 716.607µs
2023/12/12 18:05:52 [INFO] API: Status
2023/12/12 18:05:52 "GET https://nerdbox.win/cosmos/api/status HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 1060B in 1.889006ms
2023/12/12 18:05:52 "GET https://nerdbox.win/cosmos/api/notifications HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 5634B in 2.505211ms
2023/12/12 18:05:52 "GET https://nerdbox.win/cosmos/api/me/ HTTP/2.0" from {{NC_IP}}:{{PORT}} - 301 49B in 1.297573ms
2023/12/12 18:05:52 [INFO] Using config file: /config/cosmos.config.json
2023/12/12 18:05:52 "GET https://nerdbox.win/cosmos/api/config HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 24941B in 2.797412ms
2023/12/12 18:05:52 "GET https://nerdbox.win/cosmos/api/me HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 317B in 1.863684ms
2023/12/12 18:05:52 [INFO] API: GetImage
2023/12/12 18:05:52 [ERROR] GetBackground: Error reading image - background.jpg : open /config//uploads/background.jpg: no such file or directory
2023/12/12 18:05:52 [ERROR] HTTP Request returned Error 500 : Error reading image :
2023/12/12 18:05:52 "GET https://nerdbox.win/cosmos/api/image/background.jpg HTTP/2.0" from {{NC_IP}}:{{PORT}} - 500 68B in 1.298721ms
2023/12/12 18:05:52 "GET https://nerdbox.win/cosmos/api/image/background.jpg HTTP/2.0" from {{NC_IP}}:{{PORT}} - 500 68B in 1.158275ms
2023/12/12 18:05:52 [INFO] API: GetImage
2023/12/12 18:05:52 [ERROR] GetBackground: Error reading image - background.jpg : open /config//uploads/background.jpg: no such file or directory
2023/12/12 18:05:52 [ERROR] HTTP Request returned Error 500 : Error reading image :
2023/12/12 18:05:55 http: TLS handshake error from {{LAN_IP}}:33480: EOF
2023/12/12 18:05:56 "POST https://music.nerdbox.win/signalr/messages/negotiate?access_token=dca867dd8fd4450e945761718657685e&negotiateVersion=1 HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 220B in 4.183205ms
2023/12/12 18:05:56 "GET https://music.nerdbox.win/api/v1/queue/status HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 117B in 3.72474ms
2023/12/12 18:05:56 "GET https://music.nerdbox.win/api/v1/health HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 188B in 3.217978ms
2023/12/12 18:05:56 "GET https://music.nerdbox.win/api/v1/command HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 1661B in 3.434924ms
2023/12/12 18:05:56 "GET https://music.nerdbox.win/api/v1/queue?page=1&pageSize=20&sortDirection=ascending&sortKey=timeleft&includeUnknownArtistItems=true HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 9931B in 5.58026ms
2023/12/12 18:05:57 "GET https://music.nerdbox.win/api/v1/artist HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 347141B in 1.410478373s
2023/12/12 18:05:57 "GET https://music.nerdbox.win/api/v1/album?albumIds=40731&albumIds=15589&albumIds=15520&albumIds=21844&albumIds=4011&albumIds=15515&albumIds=15508&albumIds=6063&albumIds=15565&albumIds=8974&albumIds=15535&albumIds=30237&albumIds=15491&albumIds=15574 HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 24124B in 14.050951ms
2023/12/12 18:05:58 [INFO] API: Status
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/status HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 1060B in 1.791181ms
2023/12/12 18:05:58 [INFO] Metrics: Agglomeration of metrics
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/metrics?metrics=cosmos.system.cpu.0,cosmos.system.ram,cosmos.system.netTx,cosmos.system.netRx,cosmos.proxy.all.success,cosmos.proxy.all.error HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 173447B in 4.094703ms
2023/12/12 18:05:58 [INFO] Using config file: /config/cosmos.config.json
2023/12/12 18:05:58 [INFO] API: Status
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/status HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 1060B in 2.540903ms
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/config HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 24941B in 3.012025ms
2023/12/12 18:05:58 [INFO] API: GetImage
2023/12/12 18:05:58 [ERROR] GetBackground: Error reading image - background.jpg : open /config//uploads/background.jpg: no such file or directory
2023/12/12 18:05:58 [ERROR] HTTP Request returned Error 500 : Error reading image :
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/image/background.jpg HTTP/2.0" from {{NC_IP}}:{{PORT}} - 500 68B in 848.327µs
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/me HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 317B in 1.356738ms
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/servapps HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 92393B in 40.100641ms
2023/12/12 18:05:58 [INFO] Metrics: Agglomeration of metrics
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/metrics?metrics=cosmos.system.netTx,cosmos.system.netRx HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 63127B in 4.633355ms
2023/12/12 18:05:58 [INFO] Metrics: Agglomeration of metrics
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/metrics?metrics=cosmos.proxy.all.success,cosmos.proxy.all.error HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 47397B in 2.239848ms
2023/12/12 18:05:58 [INFO] Metrics: Agglomeration of metrics
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/metrics?metrics=cosmos.system.netTx,cosmos.system.netRx HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 63127B in 2.704097ms
2023/12/12 18:05:58 [INFO] Metrics: Agglomeration of metrics
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/metrics?metrics=cosmos.proxy.all.success,cosmos.proxy.all.error HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 47397B in 2.668126ms
2023/12/12 18:05:58 [INFO] Fetch favicon for http://rallly:3000
2023/12/12 18:05:58 [ERROR] FaviconFetch : Get "http://rallly:3000": dial tcp: lookup rallly on 127.0.0.11:53: no such host
2023/12/12 18:05:58 [INFO] Favicon final fallback
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/favicon?q=http%3A%2F%2Frallly%3A3000 HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 144765B in 174.263329ms
2023/12/12 18:05:58 [INFO] Fetch favicon for http://app:4000
2023/12/12 18:05:58 [ERROR] FaviconFetch : Get "http://app:4000": dial tcp: lookup app on 127.0.0.11:53: no such host
2023/12/12 18:05:58 [INFO] Favicon final fallback
2023/12/12 18:05:58 [INFO] Fetch favicon for http://nextcloud-aio-apache:11000
2023/12/12 18:05:58 "GET https://nerdbox.win/cosmos/api/favicon?q=http%3A%2F%2Fapp%3A4000 HTTP/2.0" from {{NC_IP}}:{{PORT}} - 200 144765B in 212.163683ms
2023/12/12 18:05:58 [WARN] Missing geolocation information to block IPs
2023/12/12 18:05:58 "GET https://cloud.nerdbox.win/login HTTP/2.0" from {{LAN_IP}}:34648 - 200 7137B in 60.652415ms
2023/12/12 18:05:58 [WARN] Missing geolocation information to block IPs
2023/12/12 18:05:58 "GET https://cloud.nerdbox.win/login HTTP/2.0" from {{LAN_IP}}:34648 - 200 7142B in 60.792842ms

Any logs from LEGO itself? Can you make them very verbose to see if the Cloudflare API query and response are in there?

Sadly no. Anything else I can provide you with?

I think that’s all I can do. If the TXT records aren’t being created, and there’s no way to check what calls are made to the Cloudflare API to try and make them happen, not sure what else can be done to debug it.

Maybe someone who has actually used Lego might be able to shed more light.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.