Problem receiving TLS certificates via dnsChallenge

Hey folks!

I’m in the middle of setting up my Docker stack with TLS certificates via Traefik (wildcard DNS). Unfortunately I came across a problem receiving certificates (via dnsChallenge).

I already asked the friendly guys over at the Traefik community forum and they gave me the hint that my problem lies in the API configuration of my Cloudflare record. This is my Traefik log file:

time="2022-03-21T08:32:39Z" level=error msg="Unable to obtain ACME certificate for domains \"smokeping.internal.foo.bar\": unable to generate a certificate for the domains [smokeping.internal.foo.bar]: error: one or more domains had a problem:\n[smokeping.internal.foo.bar] [smokeping.internal.foo.bar] acme: error presenting token: cloudflare: failed to find zone foo.bar.: ListZonesContext command failed: HTTP status 400: Invalid request headers (6003)\n" [email protected] rule="Host(`smokeping.internal.foo.bar`)" providerName=primary.acme

This is my traefik docker-compose file with the env variables for Cloudflare:

version: "3.3"

services:

  traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      # Dashboard/API without authentication. Port 8080 is not published below,
      # but the "api" router further down attaches to the plain-HTTP "web"
      # entrypoint, so keep this off any network you do not fully trust.
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entryPoints.web-secure.address=:443"
      - "[email protected]"
      # Relative path, resolved from the container's working directory; the
      # bind mount below assumes that resolves to /acme.json.
      - "--certificatesResolvers.primary.acme.storage=acme.json"
      - "--certificatesResolvers.primary.acme.dnsChallenge=true"
      - "--certificatesResolvers.primary.acme.dnsChallenge.provider=cloudflare"
      - "--certificatesResolvers.primary.acme.dnsChallenge.delayBeforeCheck=0"
      - "--certificatesResolvers.primary.acme.dnsChallenge.resolvers=1.1.1.1:53"
    environment:
      # Global API Key mode of the Cloudflare provider: account e-mail plus
      # the account-wide Global API Key (sent as X-Auth-Email / X-Auth-Key).
      - [email protected]
      - CF_API_KEY=thisismyapikey
    ports:
      - "80:80"
      - "443:443"
      # - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # acme.json holds the certificates' private keys; keep it mode 600 on the host.
      - "/app/traefik/acme.json:/acme.json"

    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.internal.foo.bar`)"
      - "[email protected]"
      - "traefik.http.routers.api.entrypoints=web"
      # wildcard certs
      - "traefik.http.routers.api.tls.domains[0].main=internal.foo.bar"
      - "traefik.http.routers.api.tls.domains[0].sans=*.internal.foo.bar"
    networks:
      - web

networks:
  web:
    external: true

These are my API-token settings:

Within my Traefik container I can resolve the domain pointing to my local LAN server (e.g. smokeping.internal.foo.bar).

Please bear with me, I’m relatively inexperienced regarding DNS hacks :)

Thank you for your help!
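A corrected credential block for the same resolver, added here as an example; it is not part of the original post and not taken from Traefik's or Cloudflare's documentation. It assumes that the value placed in CF_API_KEY was a scoped API token (the "API-token settings" mentioned above) rather than the account's Global API Key. Traefik's Cloudflare provider (lego) sends CF_API_KEY in the X-Auth-Key header, which only accepts the Global API Key; a token in that header is what produces an HTTP 400 "Invalid request headers (6003)" on the zone lookup, as in the log above. A token belongs in CF_DNS_API_TOKEN instead, and when no separate CF_ZONE_API_TOKEN is set it needs both Zone:Read and DNS:Edit on the foo.bar zone. The secret file path /app/traefik/cf_dns_token and the e-mail address are placeholders chosen for this example.

```yaml
# Added example: Cloudflare credentials for Traefik's dnsChallenge, scoped-token
# mode beside the Global-API-Key mode used in the original file.
version: "3.3"

services:
  traefik:
    image: "traefik:v2.5"
    command:
      - "--certificatesResolvers.primary.acme.email=admin@example.com"   # placeholder
      - "--certificatesResolvers.primary.acme.storage=/acme.json"
      - "--certificatesResolvers.primary.acme.dnsChallenge=true"
      - "--certificatesResolvers.primary.acme.dnsChallenge.provider=cloudflare"
      - "--certificatesResolvers.primary.acme.dnsChallenge.resolvers=1.1.1.1:53"
    environment:
      # Global API Key mode (what the original file used). Only valid when the
      # value really is the account-wide Global API Key; a scoped API token put
      # here is rejected by Cloudflare with "Invalid request headers (6003)".
      #- CF_API_EMAIL=admin@example.com
      #- CF_API_KEY=<global api key>
      #
      # Scoped token mode: a single token with Zone:Read and DNS:Edit on
      # foo.bar. lego accepts every credential variable with a _FILE suffix,
      # so the token is read from a file (here a compose secret mounted under
      # /run/secrets) and does not appear in the compose file or in
      # `docker inspect` output. Plain CF_DNS_API_TOKEN=<token> also works.
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token
      # Optional: a second token restricted to Zone:Read, used only for the
      # zone lookup that failed in the log above.
      #- CF_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_token
    secrets:
      - cf_dns_token
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/app/traefik/acme.json:/acme.json"   # chmod 600 on the host

secrets:
  cf_dns_token:
    file: /app/traefik/cf_dns_token          # placeholder path, mode 600, one line: the token
```

After switching the variables, Traefik does not retry a failed order immediately; restart the container and watch the DEBUG log for the `_acme-challenge.internal.foo.bar` TXT record being created and removed, which confirms the token can both read the zone and edit its records.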
