Proxying TXT-records

Is there a way to have Cloudflare query our server for the current value of a TXT-record and return that?

In a nutshell: LetsEncrypt refuses to publish a list of IPs/hostnames it uses for domain validation. Our machine is firewall’d off, only Cloudflare can connect - and as we can’t allowlist LetsEncrypt, we hit a roadblock there. There is one record that bypasses CF, which is used for a couple of non-HTTP(S) services. Unfortunately, one of the services there requires an SSL certificate, which is issued by LE. We cannot proxy this entry; it bypasses CF for various reasons. So the only alternative: use DNS validation. But LE will query Cloudflare rather than our server. Hence we’re wondering if there’s a way to “bypass” a TXT-record for _acme-challenge. Whenever Cloudflare receives a request for this TXT-record, it should query our underlying nameservers (known to Cloudflare) and pass the resulting _acme-challenge response on to LE. There’s another option on the command line, but that doesn’t seem to be really cPanel compatible. (Or better said: cPanel isn’t compatible with it.)

I can’t find any option to make this work so figure it isn’t possible, but was wondering if Cloudflare supports this in some way that I’ve missed. Essentially it’d operate a bit like a DYNDNS service for TXT-records.

Your situation is extremely common. You won’t be able to update your TXT record in the way you have described, but there are other ways. Having your ACME client update your _acme-challenge TXT record using the Cloudflare API is an easy way to handle that situation.

There are other methods that you could use, such as acme-dns, but the Cloudflare API is likely to be the best method. It is exactly like a

You will need an appropriately scoped API token.

The Let’s Encrypt Community is a great place to get help with the non-Cloudflare parts of the process.
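The API-driven update the reply recommends, written out as an added example (not code from this thread, Cloudflare, or any ACME client): it assumes a token scoped to Zone:DNS:Edit on the zone and uses the v4 `/zones` and `/zones/{id}/dns_records` endpoints; the `send` parameter is a hypothetical injectable transport so the create-or-overwrite logic can be exercised without network access.

```python
"""Create or overwrite the _acme-challenge TXT record via the Cloudflare DNS API.

Assumptions (added example): API_TOKEN is scoped to Zone:DNS:Edit for the zone,
and the ACME client hands us the domain and validation string (certbot's
--manual-auth-hook exports them as CERTBOT_DOMAIN / CERTBOT_VALIDATION)."""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cf_request(token, method, path, body=None):
    """Default transport: one bearer-authenticated call, decoded JSON back."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def upsert_acme_txt(token, zone_name, fqdn, value, send=cf_request, ttl=120):
    """Set TXT `fqdn` (e.g. _acme-challenge.example.com) in `zone_name` to `value`.

    Looks the zone up by name (a token limited to one zone only sees that zone),
    then PUTs over an existing record or POSTs a new one. Returns the record id."""
    zones = send(token, "GET", f"/zones?name={zone_name}")
    if not zones.get("success") or not zones.get("result"):
        raise RuntimeError(f"zone {zone_name} not visible to this token")
    zone_id = zones["result"][0]["id"]
    record = {"type": "TXT", "name": fqdn, "content": value, "ttl": ttl}
    existing = send(token, "GET", f"/zones/{zone_id}/dns_records?type=TXT&name={fqdn}")
    if existing.get("result"):
        rec_id = existing["result"][0]["id"]
        out = send(token, "PUT", f"/zones/{zone_id}/dns_records/{rec_id}", record)
    else:
        out = send(token, "POST", f"/zones/{zone_id}/dns_records", record)
    if not out.get("success"):
        raise RuntimeError(f"Cloudflare rejected the change: {out.get('errors')}")
    return out["result"]["id"]


if __name__ == "__main__":
    # Run as an auth hook: the ACME client supplies domain and validation value.
    domain = os.environ["CERTBOT_DOMAIN"]
    upsert_acme_txt(os.environ["CF_API_TOKEN"], os.environ["CF_ZONE"],
                    f"_acme-challenge.{domain}", os.environ["CERTBOT_VALIDATION"])
```

If one order validates both a name and its wildcard, two TXT values must coexist under the same label, so in that case create a second record rather than overwriting; a matching cleanup hook should delete the record once validation finishes.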

