2.9.1 Caddy can't get cloudflare wildcard cert

1. The problem I’m having:

I cannot get caddy to obtain a wildcard certificate using the ACME DNS challenge.

2. Error messages and/or full log output:

{"level":"info","ts":1738008148.2597888,"logger":"tls.obtain","msg":"acquiring lock","identifier":"localdomain.ca"}
{"level":"info","ts":1738008148.2741358,"logger":"tls.obtain","msg":"lock acquired","identifier":"localdomain.ca"}
{"level":"info","ts":1738008148.2743206,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"localdomain.ca"}
{"level":"info","ts":1738008148.2759595,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["localdomain.ca"],"ca":"https://acme.zerossl.com/v2/DV90","account":"tschetter.victor@gmail.com"}
{"level":"info","ts":1738008148.2760203,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["localdomain.ca"],"ca":"https://acme.zerossl.com/v2/DV90","account":"tschetter.victor@gmail.com"}
{"level":"info","ts":1738008148.2760744,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme.zerossl.com/v2/DV90/account/DWwSaejlvFI36ET3_6GKOQ","account_contact":["mailto:tschetter.victor@gmail.com"]}
{"level":"info","ts":1738008159.626765,"msg":"trying to solve challenge","identifier":"localdomain.ca","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1738008159.6354272,"msg":"cleaning up solver","identifier":"localdomain.ca","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.localdomain.ca\" (usually OK if presenting also failed)","stacktrace":"github.com/mholt/acmez/v3.(*Client).solveChallenges.func1\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:318\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:363\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.0.0/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:477\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.21.6/acmeissuer.go:371\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.9.1/modules/caddytls/acmeissuer.go:249\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.21.6/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.21.6/async.go:73"}
{"level":"error","ts":1738008163.1593637,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"localdomain.ca","issuer":"acme.zerossl.com-v2-DV90","error":"[localdomain.ca] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.localdomain.ca\": unexpected response code 'REFUSED' for _acme-challenge.localdomain.ca. (order=https://acme.zerossl.com/v2/DV90/order/7DHWBHxp_77oCkJ3WF7VVQ) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1738008163.1595397,"logger":"tls.obtain","msg":"will retry","error":"[localdomain.ca] Obtain: [localdomain.ca] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.localdomain.ca\": unexpected response code 'REFUSED' for _acme-challenge.localdomain.ca. (order=https://acme.zerossl.com/v2/DV90/order/7DHWBHxp_77oCkJ3WF7VVQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":14.885354397,"max_duration":2592000}

3. Caddy version:

2.9.1

4. How I installed and ran Caddy:

xcaddy build --output /usr/local/bin/caddy --with github.com/caddy-dns/cloudflare

a. System environment:

FreeBSD 14.1

b. Command:

service caddy start

d. My complete Caddy config:

localdomain.ca {
	tls {
		dns cloudflare validkey
		resolvers 1.1.1.1
	}

	log {
		output file /var/log/localdomain.ca.log
	}
}

I’ve redacted the domain only because it is not accessible from the outside world. If needed, I will share.

dig returns just fine with both TXT and SOA.

API token is scoped correctly. I’m using it on a pfsense system and it is working there.

Your DNS provider refuses resolutions. Check your DNS configuration. Unfortunately, because you redacted the domain, we cannot do the sanity checks. Check the SOA and NS.

Turns out that it was DNS (it always is) and because my pfsense box had the domain as its own name, it would just not resolve out. Changing the local domain solved it.
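The `could not determine zone ... REFUSED` line in the log comes from the step before any TXT record is published: the ACME client asks the configured resolver for the SOA of `_acme-challenge.<domain>`, then of each parent name, until it reaches the zone apex, and a resolver that answers REFUSED for the domain ends that search. The script below is an added illustration of that walk, not code from this thread or from Caddy, and it implements a simplified form of the zone lookup rather than Caddy's own; the resolver `1.1.1.1` and the redacted `localdomain.ca` are taken from the config, and `canned_transport` is a constructed offline stand-in for a real resolver so the behaviour can be checked without network access. Run it against your real resolver to see which name, if any, comes back REFUSED before retrying Caddy.

```python
"""Walk a name up to its zone apex with SOA queries, the way an ACME DNS-01
client must before it can publish _acme-challenge TXT records. Stdlib only."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_SOA, QCLASS_IN = 6, 1


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(packet, offset=12):
    """Read an uncompressed name starting at `offset` (the question section by default)."""
    labels = []
    while packet[offset] != 0:
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def build_soa_query(name, txid):
    """Header: id, flags with RD set, qdcount=1; then one SOA/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_SOA, QCLASS_IN)


def parse_response(resp, expected_id):
    """Return the RCODE name and section counts; reject mismatched ids or non-responses."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    return {"rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F)), "answers": an, "authority": ns}


def udp_query(server, packet, timeout=3.0):
    """Send one UDP query to port 53 of `server` and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


def find_zone(fqdn, resolver, transport=udp_query):
    """Ask for the SOA of fqdn, then of each parent, until a name answers with an
    SOA in its answer section (the apex). Returns (zone or None, [(name, rcode), ...]).
    NXDOMAIN just means "keep climbing"; any other non-NOERROR code (REFUSED, SERVFAIL)
    is a resolver problem and ends the search, which is the failure in the log above."""
    labels = fqdn.rstrip(".").split(".")
    trail = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        txid = random.randrange(0x10000)
        reply = parse_response(transport(resolver, build_soa_query(candidate, txid)), txid)
        trail.append((candidate, reply["rcode"]))
        if reply["rcode"] == "NOERROR" and reply["answers"] > 0:
            return candidate, trail
        if reply["rcode"] not in ("NXDOMAIN", "NOERROR"):
            return None, trail
    return None, trail


def canned_transport(rcode_by_name):
    """Constructed offline stand-in for udp_query: answers each queried name with the
    (rcode, answer_count) given, echoing the question so parse_response accepts it."""
    def transport(_server, packet):
        rcode, answers = rcode_by_name.get(decode_name(packet), (3, 0))  # default NXDOMAIN
        header = packet[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, answers, 0, 0)
        return header + packet[12:]
    return transport


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "_acme-challenge.localdomain.ca"
    server = sys.argv[2] if len(sys.argv) > 2 else "1.1.1.1"
    zone, trail = find_zone(name, server)
    for cand, rcode in trail:
        print(f"SOA {cand:<40} {rcode}")
    print("zone:", zone or "could not determine zone (fix the resolver before retrying Caddy)")
```

A resolver that is authoritative for, or configured to intercept, the same name as the zone you want a certificate for will show up here as REFUSED or NXDOMAIN at every label, while a working setup shows NXDOMAIN for `_acme-challenge.<domain>` (the record does not exist yet) followed by NOERROR at the apex. The walk stops at the first hard error because the ACME client cannot know which zone to write the TXT record into, which is exactly why no `_acme-challenge` record was ever presented in the log.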