Issuing a cert with the dns_challenge_override_domain directive is not working, while it is possible to issue a cert for the alias domain itself

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

docker run --name caddy-proxy-cloudflare -d \
  -p 80:80 \
  -p 443:443 \
  -v /home/dattl/caddy/site:/srv \
  -v /home/dattl/caddy/data:/data \
  -v /home/dattl/caddy/config:/config \
  -v /home/dattl/caddy/config/Caddyfile:/etc/caddy/Caddyfile \
  -e CLOUDFLARE_API_TOKEN=123456 \
  -e ACME_AGREE=true \
  dadattl/caddy-proxy-cloudflare:latest

a. System environment:

Raspberry Pi and Docker image built with:

FROM caddy:builder AS builder

RUN caddy-builder \
    github.com/caddy-dns/cloudflare

FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

DNS:

_acme-challenge.othersdomain.com canonical name = cloudflaredomain.com

b. Command:

docker run --name caddy-proxy-cloudflare -d \
  -p 80:80 \
  -p 443:443 \
  -v /home/dattl/caddy/site:/srv \
  -v /home/dattl/caddy/data:/data \
  -v /home/dattl/caddy/config:/config \
  -v /home/dattl/caddy/config/Caddyfile:/etc/caddy/Caddyfile \
  -e CLOUDFLARE_API_TOKEN=123456 \
  -e ACME_AGREE=true \
  dadattl/caddy-proxy-cloudflare:latest

c. Service/unit/compose file:

d. My complete Caddy config:

{
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        email caddyproxy@othersdomain.com
}

test.cloudflaredomain.com {
        tls {
                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
                resolvers 1.1.1.1
        }
}

othersdomain.com {
        tls {
                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
                dns_challenge_override_domain cloudflaredomain.com
                resolvers 1.1.1.1
        }
}

3. The problem I’m having:

The directive

dns_challenge_override_domain cloudflaredomain.com 

seems not to work for me.
Maybe it is a typo or a misunderstanding of usage, or I didn't install another needed plugin. Can you please help with that?

4. Error messages and/or full log output:

INF ts=1673520516.2876968 msg=using provided configuration config_file=/etc/caddy/Caddyfile config_adapter=caddyfile
WRN ts=1673520516.2940102 msg=Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies adapter=caddyfile file=/etc/caddy/Caddyfile line=2
INF ts=1673520516.2982595 logger=admin msg=admin endpoint started address=localhost:2019 enforce_origin=false origins=["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]
INF ts=1673520516.2992725 logger=tls.cache.maintenance msg=started background certificate maintenance cache=0x2eaa050
INF ts=1673520516.3004131 logger=http msg=server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS server_name=srv0 https_port=443
INF ts=1673520516.3005054 logger=http msg=enabling automatic HTTP->HTTPS redirects server_name=srv0
INF ts=1673520516.3012848 logger=tls msg=cleaning storage unit description=FileStorage:/data/caddy
INF ts=1673520516.3013701 logger=http msg=enabling HTTP/3 listener addr=:443
INF ts=1673520516.3021991 msg=failed to sufficiently increase receive buffer size (was: 176 kiB, wanted: 2048 kiB, got: 352 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
INF ts=1673520516.3027244 logger=http.log msg=server running name=srv0 protocols=["h1","h2","h3"]
INF ts=1673520516.3030784 logger=http.log msg=server running name=remaining_auto_https_redirects protocols=["h1","h2","h3"]
INF ts=1673520516.303131 logger=http msg=enabling automatic TLS certificate management domains=["test.cloudflaredomain.com","othersdomain.com"]
INF ts=1673520516.3045309 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json
INF ts=1673520516.3046143 msg=serving initial configuration
INF ts=1673520516.3055155 logger=tls.obtain msg=acquiring lock identifier=othersdomain.com
INF ts=1673520516.3055158 logger=tls.obtain msg=acquiring lock identifier=test.cloudflaredomain.com
INF ts=1673520516.3109312 logger=tls msg=finished cleaning storage units
INF ts=1673520516.3666565 logger=tls.obtain msg=lock acquired identifier=test.cloudflaredomain.com
INF ts=1673520516.3675992 logger=tls.obtain msg=obtaining certificate identifier=test.cloudflaredomain.com
INF ts=1673520516.371758 logger=tls.obtain msg=lock acquired identifier=othersdomain.com
INF ts=1673520516.3729155 logger=tls.obtain msg=obtaining certificate identifier=othersdomain.com
INF ts=1673520516.4146311 logger=http msg=waiting on internal rate limiter identifiers=["test.cloudflaredomain.com"] ca=https://acme-staging-v02.api.letsencrypt.org/directory account=caddyproxy@othersdomain.com
INF ts=1673520516.4147203 logger=http msg=done waiting on internal rate limiter identifiers=["test.cloudflaredomain.com"] ca=https://acme-staging-v02.api.letsencrypt.org/directory account=caddyproxy@othersdomain.com
INF ts=1673520516.414927 logger=http msg=waiting on internal rate limiter identifiers=["othersdomain.com"] ca=https://acme-staging-v02.api.letsencrypt.org/directory account=caddyproxy@othersdomain.com
INF ts=1673520516.4151387 logger=http msg=done waiting on internal rate limiter identifiers=["othersdomain.com"] ca=https://acme-staging-v02.api.letsencrypt.org/directory account=caddyproxy@othersdomain.com
INF ts=1673520517.7052374 logger=http.acme_client msg=trying to solve challenge identifier=test.cloudflaredomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
INF ts=1673520518.055583 logger=http.acme_client msg=trying to solve challenge identifier=othersdomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
ERR ts=1673520519.7041817 logger=http.acme_client msg=cleaning up solver identifier=othersdomain.com challenge_type=dns-01 error=no memory of presenting a DNS record for "cloudflaredomain.com" (usually OK if presenting also failed)
ERR ts=1673520519.887109 logger=tls.obtain msg=could not get certificate from issuer identifier=othersdomain.com issuer=acme-staging-v02.api.letsencrypt.org-directory error=[othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476905703) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)
INF ts=1673520519.8953173 logger=http msg=waiting on internal rate limiter identifiers=["othersdomain.com"] ca=https://acme-staging-v02.api.letsencrypt.org/directory account=caddyproxy@othersdomain.com
INF ts=1673520519.8954923 logger=http msg=done waiting on internal rate limiter identifiers=["othersdomain.com"] ca=https://acme-staging-v02.api.letsencrypt.org/directory account=caddyproxy@othersdomain.com
INF ts=1673520520.8169153 logger=http.acme_client msg=trying to solve challenge identifier=othersdomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
ERR ts=1673520522.4676528 logger=http.acme_client msg=cleaning up solver identifier=othersdomain.com challenge_type=dns-01 error=no memory of presenting a DNS record for "cloudflaredomain.com" (usually OK if presenting also failed)
ERR ts=1673520522.6518908 logger=tls.obtain msg=could not get certificate from issuer identifier=othersdomain.com issuer=acme-staging-v02.api.letsencrypt.org-directory error=[othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476906303) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)
ERR ts=1673520522.6522403 logger=tls.obtain msg=will retry error=[othersdomain.com] Obtain: [othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476906303) (ca=https://acme-staging-v02.api.letsencrypt.org/directory) attempt=1 retrying_in=60 elapsed=6.280232596 max_duration=2592000
INF ts=1673520525.7208114 logger=http.acme_client msg=authorization finalized identifier=test.cloudflaredomain.com authz_status=valid
INF ts=1673520525.720933 logger=http.acme_client msg=validations succeeded; finalizing order order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476905553
INF ts=1673520526.3540008 logger=http.acme_client msg=successfully downloaded available certificate chains count=1 first_url=https://acme-staging-v02.api.letsencrypt.org/acme/cert/faf3ff5189a46c67fcccc1352d9b9a7f77a6
INF ts=1673520526.3564303 logger=tls.obtain msg=certificate obtained successfully identifier=test.cloudflaredomain.com
INF ts=1673520526.3567116 logger=tls.obtain msg=releasing lock identifier=test.cloudflaredomain.com
INF ts=1673520582.6544812 logger=tls.obtain msg=obtaining certificate identifier=othersdomain.com
INF ts=1673520583.2111979 logger=http.acme_client msg=trying to solve challenge identifier=othersdomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
ERR ts=1673520584.1435366 logger=http.acme_client msg=cleaning up solver identifier=othersdomain.com challenge_type=dns-01 error=no memory of presenting a DNS record for "cloudflaredomain.com" (usually OK if presenting also failed)
ERR ts=1673520584.3202338 logger=tls.obtain msg=could not get certificate from issuer identifier=othersdomain.com issuer=acme-staging-v02.api.letsencrypt.org-directory error=[othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476924223) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)
INF ts=1673520584.914232 logger=http.acme_client msg=trying to solve challenge identifier=othersdomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
ERR ts=1673520585.702544 logger=http.acme_client msg=cleaning up solver identifier=othersdomain.com challenge_type=dns-01 error=no memory of presenting a DNS record for "cloudflaredomain.com" (usually OK if presenting also failed)
ERR ts=1673520585.8847485 logger=tls.obtain msg=could not get certificate from issuer identifier=othersdomain.com issuer=acme-staging-v02.api.letsencrypt.org-directory error=[othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476924683) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)
ERR ts=1673520585.885634 logger=tls.obtain msg=will retry error=[othersdomain.com] Obtain: [othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476924683) (ca=https://acme-staging-v02.api.letsencrypt.org/directory) attempt=2 retrying_in=120 elapsed=69.513625021 max_duration=2592000
INF ts=1673520705.8875592 logger=tls.obtain msg=obtaining certificate identifier=othersdomain.com
INF ts=1673520706.4480875 logger=http.acme_client msg=trying to solve challenge identifier=othersdomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
ERR ts=1673520707.4295528 logger=http.acme_client msg=cleaning up solver identifier=othersdomain.com challenge_type=dns-01 error=no memory of presenting a DNS record for "cloudflaredomain.com" (usually OK if presenting also failed)
ERR ts=1673520707.6135654 logger=tls.obtain msg=could not get certificate from issuer identifier=othersdomain.com issuer=acme-staging-v02.api.letsencrypt.org-directory error=[othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476961913) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)
INF ts=1673520708.1642392 logger=http.acme_client msg=trying to solve challenge identifier=othersdomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
ERR ts=1673520709.1022384 logger=http.acme_client msg=cleaning up solver identifier=othersdomain.com challenge_type=dns-01 error=no memory of presenting a DNS record for "cloudflaredomain.com" (usually OK if presenting also failed)
ERR ts=1673520709.2853715 logger=tls.obtain msg=could not get certificate from issuer identifier=othersdomain.com issuer=acme-staging-v02.api.letsencrypt.org-directory error=[othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476962413) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)
ERR ts=1673520709.2857375 logger=tls.obtain msg=will retry error=[othersdomain.com] Obtain: [othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476962413) (ca=https://acme-staging-v02.api.letsencrypt.org/directory) attempt=3 retrying_in=120 elapsed=192.913730254 max_duration=2592000
INF ts=1673520829.2888951 logger=tls.obtain msg=obtaining certificate identifier=othersdomain.com
INF ts=1673520829.846228 logger=http.acme_client msg=trying to solve challenge identifier=othersdomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
ERR ts=1673520831.0011332 logger=http.acme_client msg=cleaning up solver identifier=othersdomain.com challenge_type=dns-01 error=no memory of presenting a DNS record for "cloudflaredomain.com" (usually OK if presenting also failed)
ERR ts=1673520831.182298 logger=tls.obtain msg=could not get certificate from issuer identifier=othersdomain.com issuer=acme-staging-v02.api.letsencrypt.org-directory error=[othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476994323) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)
INF ts=1673520831.7413588 logger=http.acme_client msg=trying to solve challenge identifier=othersdomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
ERR ts=1673520832.5800455 logger=http.acme_client msg=cleaning up solver identifier=othersdomain.com challenge_type=dns-01 error=no memory of presenting a DNS record for "cloudflaredomain.com" (usually OK if presenting also failed)
ERR ts=1673520832.7607863 logger=tls.obtain msg=could not get certificate from issuer identifier=othersdomain.com issuer=acme-staging-v02.api.letsencrypt.org-directory error=[othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476994643) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)
ERR ts=1673520832.7611282 logger=tls.obtain msg=will retry error=[othersdomain.com] Obtain: [othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6476994643) (ca=https://acme-staging-v02.api.letsencrypt.org/directory) attempt=4 retrying_in=300 elapsed=316.389121564 max_duration=2592000
INF ts=1673521132.76364 logger=tls.obtain msg=obtaining certificate identifier=othersdomain.com
INF ts=1673521133.708751 logger=http.acme_client msg=trying to solve challenge identifier=othersdomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
ERR ts=1673521134.7269125 logger=http.acme_client msg=cleaning up solver identifier=othersdomain.com challenge_type=dns-01 error=no memory of presenting a DNS record for "cloudflaredomain.com" (usually OK if presenting also failed)
ERR ts=1673521134.90331 logger=tls.obtain msg=could not get certificate from issuer identifier=othersdomain.com issuer=acme-staging-v02.api.letsencrypt.org-directory error=[othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6477069653) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)
INF ts=1673521135.8306231 logger=http.acme_client msg=trying to solve challenge identifier=othersdomain.com challenge_type=dns-01 ca=https://acme-staging-v02.api.letsencrypt.org/directory
ERR ts=1673521136.615386 logger=http.acme_client msg=cleaning up solver identifier=othersdomain.com challenge_type=dns-01 error=no memory of presenting a DNS record for "cloudflaredomain.com" (usually OK if presenting also failed)
ERR ts=1673521136.7933054 logger=tls.obtain msg=could not get certificate from issuer identifier=othersdomain.com issuer=acme-staging-v02.api.letsencrypt.org-directory error=[othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone "cloudflaredomain.com.": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6477070123) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)

{"level":"error","ts":1673521136.794149,"logger":"tls.obtain","msg":"will retry","error":"[othersdomain.com] Obtain: [othersdomain.com] solving challenges: presenting for challenge: adding temporary record for zone \"cloudflaredomain.com.\": got error status: HTTP 400: [{Code:1004 Message:DNS Validation Error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/82662763/6477070123) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":620.422141136,"max_duration":2592000}

5. What I already tried:

I was debugging the Caddyfile for a while before trying to issue a cert for “test.cloudflaredomain.com” directly.
So my Cloudflare config seems to be fine and working, as I can issue a cert for the actual Cloudflare domain.

But I am not able to use it as an alias domain for issuing a cert for the server name “othersdomain.com”.

6. Links to relevant resources:

Hmm, I think you might need to do this:

dns_challenge_override_domain _acme-challenge.validate.at

I think the domain override is done after _acme-challenge. is prepended to the domain, so not including it means it’s missing when it’s passed to the DNS plugin. I think you might need to add it explicitly for it to work.

This isn’t a feature used very often (although I love it and I think it’s a great solution for some usecases), so it’s a bit messy. It’s a bit unfortunate but I think it needs to be this way because there’s no technical reason that the domain you CNAME to also has _acme-challenge. on it. So really, dns_challenge_override_domain should be the exact name where the TXT record should appear to fulfill your CNAME setup, I think. I hope I’m remembering this right.

If that doesn’t fix it, then uh, it’s probably some issue with the Cloudflare plugin or how it interacts with the API.

FWIW, the DuckDNS plugin has built-in support for challenge delegation; it had the functionality before we added dns_challenge_override_domain to Caddy itself. You could use that as another option by CNAME-ing your other domain to a free DuckDNS domain. Keep in mind though, DuckDNS has a limitation that it can only have one TXT record per subdomain, so two challenges at the same time would not work, but that should be a rare situation.

You don’t need this anymore btw, that was only needed in Caddy v1, and v2 doesn’t read this env var at all anymore.

I think you probably want to add - 443:443/udp as well so that HTTP/3 will work.

We don’t delete threads. The point of the forum is to publicly discuss the solutions to problems, so that others who may have the same problem can find the answers.

Please explain what you did to fix it, otherwise if someone finds this thread they’ll just find a void of information and get disappointed or frustrated.


I have hidden the revisions of your edits.
Only you (and mods/admins) can see them now.

You can check it yourself by opening this topic in an incognito tab or similar.


Thank you!

The solution was a very stupid dot.

nslookup _acme-challenge.othersdomain.com 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
_acme-challenge.othersdomain.com	canonical name = cloudflaredomain.com.

So I tried adding the last dot from the end of the CNAME in my Caddyfile, and it worked.
To be clear, this last dot is not added by me in the CNAME; it's just there because that's how DNS works 🙂
Anyway, I never needed to add it in any other alias-domain setup.

The working Caddyfile entry looks like this:

othersdomain.com {
        tls {
                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
                dns_challenge_override_domain cloudflaredomain.com.
                resolvers 1.1.1.1
        }
}

And just to be sure everybody understands the difference:
instead of:

dns_challenge_override_domain cloudflaredomain.com

Use:

dns_challenge_override_domain cloudflaredomain.com.

You have to respect the dot!
Hope that helps anybody in the future skip looking for hours for a solution.

  • Andreas
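Added example (not from this thread or from the Caddy project): a small Python check that compares the dns_challenge_override_domain value in a Caddyfile with the CNAME that actually exists for _acme-challenge.<site>, normalising both to FQDN form with the trailing dot. It flags the missing-dot case found above, and also a CNAME that points somewhere other than the override (the earlier point that the override must be the exact name where the TXT record appears). Inputs are constructed from the Caddyfile and nslookup output shown in the thread; the Caddyfile parser is minimal and handles only simple site blocks.

```python
import re

# Constructed inputs, copied from the thread: the failing site block and the
# nslookup answer for the delegated challenge name.
CADDYFILE = """
othersdomain.com {
        tls {
                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
                dns_challenge_override_domain cloudflaredomain.com
                resolvers 1.1.1.1
        }
}
"""

NSLOOKUP_OUTPUT = """\
Server:\t\t1.1.1.1
Address:\t1.1.1.1#53

Non-authoritative answer:
_acme-challenge.othersdomain.com\tcanonical name = cloudflaredomain.com.
"""


def fqdn(name: str) -> str:
    """Canonical FQDN form: lowercase, exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def parse_overrides(caddyfile: str) -> dict:
    """Map each top-level site address to its raw dns_challenge_override_domain value."""
    overrides = {}
    site = None
    for line in caddyfile.splitlines():
        stripped = line.strip()
        m = re.match(r"^([A-Za-z0-9.*-]+)\s*\{$", stripped)
        if m and not line.startswith((" ", "\t")):
            site = m.group(1)  # unindented "name {" opens a site block
            continue
        m = re.match(r"^dns_challenge_override_domain\s+(\S+)$", stripped)
        if m and site:
            overrides[site] = m.group(1)
    return overrides


def parse_cnames(nslookup_output: str) -> dict:
    """Map owner name -> CNAME target from nslookup 'canonical name =' lines."""
    cnames = {}
    for line in nslookup_output.splitlines():
        m = re.match(r"^(\S+)\s+canonical name = (\S+)$", line)
        if m:
            cnames[fqdn(m.group(1))] = fqdn(m.group(2))
    return cnames


def check_delegation(caddyfile: str, nslookup_output: str) -> list:
    """One (site, finding) tuple per site using an override: 'ok' or a problem description."""
    findings = []
    cnames = parse_cnames(nslookup_output)
    for site, override in parse_overrides(caddyfile).items():
        owner = fqdn("_acme-challenge." + site)
        target = cnames.get(owner)
        if target is None:
            findings.append((site, f"no CNAME found for {owner}"))
        elif fqdn(override) != target:
            findings.append((site, f"CNAME points to {target} but override is {override}"))
        elif not override.endswith("."):
            findings.append((site, f"override {override!r} lacks trailing dot; use {target!r}"))
        else:
            findings.append((site, "ok"))
    return findings
```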

Wow, okay. Thanks for showing that.

I think that this is an edge-case bug with the Cloudflare plugin or with CertMagic. It shouldn’t be necessary for users to have to put the dot at the end themselves; it should be handled for you.

@matt maybe something you could take a look at when you find some time.

Hmm, good to know. Thanks, I’ll look into it!

So I’m not sure what’s happening there, exactly. Caddy (CertMagic) does add a trailing dot to the zone when presenting for a certificate; if someone has time to try it, I’d be interested to know if this is Cloudflare-specific, or if it is also required for other DNS providers.