Problems obtaining LE wildcard cert with Cloudflare DNS provider

I am trying to setup Caddy to obtain a wildcard cert from LE using Cloudflare as my DNS provider.

Here is an excerpt of my Caddyfile:

(wildcard_cert) {
    tls {
        dns cloudflare
        wildcard
    }
}

sub.example.net {
        import wildcard_cert
        proxy / 192.168.1.2:8080 {
                transparent
        }
}

This is the relevant log output:

2018/04/20 17:56:05 [INFO] acme: Registering account for email@example.com
2018/04/20 17:56:05 [INFO][*.example.net] acme: Obtaining bundled SAN certificate
2018/04/20 17:56:06 [INFO][*.example.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxxxxxxxxx
2018/04/20 17:56:06 [INFO][example.net] acme: Trying to solve DNS-01
2018/04/20 17:56:07 [example.net] failed to get certificate: Error presenting token: Zone net. not found in CloudFlare for domain _acme-challenge.example.net.

I have the same error when running Caddy either directly under the root user or using systemd.

I am running on Debian 9 with the newest Caddy binary available as of today.

I have tried creating the TXT record manually (with gibberish in the content) in Cloudflare and verified that it was seen on multiple DNS servers around the world but still get the same error.

What have I forgotten? Any help is highly appreciated.

Okay, some new observations:

It works fine with a .dk domain, but fails with my .net domain.

Is this possibly a lego issue and not a caddy one?

I don’t think so. More likely a domain-specific issue; I wasn’t able to replicate with my domains.

Caddy version 0.10.14 on macOS:

Caddyfile:

(wildcard_cert) {
  tls {
    dns cloudflare
    wildcard
  }
}

apollo.whitestrake.net {
  import wildcard_cert
  status 200 /
}

caddy -conf ~/Projects/test/Caddyfile -email letsencrypt@whitestrake.net -agree -http-port 8080 -https-port 8443 -log stdout

Activating privacy features... 2018/04/26 10:14:51 [INFO] acme: Registering account for letsencrypt@whitestrake.net
2018/04/26 10:14:52 [INFO][*.whitestrake.net] acme: Obtaining bundled SAN certificate
2018/04/26 10:14:52 [INFO][*.whitestrake.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/Os6dpekcaTEh5mfL2TH9ay9d_Oo4Uwwyyrm2dqfLWQw
2018/04/26 10:14:52 [INFO][whitestrake.net] acme: Trying to solve DNS-01
2018/04/26 10:14:54 [INFO][whitestrake.net] Checking DNS record propagation using [1.1.1.1:53 1.0.0.1:53]
2018/04/26 10:15:03 [INFO][whitestrake.net] The server validated our request
2018/04/26 10:15:04 [INFO][*.whitestrake.net] acme: Validations succeeded; requesting certificates
2018/04/26 10:15:07 [INFO][*.whitestrake.net] Server responded with a certificate.
2018/04/26 10:15:07 [INFO][*.whitestrake.net] Certificate written to disk: /Users/whitestrake/.caddy/acme/acme-v02.api.letsencrypt.org/sites/wildcard_.whitestrake.net/wildcard_.whitestrake.net.crt
done.
http://apollo.whitestrake.net:8080
2018/04/26 10:15:07 http://apollo.whitestrake.net:8080
https://apollo.whitestrake.net:8443
2018/04/26 10:15:07 https://apollo.whitestrake.net:8443

Hmm, that’s weird…

Any idea on how I can debug this?

Wish I had a suggestion for you, but I’m stumped. It kinda looks like, based off that error, the Cloudflare plugin is trying to add the record to net. instead of example.net.?

You could try downloading xenolf/lego and see if you can replicate the issue (the DNS plugins all(?) import from there).
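To make the "net. instead of example.net." hypothesis concrete, here is an added example (not code from Caddy, lego or anyone in this thread) that models how a DNS-01 solver typically locates the zone apex for `_acme-challenge.example.net.`: walk the name toward the root and take the first name that answers with an SOA record, then ask the provider for that zone. The SOA lookup and the set of zones in the Cloudflare account are constructed stand-ins, and the assumption that lego's providers use SOA-based zone detection is mine, not something the thread states.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// findZone walks a fully-qualified name toward the root, one label at a time,
// and returns the first name that answers with an SOA record (the zone apex).
// hasSOA is a constructed stand-in for a DNS query; real code would resolve it.
func findZone(fqdn string, hasSOA func(string) bool) (string, error) {
	if !strings.HasSuffix(fqdn, ".") {
		fqdn += "."
	}
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		if hasSOA(candidate) {
			return candidate, nil
		}
	}
	return "", errors.New("no SOA found for " + fqdn)
}

// presentChallenge models the provider step: the detected zone must exist in
// the Cloudflare account (cfZones, constructed) or the TXT record cannot be created.
func presentChallenge(fqdn string, hasSOA func(string) bool, cfZones map[string]bool) error {
	zone, err := findZone(fqdn, hasSOA)
	if err != nil {
		return err
	}
	if !cfZones[zone] {
		return fmt.Errorf("Zone %s not found in CloudFlare for domain %s", zone, fqdn)
	}
	return nil
}

func main() {
	cfZones := map[string]bool{"example.net.": true, "example.dk.": true}
	// Healthy resolver: example.net. answers with an SOA, so the walk stops there.
	healthy := func(n string) bool { return n == "example.net." || n == "example.dk." || n == "net." || n == "dk." }
	fmt.Println(presentChallenge("_acme-challenge.example.net.", healthy, cfZones)) // <nil>
	// Broken resolver: no SOA seen for example.net., so the walk overshoots to the
	// TLD and the provider returns the same error as in the thread.
	broken := func(n string) bool { return n == "net." || n == "example.dk." || n == "dk." }
	fmt.Println(presentChallenge("_acme-challenge.example.net.", broken, cfZones))
	fmt.Println(presentChallenge("_acme-challenge.example.dk.", broken, cfZones)) // <nil>
}
```

Under this model the quickest check is to confirm which name in the chain actually returns an SOA from the resolver Caddy is using (e.g. `dig SOA example.net` against the same resolver); if the apex does not answer, the walk ends at the TLD.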
