Unable to obtain certificates via Cloudflare DNS provider

1. Caddy version (caddy version):

v2.2.1 with Cloudflare module.

2. How I run Caddy:

a. System environment:

Docker

b. Command:

c. Service/unit/compose file:

Kubernetes

d. My complete Caddyfile or JSON config:

hbs.razonyang.com {
    tls {
        dns cloudflare myapitoken
    }
    reverse_proxy hugo-theme-bootstrap:80
}

3. The problem I’m having:

Unable to obtain certificates via Cloudflare DNS provider.

4. Error messages and/or full log output:

2020-11-26T13:14:03.973345959+08:00 {"level":"info","ts":1606367643.9732172,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
2020-11-26T13:14:04.071894179+08:00 {"level":"info","ts":1606367644.0693052,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2020-11-26T13:14:04.073062536+08:00 {"level":"info","ts":1606367644.0729823,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002bb0a0"}
2020-11-26T13:14:04.074768389+08:00 {"level":"info","ts":1606367644.074702,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2020-11-26T13:14:04.074816426+08:00 {"level":"info","ts":1606367644.0747528,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2020-11-26T13:14:04.074838109+08:00 {"level":"info","ts":1606367644.0747786,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
2020-11-26T13:14:04.074878967+08:00 {"level":"warn","ts":1606367644.0748231,"logger":"http","msg":"user server is listening on same interface as automatic HTTP->HTTPS redirects; user-configured routes might override these redirects","server_name":"srv1","interface":"tcp/:80"}
2020-11-26T13:14:04.076567179+08:00 {"level":"info","ts":1606367644.0764973,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["pkg.clevergo.tech","lb.razonyang.com","www.clevergo.tech","razonyang.com","clevergo.tech","go-auth0.razonyang.com","yii2.razonyang.com","hbs.razonyang.com","admin.yii2.razonyang.com","gopkgs.net","hugo-theme-bootstrap.razonyang.com","forum.clevergo.tech","vpn.razonyang.com","hbs-cn.razonyang.com","www.razonyang.com","adminer.razonyang.com"]}
2020-11-26T13:14:04.323323975+08:00 {"level":"info","ts":1606367644.3231962,"logger":"tls.obtain","msg":"acquiring lock","identifier":"hbs.razonyang.com"}
2020-11-26T13:14:04.492302924+08:00 {"level":"info","ts":1606367644.4921844,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
2020-11-26T13:14:04.49234307+08:00 {"level":"info","ts":1606367644.492209,"msg":"serving initial configuration"}
2020-11-26T13:14:04.552302309+08:00 {"level":"info","ts":1606367644.5521924,"logger":"tls","msg":"cleaned up storage units"}
2020-11-26T13:14:07.385176644+08:00 {"level":"info","ts":1606367647.3847208,"logger":"tls.obtain","msg":"lock acquired","identifier":"hbs.razonyang.com"}
2020-11-26T13:14:07.394023965+08:00 {"level":"info","ts":1606367647.3938859,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["hbs.razonyang.com"]}
2020-11-26T13:14:07.394056752+08:00 {"level":"info","ts":1606367647.3939064,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["hbs.razonyang.com"]}
2020-11-26T13:14:09.258795791+08:00 {"level":"info","ts":1606367649.2585933,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"hbs.razonyang.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2020-11-26T13:16:13.103425002+08:00 {"level":"error","ts":1606367773.1033022,"logger":"tls.obtain","msg":"will retry","error":"[hbs.razonyang.com] Obtain: [hbs.razonyang.com] solving challenges: waiting for solver *certmagic.DNS01Solver to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/103405975/6413649686) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":125.718556638,"max_duration":2592000}
2020-11-26T13:17:14.545097293+08:00 {"level":"info","ts":1606367834.544967,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"hbs.razonyang.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
2020-11-26T13:19:17.169413675+08:00 {"level":"error","ts":1606367957.1692805,"logger":"tls.obtain","msg":"will retry","error":"[hbs.razonyang.com] Obtain: [hbs.razonyang.com] solving challenges: waiting for solver *certmagic.DNS01Solver to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/16781170/191859969) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":309.784535468,"max_duration":2592000}
2020-11-26T13:21:18.392540475+08:00 {"level":"info","ts":1606368078.3924053,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"hbs.razonyang.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
2020-11-26T13:23:19.430323856+08:00 {"level":"error","ts":1606368199.4301891,"logger":"tls.obtain","msg":"will retry","error":"[hbs.razonyang.com] Obtain: [hbs.razonyang.com] solving challenges: waiting for solver *certmagic.DNS01Solver to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/16781170/191861783) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":552.04544373,"max_duration":2592000}

5. What I already tried:

  1. API token permissions: All zones - Zone:Read, DNS:Edit
  2. I noticed that a TXT record called _acme-challenge.hbs was created.

6. Links to relevant resources:

The lego module works as expected.
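The failure above shows up in Caddy's JSON log as a repeated "will retry" error from the tls.obtain logger whose text contains "timed out waiting for record to fully propagate". As an added example that is not part of this thread, the following Python script reads such a log (with or without the container timestamp prefix shown above) and summarises DNS-01 propagation timeouts per hostname, so the retry loop can be spotted from a log stream rather than by eye; the sample lines are constructed in the shape of the log above, with placeholder order URLs.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the Caddy v2 JSON log quoted above (a container
# timestamp prefix, then one JSON object per line); order URLs are placeholders.
SAMPLE_LOG = """\
2020-11-26T13:14:09+08:00 {"level":"info","ts":1606367649.2,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"hbs.razonyang.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2020-11-26T13:16:13+08:00 {"level":"error","ts":1606367773.1,"logger":"tls.obtain","msg":"will retry","error":"[hbs.razonyang.com] Obtain: [hbs.razonyang.com] solving challenges: waiting for solver *certmagic.DNS01Solver to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://example.invalid/order/1) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":125.7,"max_duration":2592000}
2020-11-26T13:19:17+08:00 {"level":"error","ts":1606367957.1,"logger":"tls.obtain","msg":"will retry","error":"[hbs.razonyang.com] Obtain: [hbs.razonyang.com] solving challenges: waiting for solver *certmagic.DNS01Solver to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://example.invalid/order/2) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":309.7,"max_duration":2592000}
2020-11-26T13:19:20+08:00 {"level":"error","ts":1606367960.0,"logger":"tls.obtain","msg":"will retry","error":"[other.example] Obtain: some unrelated error","attempt":1,"retrying_in":60,"elapsed":3.0,"max_duration":2592000}
"""

PROPAGATION_TIMEOUT = "timed out waiting for record to fully propagate"
IDENT_RE = re.compile(r"^\[([^\]]+)\]")  # identifier at the start of Caddy's error string

def parse_caddy_log(text):
    """Yield one dict per line, ignoring any non-JSON prefix (e.g. a kubectl/docker timestamp)."""
    for line in text.splitlines():
        brace = line.find("{")
        if brace < 0:
            continue
        try:
            yield json.loads(line[brace:])
        except json.JSONDecodeError:
            continue  # partial or non-JSON line

def dns01_failures(text):
    """Summarise DNS-01 propagation timeouts per identifier:
    {identifier: {"attempts": highest attempt seen, "elapsed": last elapsed seconds,
                  "staging_ca": True once a retry ran against the staging CA}}."""
    out = defaultdict(lambda: {"attempts": 0, "elapsed": 0.0, "staging_ca": False})
    for rec in parse_caddy_log(text):
        if rec.get("logger") != "tls.obtain" or rec.get("msg") != "will retry":
            continue
        err = rec.get("error", "")
        if PROPAGATION_TIMEOUT not in err:
            continue  # other obtain errors are not a DNS provider problem
        m = IDENT_RE.match(err)
        entry = out[m.group(1) if m else "?"]
        entry["attempts"] = max(entry["attempts"], int(rec.get("attempt", 0)))
        entry["elapsed"] = float(rec.get("elapsed", 0.0))
        if "acme-staging-v02" in err:  # retries after a failure go to the staging CA, as in the log above
            entry["staging_ca"] = True
    return dict(out)

if __name__ == "__main__":
    for ident, info in dns01_failures(SAMPLE_LOG).items():
        print(ident, info)
```

Any hostname that accumulates several attempts here while a TXT record is visibly present at the provider points at the propagation check rather than record creation, which is the situation described in this post.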

I’m not sure… I use the Cloudflare plugin and it works fine for me. Would you be able to help troubleshoot why it is getting that error?

I tried to reproduce it last night, but failed. It doesn’t seem to be a problem with the Cloudflare module.
