Letsencrypt DNS Challenge not working for subdomain #1953
Comments
Diving deeper into lego, it seems that it should return the correct domain on a SOA record response, but apparently this goes wrong somehow. Am I doing something wrong here, or do I need to change something from the default Cloudflare setup? I'm currently forced to go back to self-signed certs with my own CA, which I would really like to avoid.
It turns out our internal DNS returns a SOA record for the subdomain, returning the name of the subdomain instead of the root domain.
@sjintas did your subdomain match the search/domain path of the server? Because that is what I just ran into. So basically if search/domain is We have our own DNS server too, which Traefik is using, so maybe it's the same issue?
I can't say I remember exactly, but I do not think so. However, it might still be the same issue. Just check the SOA response manually.
Well, digging around, it's exactly the same, just in my case no SOA is returned, and @mmatur was explaining that the Since I run an unbound server, that SOA record is not present (it's the default unbound in OPNsense/pfSense), and I am right now expecting this to be an issue for every isolated network, which would be the DNA scenario of DNS01 I guess. No idea how to proceed with that.
Just a note to anyone else who comes across this: when using the helm chart I was able to overcome the SOA problem by setting the below params:

```yaml
acme:
  resolvers:
    - abby.ns.cloudflare.com
    - sid.ns.cloudflare.com
```
Do you want to request a feature or report a bug?
Bug
What did you do?
Using:
dnsProvider = "cloudflare"
When I use a top-level domain "example.com" the challenge works. However, when using a domain like "sub.example.com" it does not.
What did you expect to see?
A certificate securing my app.
What did you see instead?
No certificate.
Output of traefik version: (What version of Traefik are you using?) v1.3.5 / raclette docker image
What is your environment & configuration (arguments, toml, provider, platform, ...)?
Obviously I do not really use example.com.
If applicable, please paste the log output in debug mode (--debug switch)
The bug itself seems to be in the way Lego is used/Lego itself: the function getHostedZoneID() tries to get a Cloudflare zoneId (id for example.com) but instead it uses sub1.example.com and fails on getting the zoneId.
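The failure mode discussed in this thread (a SOA walk that stops at the subdomain because the resolver answers with a SOA owned by the queried name, so the provider then looks up a zone id for a name Cloudflare does not hold) can be reproduced offline. The following is an added example, not lego's or Traefik's own code: the zone walk, the zone-id lookup, and two constructed resolvers are all hypothetical stand-ins, and the zone table with its ZONE-ID-PLACEHOLDER value is invented for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SOA is the only part of a SOA reply the zone walk needs: whether the
// resolver answered with a SOA record and which owner name it carried.
type SOA struct {
	Found bool
	Owner string
}

// Resolver stands in for a real DNS lookup so the walk can run offline.
type Resolver func(name string) SOA

// FindZoneByFqdn walks from the challenge name towards the root, asking for
// a SOA at each label boundary, and returns the owner name of the first SOA
// seen. Names are handled in canonical form with a trailing dot.
func FindZoneByFqdn(fqdn string, r Resolver) (string, error) {
	fqdn = strings.TrimSuffix(fqdn, ".") + "."
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := 0; i < len(labels)-1; i++ { // never query the bare TLD
		name := strings.Join(labels[i:], ".") + "."
		if soa := r(name); soa.Found {
			return soa.Owner, nil
		}
	}
	return "", fmt.Errorf("no SOA record found above %s", fqdn)
}

// ErrZoneNotFound mirrors the failure in the issue: the walk produced a
// name that is not a zone the provider knows about.
var ErrZoneNotFound = errors.New("hosted zone not found")

// GetHostedZoneID maps the discovered zone to a provider zone id using a
// constructed zone table (a real client would query the provider's API).
func GetHostedZoneID(fqdn string, r Resolver, zones map[string]string) (string, error) {
	zone, err := FindZoneByFqdn(fqdn, r)
	if err != nil {
		return "", err
	}
	id, ok := zones[zone]
	if !ok {
		return "", fmt.Errorf("%w: %s", ErrZoneNotFound, zone)
	}
	return id, nil
}

// AuthoritativeResolver models the domain's real nameservers: a SOA exists
// only at the zone apex, so any query below it returns no SOA record.
func AuthoritativeResolver(apex string) Resolver {
	return func(name string) SOA {
		if name == apex {
			return SOA{Found: true, Owner: apex}
		}
		return SOA{}
	}
}

// BrokenInternalResolver models the internal DNS described in the thread:
// every name under the apex gets a SOA owned by the queried name itself.
func BrokenInternalResolver(apex string) Resolver {
	return func(name string) SOA {
		if name == apex || strings.HasSuffix(name, "."+apex) {
			return SOA{Found: true, Owner: name}
		}
		return SOA{}
	}
}

func main() {
	// Constructed zone table: only the apex is a hosted zone.
	zones := map[string]string{"example.com.": "ZONE-ID-PLACEHOLDER"}
	challenge := "_acme-challenge.sub.example.com."

	cases := []struct {
		label string
		r     Resolver
	}{
		{"authoritative ns", AuthoritativeResolver("example.com.")},
		{"internal dns", BrokenInternalResolver("example.com.")},
	}
	for _, c := range cases {
		id, err := GetHostedZoneID(challenge, c.r, zones)
		fmt.Printf("%-16s zone id=%q err=%v\n", c.label, id, err)
	}
}
```

Against the authoritative resolver the walk reaches example.com. and the zone id is found; against the internal resolver it stops at the very first query and GetHostedZoneID fails with "hosted zone not found", which is the symptom reported above. That is also why pointing the client at the domain's authoritative nameservers (the acme.resolvers setting mentioned earlier in the thread) works: the walk then sees SOA answers only where a zone really starts.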