Acme delegation to cloudflare

I'm tryin to understand and configure (my first) dns delegation for _acme-challange to another domain.

Example: in our azure cloud zone. But I would like (if possible) to delegate to another domain called which is hosted on Cloudflare.

Now, I'm no sure should I create NS or CNAME records in zone.
And what to add in cloudflare in zone

Because when I tried to create wildcard cert * on cloudflare api, I got rejected from cloudflare that zone does not exist.

I'm missing one (or more) steps. Can anyone give example which records to add in which zone?

Thank you in advance

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

In reading through your description, it sounds to me like you're trying to get a Cloudflare certificate (possibly an Origin CA cert) for domain1. Is that correct? What I'm confused about is how you think you're going to get Cloudflare to issue a certificate via ACME with their API since Cloudflare isn't an ACME CA. To my knowledge, Cloudflare only issues two types of certificates: publicly-trusted certs for domains for which they are proxying and non-publicly-trusted certs (aka Origin CA certs) for backend servers to which they are proxying. What exactly is the relationship you're trying to establish between these two domain names? Is it purely for certificate issuance purposes?


@griffin It's also common for people to use Cloudflare as their DNS provider as there are multiple ACME clients with Cloudflare DNS challenge integration.

@davorbettercare If you want to use the dns-01 challenge using Cloudflare, you need to add to your Cloudflare account. Cloudflare will present you two of their nameservers. Note that it isn't required to entirely change the DNS provider from Azure to Cloudflare with those 2 nameservers: it should be possible to simply add those two nameservers as NS RR to the _acme-challenge label only in your Azure DNS zone editor. There's no need to include in this.

What do you mean by this? Looks like we're kinda confused to what you're actually trying to achieve. Can you please elaborate on that?


Exactly. :wink:


At the time I wrote this topic, I did know exactly how to do it.

For some reason I wanted to delegate _acme-challenge txt records ( to another domain (
Since Azure has limits on principal service account, where secret is valid only 2 years, I wanted to use Cloudflare for delegation, because there is no limit on api access token.

Idea was delegate acme-challenge from my zone in Azure DNS to cloudflare zone.
But when I read the plugin more in details and had a look in a code of plugin, I realized this kind of delegation is possible only inside Azure DNS service.

I'm still looking to a solution with lower maintenance (no inbound access to VM) ssl renewal, because changing token every 2 years on multiple VMs is not a good idea.

EDIT: just found an option to use ssh key instead pf generated secret
EDIT2: ah, it's not ssh key, it's certificate and this has expirate date too...

You also have to watch out for cloudflare having their own hidden _acme-challenge DNS entry for your domain, which they use for their own certificate renewals against your domain.

In general though, you can create an CNAME record and point to (or even a differntly named record) and as long as your client has updated the target record TXT value it will work ok, as Let's Encrypt will follow the CNAME redirection if it can.

[Note: lots of exist acme clients cannot support this method due to limitations of their DNS providers as it often requires a substitution of the first domain with the second domain, due to the way zones are resolved by DNS integration code]


Another idea is to run your own instance of acme-dns and CNAME challenges to that: GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.

There is also Certify DNS which can be used in tandem with rfc8657


Idea with letting cloudflare to deal with _acme-challenge sounds very good, but not completely sure how to do that.

I assume I need to add NS cloudflare ns server

That will resolve TXT record on Cloudflare.
What about subdomains, do I need to add _acme-challenge NS record for every subdomain?

You need to use a CNAME for each _acme-challenge (which is one per domain/subdomain).

I'm pretty sure there is no way to delegate _acme-challenge.* in one zone to some other zone. NS is for delegating lookups for entire subdomains.


I believe that is possible, just as @davorbettercare suggested in the previous post.

1 Like

Thanks, every day is (potentially) a school day!

My interpretation (which could be wrong) is that would only redirect a specific _acme-challenge record to an entire zone and still only resolve to a single TXT record at the root of that target zone, but it wouldn't let you redirect both _acme-challenge.whatever.yourdomain and to an _acme-challenge record in your target zone without having an NS record for each variation.

I feel like if there was a way to cleanly delegate _acme-challenge.* to a different zone we'd have seen it used a lot already, instead of setting up individual CNAMEs.


I think these concepts prevent generalized delegation:
In DNS...

  • Only a single wildcard can be specified in a domain name
  • A wildcard must be the leftmost label (before the first dot) of a domain name
  • A wildcard only matches for a single label, not every sublabel
  • A wildcard in a source domain name is only used for matching (i.e. there isn't some kind of regex substitution going on from source to sink)
  • A DNAME provides a kind of exception to the above, but it operates en masse and is very rarely used (or useful)

Ah, I see what you mean now, I missed the * earlier.. Not sure if such a wildcard "in the middle" works. Not for certificates of course, but I'd say perhaps for DNS software it could work? I dunno, couldn't find a clear answer about BIND for example.


Perhaps in database driven DNS systems [like: PowerDNS], such a wildcard entry may within an SQL statement match multiple requests.
[just speculation on my part - I would never use a wildcard this way]

On second thought, it would take some tweaking; As "*" and "%" are unequal by default.


It would be a pretty cool feature especially for challenges and TXT records in general to save polluting the real zone with miscellaneous records, and it would make "sacrificial" zones for auth much easier.

1 Like

The canonical name doesn't need to match the alias. The important part is that the ACME client uses the correct alias in the challenge and updates the canonical name with challenge token. The ACME validator will follow the CNAME and find that token.


True, but if you imagine being the next person who has to maintain that you're going to hope they've followed some sort of standard, and I think some clients do require _acme-challenge specifically because that's what they're configured to update in the target zone.


I wouldn't start the canonical name with anything other than _acme-challenge. I was referring more to the next label. You can safely use the same canonical name with more than one alias. Obviously some quantity may eventually have a collision risk. My sample ratio is currently at 2:1 without complication.


Sure, yes I believe the limit is 4096 bytes, so it gets unpredictable as you reach about 90 entries against one TXT record, I think many services would fail to update before that.

1 Like

What limit are you referencing?