Challenge types when _acme-challenge is in use by Cloudflare

We run Kubernetes clusters in Azure on a private network and have happily been using cert-bot to create our _acme-challenge TXT files in Azure DNS, so that we have a local wildcard SSL cert on the clusters, as a number of our services only route over the private network.

We also run public ingress for public-facing services on these clusters, and for other non-k8s services, via Cloudflare.

For the big picture, our parent domain has a catch-all DNS A record that points to a 3rd-party hosting provider, because - hey, marketing.....

A couple of months ago we were updated by Cloudflare to use their new DCV service for automatic TLS edge certs; this requires setting a permanent _acme-challenge CNAME to Cloudflare internals.

Scroll on to now, and I'm starting to get warnings that Kubernetes certs are not renewing, the error being that cert-manager is unable to create the TXT record because Cloudflare needs the permanent _acme-challenge CNAME.

I could do with some ideas on how to get around this, please........

We have looked at using the http01 challenge on the cluster; however, as we then discovered, our parent domain A record goes directly to a 3rd-party site, so we can't redirect the /.well-known/ path.

Help...

Hmm, I did have the problem but I use cloudflare for DNS anyway and can't remember how I solved it.

Can you create the CNAME or does it just not resolve to the correct value? Really they should dynamically give their own record priority just during their own domain validation but that's probably not what happens currently.


With the DNS option it throws up an error that it can't create the TXT record, as the name (Cloudflare) exists.

For HTTP, as the pinnacle record points to a third party, we can't then post the well-known token on that site.

Hi @Marcus-James-Adams, and welcome to the LE community forum :)

Sounds like you may need a separate subdomain.
[one that isn't managed by Cloudflare]


Or temporarily remove the CNAME and put it back later.

CF is correct in that CNAMEs are not allowed to exist next to other RRs (such as TXT RRs), except DNSSEC RRs.

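As an added example (not part of this thread, and not cert-manager's or Cloudflare's code), here is a small Python model of the rule in the reply above, that a CNAME may share an owner name only with DNSSEC RRs (RFC 1034 section 3.6.2, RFC 4035 section 2.5), replayed against the three situations discussed: the refused TXT write, the temporary CNAME removal, and a separate subdomain delegated away from Cloudflare. Resolvers and ACME validators follow CNAMEs when fetching the _acme-challenge TXT record, which `resolve_txt` mimics. The zone names, the Cloudflare-side CNAME target (`dcv.cloudflare.invalid`) and the tokens are constructed for the example and are not Cloudflare's real values.

```python
"""Model of CNAME exclusivity and of DNS-01 TXT lookup following CNAMEs.

All zone names, targets and tokens are constructed for this example;
"dcv.cloudflare.invalid" is a stand-in, not Cloudflare's real DCV target.
"""
from __future__ import annotations

from collections import defaultdict

DNSSEC_TYPES = frozenset({"RRSIG", "NSEC"})  # the only RRs allowed beside a CNAME
MAX_CNAME_HOPS = 8  # resolvers cap CNAME chains to avoid loops


class RecordConflict(Exception):
    """A write that would break CNAME exclusivity at an owner name."""


def canon(name: str) -> str:
    """Normalise an owner name: drop trailing dot, lower-case."""
    return name.rstrip(".").lower()


class Zone:
    """One hosted zone (e.g. the Cloudflare-managed parent or an Azure DNS child)."""

    def __init__(self, origin: str) -> None:
        self.origin = canon(origin)
        # owner name -> rrtype -> list of rdata strings
        self.rrsets: dict[str, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))

    def contains(self, name: str) -> bool:
        name = canon(name)
        return name == self.origin or name.endswith("." + self.origin)

    def add(self, name: str, rtype: str, rdata: str) -> None:
        name, rtype = canon(name), rtype.upper()
        present = {t for t, v in self.rrsets[name].items() if v}
        if rtype == "CNAME" and (present - DNSSEC_TYPES):
            raise RecordConflict(f"{name}: CNAME cannot be added beside {sorted(present - DNSSEC_TYPES)}")
        if rtype not in DNSSEC_TYPES | {"CNAME"} and "CNAME" in present:
            # The thread's case: a TXT write refused because a CNAME already owns the name.
            raise RecordConflict(f"{name}: {rtype} cannot be added, a CNAME already exists")
        self.rrsets[name][rtype].append(rdata)

    def delete(self, name: str, rtype: str) -> None:
        self.rrsets[canon(name)].pop(rtype.upper(), None)

    def get(self, name: str, rtype: str) -> list[str]:
        return list(self.rrsets.get(canon(name), {}).get(rtype.upper(), []))


def resolve_txt(zones: list[Zone], name: str) -> list[str]:
    """What a DNS-01 validator effectively does: fetch TXT at the challenge
    name, following CNAMEs into whichever zone (longest origin match) holds
    the target name."""
    name = canon(name)
    for _ in range(MAX_CNAME_HOPS):
        zone = max((z for z in zones if z.contains(name)), key=lambda z: len(z.origin), default=None)
        if zone is None:
            return []
        cname = zone.get(name, "CNAME")
        if cname:
            name = canon(cname[0])
            continue
        return zone.get(name, "TXT")
    raise RuntimeError("CNAME chain too long")


def demo() -> dict[str, object]:
    """Replay the three situations from the thread; return the outcomes."""
    cf = Zone("example.com")                      # parent zone, Cloudflare-managed
    cf_side = Zone("dcv.cloudflare.invalid")      # stand-in for Cloudflare's own zone
    azure = Zone("internal.example.com")          # child zone delegated to Azure DNS
    cf.add("_acme-challenge.example.com", "CNAME", "_acme-challenge.example.com.dcv.cloudflare.invalid")
    cf_side.add("_acme-challenge.example.com.dcv.cloudflare.invalid", "TXT", "cf-dcv-token")
    zones = [cf, cf_side, azure]
    out: dict[str, object] = {}

    # 1. cert-manager tries to write its TXT beside the permanent CNAME.
    try:
        cf.add("_acme-challenge.example.com", "TXT", "token-A")
        out["apex_txt_write"] = "ok"
    except RecordConflict:
        out["apex_txt_write"] = "conflict"
    # Cloudflare's own validation still works: the validator follows the CNAME.
    out["cf_dcv_txt"] = resolve_txt(zones, "_acme-challenge.example.com")

    # 2. Temporarily remove the CNAME, write the TXT, validate, then restore it.
    cf.delete("_acme-challenge.example.com", "CNAME")
    cf.add("_acme-challenge.example.com", "TXT", "token-A")
    out["after_remove_cname"] = resolve_txt(zones, "_acme-challenge.example.com")
    cf.delete("_acme-challenge.example.com", "TXT")
    cf.add("_acme-challenge.example.com", "CNAME", "_acme-challenge.example.com.dcv.cloudflare.invalid")

    # 3. Issue for names under a subdomain whose zone Cloudflare does not manage,
    #    e.g. a wildcard for *.internal.example.com validated at its own challenge name.
    azure.add("_acme-challenge.internal.example.com", "TXT", "token-B")
    out["delegated_subdomain"] = resolve_txt(zones, "_acme-challenge.internal.example.com")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `Zone.add` check is the same condition Cloudflare's API is enforcing when it refuses the TXT record: any non-DNSSEC RRset at a name that already has a CNAME is rejected, and so is a second CNAME. Option 2 works but leaves a window in which the Cloudflare DCV CNAME is absent, so it is a manual, time-boxed workaround; option 3 avoids the clash entirely because the challenge name lives under a different owner name in a zone you control.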
