Error when multiple servers request certs for same domain using cloudflare dns

Hi, I have problems creating certs for the same domain from multiple servers.

I’m running multiple traefik v2 instances in docker, each instance uses Lets Encrypt Cloudflare DNS for cert creation.
Each traefik instance creates certs for the same insanegenenius.net and *.insanegenius.net domains, and each traefik instance uses its own acme.json file.

The first traefik instance gets the certs fine, subsequent traefik instances fail to get certs.

A variety of errors, notably:

time="2020-07-03T11:43:34-07:00" level=error msg="Unable to obtain ACME certificate for domains \"insanegenius.net,*.insanegenius.net\" : unable to generate a certificate for the domains [insanegenius.net *.insanegenius.net]: error: one or more domains had a problem:\n[*.insanegenius.net] [*.insanegenius.net] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\\"result\\\":null,\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":81057,\\\"message\\\":\\\"The record already exists.\\\"}],\\\"messages\\\":[]}\"\n[insanegenius.net] [insanegenius.net] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\\"result\\\":null,\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":81057,\\\"message\\\":\\\"The record already exists.\\\"}],\\\"messages\\\":[]}\"\n" providerName=dns-cloudflare.acme,

Traefik config using Ansible, all servers use the same config, the docker containers and their networks per server instance is different:

- name: 'Install Traefik'
  docker_container:
    name: traefik
    image: traefik
    pull: true
    hostname: "traefik-{{ ansible_hostname }}"
    domainname: "{{ ansible_domain }}"
    restart_policy: unless-stopped
    command:
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network={{ docker_local_network }}"
      # SMTP port 25
      - "--entrypoints.smtp.address=:25"
      # HTTP port 80
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # HTTPS port 443
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls.certresolver=dns-cloudflare"
      - "--entrypoints.websecure.http.tls.domains[0].main={{ ansible_fqdn }}"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.{{ ansible_domain }}"
      - "--entrypoints.websecure.http.tls.domains[1].main={{ external_domain }}"
      - "--entrypoints.websecure.http.tls.domains[1].sans=*.{{ external_domain }}"
      # SSL certs
      - "--certificatesresolvers.dns-cloudflare.acme.email={{ cloudflare_email }}"
      - "--certificatesresolvers.dns-cloudflare.acme.storage=/config/acme.json"
      - "--certificatesResolvers.dns-cloudflare.acme.dnschallenge.provider=cloudflare"
    env:
      TZ: "America/Los_Angeles"
      CF_DNS_API_TOKEN: "{{ cloudflare_dns_api_token }}"
    volumes:
      - "{{ appdata_dir }}/traefik/config:/config"
      - "/var/run/docker.sock:/var/run/docker.sock"
    networks_cli_compatible: yes
    purge_networks: yes
    networks:
      - name: "{{ docker_local_network }}"
    published_ports:
      - 80:80
      - 443:443
      - 8080:8080

Looking at the acme.json I can see that the different servers create different lets encrypt accounts and use different private keys.

Looking at CloudFlare DNS I can see two CNAME entries with unique values.

I suspect that the problem has something to do with how the CloudFlare DNS entries are mapped to the acme.json lets encrypt account.

How do I configure the traefik or certbot or cloudflare dns to allow multiple server instances to create certs for the same domain?

Btw, I noticed with all my testing I am now being rate limited, but the problems happened before rate limiting kicked in.

1 Like

My personal opinion is: don’t. I think you should find a solution where you get just one certificate en redistribute this cert and private key securely between the traefik instances.

1 Like

Ok, thx.
Btw I also asked here: https://community.containo.us/t/multiple-traefik-instances-using-same-letsencrypt-domain-fails-to-create-certs/6758

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.