Help Needed: Error with Let's Encrypt Wildcard Certificates on Cosmos Server/LEGO using Cloudflare DNS Challenge

Hello Let's Encrypt Community,

I am encountering a problem with setting up wildcard certificates on my Cosmos Server, particularly when trying to complete the Cloudflare DNS challenge. Below are the details as per the forum guidelines:

  • My domain is: nerdbox.win
  • I ran this command: Startup command for Cosmos Server. (Cosmos Server handles Let's Encrypt certificates automatically using LEGO.)
  • It produced this output:
    error: one or more domains had a problem: [*.nerdbox.win] [nerdbox.win] acme: error presenting token: cloudflare: could not find zone for domain "nerdbox.win" [_acme-challenge.nerdbox.win.] acme: error presenting token: cloudflare: could not find zone for domain "nerdbox.win" [_acme-challenge.nerdbox.win.]: unexpected response code 'SERVFAIL' for _acme-challenge.nerdbox.win. [nerdbox.win] acme: error presenting token: cloudflare: could not find zone for domain "nerdbox.win" [_acme-challenge.nerdbox.win.]: unexpected response code 'SERVFAIL' for _acme-challenge.nerdbox.win.
  • My web server is: Built-in web server of Cosmos Server.
  • The operating system my web server runs on is: Ubuntu 20.04.
  • My hosting provider, if applicable, is: Self-hosted on a private server.
  • I can log in to a root shell on my machine: Yes.
  • I'm using a control panel to manage my site: No.
  • The version of my client is: N/A (Cosmos Server manages Let's Encrypt integration using LEGO).

I'm seeking assistance in understanding and resolving the 'SERVFAIL' response code issue and ensuring proper configuration for Cloudflare DNS challenge with wildcard certificates on Cosmos Server. Any help or guidance would be greatly appreciated.

Thank you in advance for your support.

A SERVFAIL with Cloudflare is very unusual. And, I cannot reproduce it now.

But, I would focus on the first error. Does it repeat if you retry it?

acme: error presenting token: cloudflare: could not find zone for domain "nerdbox.win" [_acme-challenge.nerdbox.win.]

This is saying lego got an error from the Cloudflare API and could not locate that zone. If the Cloudflare API cannot access that zone, no one else would either.

Can you reproduce the problem using just lego? (not through Cosmos). If the access keys were wrong I'd think you'd get a different error. But, are you using the right kind of keys? You may need to ask about this on the Cloudflare community forum.

https://go-acme.github.io/lego/dns/cloudflare/

5 Likes
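For anyone landing here with the same "could not find zone" message, here is an added check that is not lego's code and not from this thread: it asks the Cloudflare API directly which zone the configured credential can see, reading the same environment variables lego's cloudflare provider accepts (CLOUDFLARE_DNS_API_TOKEN, or CLOUDFLARE_EMAIL plus CLOUDFLARE_API_KEY, as documented on the lego page linked above). It separates "credential rejected" from "credential accepted but this zone is not in the account it belongs to", and prints the zone status, since a zone still "pending" at Cloudflare is not yet authoritative for anything. The function names, the response struct and the sample responses in the test are mine, not Cloudflare's or lego's.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"time"
)

// zoneListing is the part of the v4 API's GET /zones envelope this check reads.
type zoneListing struct {
	Success bool `json:"success"`
	Errors  []struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	} `json:"errors"`
	Result []struct {
		ID     string `json:"id"`
		Name   string `json:"name"`
		Status string `json:"status"` // "active" once Cloudflare sees its nameservers at the registrar
	} `json:"result"`
}

// authHeaders reads the variables lego's cloudflare provider accepts:
// CLOUDFLARE_DNS_API_TOKEN (scoped token, preferred) or CLOUDFLARE_EMAIL plus
// CLOUDFLARE_API_KEY (the global key, which is full access to the whole account).
func authHeaders(getenv func(string) string) (http.Header, error) {
	h := http.Header{}
	if tok := getenv("CLOUDFLARE_DNS_API_TOKEN"); tok != "" {
		h.Set("Authorization", "Bearer "+tok)
		return h, nil
	}
	email, key := getenv("CLOUDFLARE_EMAIL"), getenv("CLOUDFLARE_API_KEY")
	if email == "" || key == "" {
		return nil, errors.New("set CLOUDFLARE_DNS_API_TOKEN, or CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY")
	}
	h.Set("X-Auth-Email", email)
	h.Set("X-Auth-Key", key)
	return h, nil
}

// classify separates the three outcomes that matter: credential rejected,
// credential accepted but the zone is not visible to it, or zone found.
func classify(body []byte, zone string) (zoneID, status string, err error) {
	var l zoneListing
	if uerr := json.Unmarshal(body, &l); uerr != nil {
		return "", "", fmt.Errorf("not a Cloudflare API envelope: %w", uerr)
	}
	if !l.Success {
		msg := "API rejected the request:"
		for _, e := range l.Errors {
			msg += fmt.Sprintf(" [%d] %s", e.Code, e.Message)
		}
		return "", "", errors.New(msg)
	}
	for _, z := range l.Result {
		if z.Name == zone {
			return z.ID, z.Status, nil
		}
	}
	return "", "", fmt.Errorf("credential accepted, but zone %q is not in its zone list: wrong account, or a token not scoped to this zone", zone)
}

// lookupZone performs GET /client/v4/zones?name=<zone> with the given headers.
func lookupZone(client *http.Client, h http.Header, zone string) (string, string, error) {
	req, err := http.NewRequest(http.MethodGet, "https://api.cloudflare.com/client/v4/zones?name="+url.QueryEscape(zone), nil)
	if err != nil {
		return "", "", err
	}
	req.Header = h
	resp, err := client.Do(req)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", "", err
	}
	return classify(body, zone)
}

func main() {
	zone := "nerdbox.win" // the thread's domain; pass another one as the first argument
	if len(os.Args) > 1 {
		zone = os.Args[1]
	}
	h, err := authHeaders(os.Getenv)
	if err != nil {
		fail(err)
	}
	id, status, err := lookupZone(&http.Client{Timeout: 10 * time.Second}, h, zone)
	if err != nil {
		fail(err)
	}
	fmt.Printf("zone %s: id=%s status=%s\n", zone, id, status)
}

func fail(err error) {
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}
```

Run it with the variables exported, the same way lego would see them. Prefer the token form: a global API key is the entire account, while a token can be limited to DNS edits on the single zone the challenge needs, which is also what the lego docs recommend.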

Thank you for your answer @MikeMcQ.

Following your suggestion, I installed Lego on bare Ubuntu 22.04 using sudo aptitude -y install lego. Using the following command (of course with my appropriate keys and mail)

CLOUDFLARE_EMAIL=you@example.com \
CLOUDFLARE_API_KEY=b9841238feb177a84330febba8a83208921177bffe733 \
lego --email you@example.com --dns cloudflare --domains *.nerdbox.win run

I get the following response: unrecognized DNS provider: cloudflare.

This issue seems to be related to not up-to-date lego packages available on Ubuntu, see here and here.

I do not get much information concerning the current version of lego installed.

lego --version
lego version dev linux/amd64

I myself have no experience with building packages from scratch. What are my options here?

EDIT: I think I might have found the issue here. Could this be it?

1 Like

This is beyond my knowledge of lego. You might try the lego github. Or maybe a different volunteer here might happen to know about this.

3 Likes

You shouldn't need to build anything; lego is just a copy-and-execute kind of program. Just pick your system architecture (probably linux amd64 based on the version it shows as currently installed) from the binaries and put it somewhere on your system to run.

3 Likes

Thank you @MikeMcQ. I just downloaded the binary and used it to try and get a certificate (of course, I uninstalled the old version of lego).

I still get the same error, so it does not seem to be version-related.

lego --version
lego version 4.14.2 linux/amd64
2023/12/08 11:56:15 [INFO] [*.nerdbox.win] acme: Obtaining bundled SAN certificate
2023/12/08 11:56:15 [INFO] [*.nerdbox.win] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/291596891726
2023/12/08 11:56:15 [INFO] [*.nerdbox.win] acme: use dns-01 solver
2023/12/08 11:56:15 [INFO] [*.nerdbox.win] acme: Preparing to solve DNS-01
2023/12/08 11:56:45 [INFO] [*.nerdbox.win] acme: Cleaning DNS-01 challenge
2023/12/08 11:57:15 [WARN] [*.nerdbox.win] acme: cleaning up failed: cloudflare: could not find zone for domain "nerdbox.win" (_acme-challenge.nerdbox.win.): could not find the start of authority for _acme-challenge.nerdbox.win.: read udp 127.0.0.1:35936->127.0.0.53:53: i/o timeout
2023/12/08 11:57:15 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/291596891726
2023/12/08 11:57:16 Could not obtain certificates: error: one or more domains had a problem:[*.nerdbox.win] [*.nerdbox.win] acme: error presenting token: cloudflare: could not find zone for domain "nerdbox.win" (_acme-challenge.nerdbox.win.): could not find the start of authority for _acme-challenge.nerdbox.win.: read udp 127.0.0.1:40818->127.0.0.53:53: i/o timeout

Again, I am fully convinced that both my CF_MAIL as well as my CF global API key are correct. I used to use caddy as a reverse proxy before switching to cosmos cloud. Could this make a difference?

1 Like

Isn't that a different error than the one in your first message? That's looking like there's a problem with connecting to the DNS resolver on your system.

4 Likes
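The text after "could not find zone for domain" is what lego's DNS-01 code reports when it walks from _acme-challenge.nerdbox.win. up towards the root, asking the system resolver about each name, and never gets a usable answer. In the first post that walk got SERVFAIL; in the lego-only run the query to 127.0.0.53 (the stub address systemd-resolved listens on) timed out. The program below is an added example, mine rather than lego's and not from this thread: it repeats that walk against a resolver of your choosing so the two failures can be told apart from "the zone really is not there". lego itself looks for an SOA record using its own DNS client; this version looks for NS records, because Go's standard library has no SOA lookup and NS records sit at the same zone cut. The function names, the wording of the hints and the fake lookups in the test are assumptions of the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// nsLookup reports whether name owns NS records. found == false with a nil
// error means "no zone cut at this name" (NXDOMAIN or NODATA): keep walking up.
type nsLookup func(name string) (found bool, err error)

// findZone walks from the challenge name toward the root until a name owns NS
// records; that name is the apex whose zone the TXT record must be created in.
// Any resolver failure aborts the walk: guessing would put the record in the
// wrong zone, so the error carries the name that was being asked about.
func findZone(fqdn string, lookup nsLookup) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		name := strings.Join(labels[i:], ".") + "."
		found, err := lookup(name)
		if err != nil {
			return "", fmt.Errorf("could not find the zone for %s (asked about %s): %w", fqdn, name, err)
		}
		if found {
			return name, nil
		}
	}
	return "", fmt.Errorf("no zone cut found above %s", fqdn)
}

// viaResolver builds an nsLookup that sends every query to one resolver address
// (for example systemd-resolved's stub at 127.0.0.53:53) under a hard deadline.
func viaResolver(addr string, timeout time.Duration) nsLookup {
	r := &net.Resolver{
		PreferGo: true, // Go's own DNS client, so the Dial override is honoured
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{Timeout: timeout}).DialContext(ctx, network, addr)
		},
	}
	return func(name string) (bool, error) {
		ctx, cancel := context.WithTimeout(context.Background(), timeout)
		defer cancel()
		ns, err := r.LookupNS(ctx, name)
		var dnsErr *net.DNSError
		if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
			return false, nil // NXDOMAIN, or NOERROR with no NS records: not an apex
		}
		if err != nil {
			return false, err // SERVFAIL, i/o timeout, connection refused: surface it
		}
		return len(ns) > 0, nil
	}
}

// diagnose maps the error classes seen in this thread to a next step. Go's net
// package reports SERVFAIL (and any other unexpected RCODE) as "server misbehaving".
func diagnose(err error) string {
	var dnsErr *net.DNSError
	switch {
	case err == nil:
		return "ok"
	case !errors.As(err, &dnsErr):
		return "not a DNS error: " + err.Error()
	case dnsErr.IsTimeout:
		return "resolver did not answer in time: check that the local stub (systemd-resolved on Ubuntu) is running and can reach its upstreams, e.g. with resolvectl status"
	case dnsErr.Err == "server misbehaving":
		return "resolver returned SERVFAIL or another unexpected RCODE: it could not resolve the name itself; retry against a different resolver to tell local from upstream trouble"
	case dnsErr.IsTemporary:
		return "socket error talking to the resolver: " + dnsErr.Err
	default:
		return "DNS error: " + dnsErr.Err
	}
}

func main() {
	name, resolver := "_acme-challenge.nerdbox.win.", "127.0.0.53:53" // the thread's name and stub
	if len(os.Args) > 2 {
		name, resolver = os.Args[1], os.Args[2]
	}
	zone, err := findZone(name, viaResolver(resolver, 5*time.Second))
	if err != nil {
		fmt.Fprintf(os.Stderr, "%v\n%s\n", err, diagnose(err))
		os.Exit(1)
	}
	fmt.Printf("zone apex for %s via %s: %s\n", name, resolver, zone)
}
```

Run it once with no arguments to repeat the thread's query against 127.0.0.53:53, then once more with a public resolver, for example `go run . _acme-challenge.nerdbox.win. 1.1.1.1:53` (give names with the trailing dot so no search list is applied). If the stub times out while the public resolver finds nerdbox.win., the machine's own resolver is the problem: lego can be pointed past it with its --dns.resolvers option, but a stub that does not answer will break other things too and is worth fixing.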

I have to admit I am a bit baffled. I repeated the command with the Ubuntu firewall deactivated, and the AP firewall too. I still get the same error. There is no docker network involved, and neither is cosmos cloud. I do not have any other possible thing interfering that I'd be aware of. Could it be related to my IPS?

I think I found the issue.

It seems that Cloudflare did remove the ability to update/create TXT DNS entries for certain TLDs: https://community.cloudflare.com/t/unable-to-update-ddns-using-api-for-some-tlds/167228/59 Me having a .win TLD seems to be the problem here. Hence Cosmos cannot use the API key to create the needed _acme-challenge TXT entry.

Yeah, they restrict some TLDs, but you should get an error saying explicitly that. Your error message is different. I saw a more recent error saying only these TLDs were affected. But, I don't speak for Cloudflare officially.

Jul 13, 2022 — The DNS API cannot be used for domains with .cf, .ga, .gq, .ml, or .tk TLDs

You might try posting your error on their community forum.

3 Likes

.win is not mentioned anywhere in that linked thread. The ones listed were largely TLDs that were available for free from Freenom.

I can personally attest that Cloudflare isn't blocking API based DNS updates or standard DNS requests to .win domains as of a few seconds ago.

5 Likes