Incorrect TXT record found on _acme-challenge.nerdonthefairway.com

That's to be expected. I don't think I can otherwise help, but since * isn't a valid character in a DNS record, when you're getting a cert that covers both domain and *.domain, you'd expect to see two TXT records for _acme-challenge.domain.

4 Likes
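The point in the reply above, as an added Go example (not code from this thread, lego or Traefik): per RFC 8555 section 8.4 a wildcard and its base domain publish their DNS-01 responses at the same `_acme-challenge` name, so two TXT values are expected there. The function names, tokens and account-key thumbprint are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// ChallengeFQDN returns the name where the DNS-01 TXT record for an
// identifier is published. The leading "*." of a wildcard is dropped,
// so a wildcard and its base domain share one challenge name.
func ChallengeFQDN(identifier string) string {
	return "_acme-challenge." + strings.TrimPrefix(identifier, "*.") + "."
}

// TXTValue is the unpadded base64url encoding of
// SHA-256(token + "." + account key thumbprint).
func TXTValue(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + thumbprint))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ExpectedRecords groups the TXT values a validator expects by challenge
// name. tokens maps each identifier to the token of its authorization.
func ExpectedRecords(tokens map[string]string, thumbprint string) map[string][]string {
	out := make(map[string][]string)
	for id, tok := range tokens {
		fqdn := ChallengeFQDN(id)
		out[fqdn] = append(out[fqdn], TXTValue(tok, thumbprint))
	}
	return out
}

func main() {
	// Constructed sample values; real tokens are issued by the CA,
	// one per authorization.
	thumbprint := "constructed-account-key-thumbprint"
	tokens := map[string]string{
		"nerdonthefairway.com":        "constructed-token-root",
		"*.nerdonthefairway.com":      "constructed-token-wildcard",
		"*.home.nerdonthefairway.com": "constructed-token-home",
	}
	for fqdn, vals := range ExpectedRecords(tokens, thumbprint) {
		fmt.Println(fqdn, len(vals), vals)
	}
}
```

A cleanup step that deletes every TXT record at the name, rather than only the value it created, can remove the other identifier's record while it is still needed.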

Thanks all. Sorry for the duplicate and thank you for combining topics.
Here is some more information that tells me propagation is not the issue... but I could be wrong. The screenshot below shows that propagation is complete, which I checked using the dig command.

Here is the screenshot of the errors; the timestamp in the right corner shows it's after the propagation:

Here is the last error for the root domain and the wildcard, which is also after the propagation is complete.

I would appreciate your help. Thanks.

The SERVFAIL error code indicates the Cloudflare authoritative nameservers might have some issues. I'd recommend opening a support ticket and providing the details you pasted here.

2 Likes

That may not have a useful outcome, and won't even be an option on a free plan. Asking specific and relevant questions in the Cloudflare Community will likely be more effective, if it even is a Cloudflare issue.

It is hard to evaluate screenshots of text in forum posts while using mobile, so I haven't been able to see the SERVFAIL response. Using </> Preformatted text in Discourse forum posts tends to be easier to review on all platforms.

3 Likes

I'm copying text from my logs... hope this helps:

```
2025-03-05T21:02:06Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.nerdonthefairway.com] acme: Preparing to solve DNS-01 lib=lego
2025-03-05T21:02:07Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] cloudflare: new record for home.nerdonthefairway.com, ID d2005eeb28a69d84c42ad43adb632dc0 lib=lego
2025-03-05T21:02:07Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.home.nerdonthefairway.com] acme: Trying to solve DNS-01 lib=lego
2025-03-05T21:02:07Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.home.nerdonthefairway.com] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53,1.0.0.1:53] lib=lego
2025-03-05T21:02:07Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] cloudflare: new record for nerdonthefairway.com, ID 948d6e11b881e6c517d7d54175cd3b4a lib=lego
2025-03-05T21:02:07Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [nerdonthefairway.com] acme: Preparing to solve DNS-01 lib=lego
2025-03-05T21:02:07Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] cloudflare: new record for nerdonthefairway.com, ID 2c5bddd6c11c25bc29cf8cc901b7f44b lib=lego
2025-03-05T21:02:07Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.nerdonthefairway.com] acme: Trying to solve DNS-01 lib=lego
2025-03-05T21:02:07Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.nerdonthefairway.com] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53,1.0.0.1:53] lib=lego
2025-03-05T21:02:09Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Wait for propagation [timeout: 2m0s, interval: 2s] lib=lego
2025-03-05T21:02:09Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Wait for propagation [timeout: 2m0s, interval: 2s] lib=lego
2025-03-05T21:03:09Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.home.nerdonthefairway.com] acme: Waiting for DNS record propagation. lib=lego
2025-03-05T21:03:09Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.nerdonthefairway.com] acme: Waiting for DNS record propagation. lib=lego
2025-03-05T21:04:11Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.home.nerdonthefairway.com] acme: Waiting for DNS record propagation. lib=lego
2025-03-05T21:04:11Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.nerdonthefairway.com] acme: Waiting for DNS record propagation. lib=lego
2025-03-05T21:04:13Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.home.nerdonthefairway.com] acme: Cleaning DNS-01 challenge lib=lego
2025-03-05T21:04:13Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [nerdonthefairway.com] acme: Trying to solve DNS-01 lib=lego
2025-03-05T21:04:14Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [nerdonthefairway.com] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53,1.0.0.1:53] lib=lego
2025-03-05T21:04:14Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz/188104234/16292611774 lib=lego
2025-03-05T21:04:14Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:553 > Unable to obtain ACME certificate for
 domains error="unable to generate a certificate for the domains [*.home.nerdonthefairway.com]:
error: one or more domains had a problem:\n[*.home.nerdonthefairway.com] propagation: time limit exceeded:
last error: authoritative nameservers: NS ed.ns.cloudflare.com.:53 returned SERVFAIL for _acme-challenge.home.nerdonthefairway.com.\n"
ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory
acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["*.home.nerdonthefairway.com"] providerName=cloudflare.acme
routerName=traefik-secure@docker rule=Host(`dashboard.nerdonthefairway.com`)
2025-03-05T21:04:16Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Wait for propagation [timeout: 2m0s, interval: 2s] lib=lego
2025-03-05T21:05:16Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [nerdonthefairway.com] acme: Waiting for DNS record propagation. lib=lego
2025-03-05T21:06:18Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [nerdonthefairway.com] acme: Waiting for DNS record propagation. lib=lego
2025-03-05T21:06:20Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.nerdonthefairway.com] acme: Cleaning DNS-01 challenge lib=lego
2025-03-05T21:06:20Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [nerdonthefairway.com] acme: Cleaning DNS-01 challenge lib=lego
2025-03-05T21:06:20Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz/188104234/16292611874 lib=lego
2025-03-05T21:06:21Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz/188104234/16292611884 lib=lego
2025-03-05T21:06:21Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:553 > Unable to obtain ACME certificate for
domains error="unable to generate a certificate for the domains [nerdonthefairway.com *.nerdonthefairway.com]:
error: one or more domains had a problem:\n[*.nerdonthefairway.com] propagation: time limit exceeded:
last error: authoritative nameservers: NS ed.ns.cloudflare.com.:53 returned SERVFAIL for _acme-challenge.nerdonthefairway.com.\n
[nerdonthefairway.com] propagation: time limit exceeded: last error: authoritative nameservers: NS ed.ns.cloudflare.com.:53
returned SERVFAIL for _acme-challenge.nerdonthefairway.com.\n"
ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory
domains=["nerdonthefairway.com","*.nerdonthefairway.com"] providerName=cloudflare.acme routerName=traefik-secure@docker
```

I have verified that the DNS records have propagated. I verified this using the dig command.

2 Likes

This does seem an unusual response for Cloudflare, their DNS is usually pretty strong:
ed.ns.cloudflare.com.:53 returned SERVFAIL for _acme-challenge.home.nerdonthefairway.com

Worth a support ticket with them, or at least with their support community.

3 Likes

Wanted to update everyone: this issue is fixed. I needed to add the following lines in my static config.

```yaml
dnsChallenge:
  # ...
  propagation:
    # ...
    disableChecks: true
```

The domain is validated and I get the correct certs. Thanks everyone.

3 Likes
