Non-glue record that is beneath a delegated child zone

I'm trying to renew a Let's Encrypt certificate that I've had no problem renewing before, using DNS for authentication for a wildcard for *.sslip.smartcitiestransport.com. I set it up based on Welcome to sslip.io in August and have renewed twice with no problem. I need to have sslip.io's name servers set for sslip.smartcitiestransport.com, and Cloudflare (who I have for smartcitiestransport.com) seems to no longer allow creating _acme-challenge.sslip.smartcitiestransport.com. Can I tell Let's Encrypt to use _acme-challenge.smartcitiestransport.com?

My domain is:

  • *.sslip.smartcitiestransport.com

I ran this command:

  • sudo certbot renew

It produced this output:

  • Encountered CloudFlareAPIError adding TXT record: 89018 Cannot create a non-glue record that is beneath a delegated child zone.

My web server is (include version):

  • N/A (DNS)

The operating system my web server runs on is (include version):

  • N/A (DNS)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

  • yes (not relevant)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

  • no (not relevant)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

  • certbot 1.12.0

Hi @jayenashar

That's expected. If you delegate a zone, it's no longer the job of the parent zone to manage TXT records.

Not "can", you must. Cloudflare is the wrong name server; you have to use your ns-aws.nono.io, ns-azure.nono.io and ns-gce.nono.io name servers.

But these name servers may not support an API (supported via Certbot), so you can't use automation.

Thanks for your quick reply.

It's unexpected for me, as it has been working for months.

I will try removing the delegation, renewing the certificate, and then re-adding the delegation.

That's not really possible.

If it had worked, your delegation didn't work.

I understand it sounds crazy, but Cloudflare must have been allowing me to add _acme-challenge.sslip.smartcitiestransport.com and returning the A record when queried, instead of returning the NS record. They must have been checking A records for an exact match before checking if any subdomain had an NS record.

I know for sure I didn't have this problem when I renewed the records before. It's possible I got the cert before I created the records, but I didn't touch the records again until today, and the renewal and NS records have been working.
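The two posts above turn on one DNS fact: once a parent zone delegates a child with an NS record, a name at or beneath that cut belongs to the child zone, so the DNS-01 `_acme-challenge` TXT record has to be published on the child's name servers, not at the parent's provider. The script below is an added example, not code from this thread, from Certbot or from Cloudflare. It walks a constructed copy of the parent zone's records (the Cloudflare name server names are placeholders; the nono.io names are the ones given in the thread) to find the zone cut, reports where the challenge record must live, and models the two behaviours discussed: the strict "non-glue record beneath a delegated child zone" refusal, and jayenashar's hypothesis that an exact match used to be answered before the delegation was checked.

```python
"""Added example: which zone owns the DNS-01 _acme-challenge record once a
subdomain is delegated, and how the parent's API/server behaves at the cut.
All zone data below is constructed for the example."""
from typing import Dict, List, Optional, Tuple

RRsets = Dict[Tuple[str, str], List[str]]  # (owner, type) -> record data

PARENT_APEX = "smartcitiestransport.com"
# Constructed records for the parent zone as hosted at the parent's DNS provider.
PARENT_RECORDS: RRsets = {
    ("smartcitiestransport.com", "NS"): ["ns1.cf-placeholder.example", "ns2.cf-placeholder.example"],
    ("smartcitiestransport.com", "A"): ["192.0.2.10"],
    # Delegation of the child zone to the sslip.io name servers named in the thread.
    ("sslip.smartcitiestransport.com", "NS"): ["ns-aws.nono.io", "ns-azure.nono.io", "ns-gce.nono.io"],
}


class DelegationError(Exception):
    """Raised when a non-glue record would be placed at or beneath a zone cut."""


def labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def find_zone_cut(name: str, records: RRsets, apex: str) -> Optional[Tuple[str, List[str]]]:
    """Return (cut_name, nameservers) if `name` is at or beneath a delegation
    in this zone, else None. Walks top-down from the apex so the parent's own
    direct delegation is what decides, as a parent server would answer."""
    n, a = labels(name), labels(apex)
    if len(n) < len(a) or n[-len(a):] != a:
        raise ValueError(f"{name} is not within {apex}")
    for depth in range(len(a) + 1, len(n) + 1):
        candidate = ".".join(n[-depth:])
        ns = records.get((candidate, "NS"))
        if ns:
            return candidate, ns
    return None


def acme_challenge_owner(identifier: str) -> str:
    """DNS-01 owner name; a wildcard identifier is validated at its base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def where_to_publish(identifier: str, records: RRsets = PARENT_RECORDS,
                     apex: str = PARENT_APEX) -> Tuple[str, str, List[str]]:
    """(owner, authoritative zone, that zone's name servers) for the TXT record."""
    owner = acme_challenge_owner(identifier)
    cut = find_zone_cut(owner, records, apex)
    if cut is None:
        return owner, apex, records[(apex, "NS")]
    return owner, cut[0], cut[1]


def add_record_strict(records: RRsets, owner: str, rtype: str, value: str,
                      apex: str = PARENT_APEX) -> None:
    """Behaviour Cloudflare describes in the thread: at or beneath a cut only the
    NS records and glue (A/AAAA for a name server inside the child) are accepted."""
    cut = find_zone_cut(owner, records, apex)
    if cut is not None:
        is_glue = rtype in ("A", "AAAA") and owner.lower() in [ns.lower() for ns in cut[1]]
        if rtype != "NS" and not is_glue:
            raise DelegationError(
                "Cannot create a non-glue record that is beneath a delegated child zone")
    records.setdefault((owner, rtype), []).append(value)


def try_add_strict(records: RRsets, owner: str, rtype: str, value: str) -> Optional[str]:
    """Same as add_record_strict but returns the error text instead of raising."""
    try:
        add_record_strict(records, owner, rtype, value)
        return None
    except DelegationError as e:
        return str(e)


def lookup(records: RRsets, owner: str, rtype: str, delegation_first: bool,
           apex: str = PARENT_APEX) -> Tuple[str, List[str]]:
    """Answer a query from the parent's data. delegation_first=True is the
    standard algorithm (RFC 1034 section 4.3.2): a cut above the name yields a
    referral no matter what else is stored. delegation_first=False models the
    hypothesis in the thread that an exact match used to win over the delegation."""
    exact = records.get((owner, rtype))
    cut = find_zone_cut(owner, records, apex)
    if not delegation_first and exact:
        return "ANSWER", exact
    if cut is not None:
        return "REFERRAL", cut[1]
    return ("ANSWER", exact) if exact else ("NODATA", [])


if __name__ == "__main__":
    owner, zone, ns = where_to_publish("*.sslip.smartcitiestransport.com")
    print(f"publish {owner} TXT in zone {zone} on {', '.join(ns)}")
    print(try_add_strict(dict(PARENT_RECORDS), owner, "TXT", "constructed-token"))
```

Running it reports that `_acme-challenge.sslip.smartcitiestransport.com` belongs to the `sslip.smartcitiestransport.com` zone on the nono.io servers, and that the strict add is refused with the same message Certbot printed in the first post. The `lookup` comparison shows why both sides of the argument can be right about what they observed: with the record stored at the parent, an exact-match-first server answers it, while a standard referral-first server never reveals it.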

To me, I have an NS record that points sub.example.com to my DNS server.
In the past, I could still use certbot to acquire the cert for something.sub.example.com via Cloudflare DNS verification.
Now it returns this error. I only have two options:

  1. Implement DNS verifier on my DNS server, not using Cloudflare anymore
  2. Remove the NS record and use Cloudflare to manage everything.

I chose option #2.

In the end, I only renamed the record, renewed the cert, then renamed it back.

I was thinking about scripting it (I used a script before there was a cloudflare plugin) but I thought it's too much trouble considering the infrequency with which I need to renew.

@trinhpham you may also be interested in https://community.cloudflare.com/t/89018-cannot-create-a-non-glue-record-that-is-beneath-a-delegated-child-zone/255923

I have the same problem with 4th-level domain wildcard certificates, and it started in April 2021; there were no problems 3 months ago, when I renewed the certificates the last time, and before that everything was OK too.

Now I've tried certbot (via the ansible cloudflare-certbot-role and the pure certbot command line utility too) and got the error "cloudflare api: cannot create a non-glue record that is beneath a delegated child zone".

I tried lego; it says: "[*.internal.example.com] acme: error presenting token: cloudflare: failed to find zone internal.example.com.: Zone could not be found".

I am absolutely sure that it worked during the last 2 years, so Cloudflare must have changed something in their API now, or what?

I got the certificates after all when I renamed all the "internal" NS records pointing to my DNS servers, then started lego, got the certificates and renamed the NS records back. Thanks a lot to jayenashar for the advice!

But it looks awful; I use 'internal' domains for monitoring tools and some other important things, so it's intolerable to use this method every time, because it causes a lot of problems and false alarms. Dunno what to do now; well, I'll try writing to Cloudflare support.

Well, nothing useful from support:

"If your subdomain is a delegated child zone then the records should be added in the Authoritative DNS for that zone.

I am reaching out to our Authoritative DNS team to check on any changes that could have affected this but I don't believe this behaviour is wrong as it is now.

I will update this ticket as on-hold now and we will reach out should we have any news on this"

Yes, they confirm changes:

"I am following up with an update from our Authoritative DNS team.

They informed us that there was indeed an update early in March to fix this behaviour, where you were allowed to add subdomains on a delegated subdomain. The basis for that is that these records would not be resolved in Cloudflare in any case. Basically, we chose to be more strict so that customers didn't fall into a trap thinking that those records were doing anything.

We apologise for any inconvenience this might have caused. I will go ahead and mark this as solved now"

The basis for that is that these records would not be resolved in Cloudflare in any case. Basically, we chose to be more strict so that customers didn't fall into a trap thinking that those records were doing anything.

The records were resolved in Cloudflare, and customers didn't fall into a trap because those records were doing something...
