This connection is not private warnings

I’m running docker for traefik, and pretty much all of my services. I restored my VM to a previous state and started getting browser warnings that my site was potentially being hijacked. I deleted acme.json, touched it and did a chmod 600. I then brought my stack down and up again and I’m getting the following errors in traefik. FWIW I deleted both the dns record for noakland.com and the cname for *.noakland.com.

time="2019-06-13T22:19:13Z" level=error msg="Unable to obtain ACME certificate for domains \"NOAKLAND.COM\" : unable to generate a certificate for the domains [noakland.com]: acme: Error -> One or more domains had a problem:\n[noakland.com] [noakland.com] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":81057,\\\"message\\\":\\\"The record already exists.\\\"}],\\\"messages\\\":[],\\\"result\\\":null}\"\n",
time="2019-06-13T22:19:14Z" level=error msg="Unable to obtain ACME certificate for domains \"*.NOAKLAND.COM\" : unable to generate a certificate for the domains [*.noakland.com]: acme: Error -> One or more domains had a problem:\n[*.noakland.com] [*.noakland.com] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":81057,\\\"message\\\":\\\"The record already exists.\\\"}],\\\"messages\\\":[],\\\"result\\\":null}\"\n"

J.F.C!

I deleted everything and ran it again, THEN recreated the CNAME manually and it started working. What happened?

I think that this is very probably because of the wildcard CNAME you have at your domain apex. In my experience, wildcard CNAMEs at the domain apex are a really bad idea. You aren’t the first person who has been bitten in exactly this way.

$ dig +noall +answer _acme-challenge.NOAKLAND.COM txt
_acme-challenge.NOAKLAND.COM. 594 IN    CNAME   NOAKLAND.COM.
NOAKLAND.COM.           594     IN      TXT     "ca3-2f2ec1d10f8c44a7a9120d69306f38dc"

I think maybe, when Traefik/Lego goes to add a second TXT record, it doesn’t understand how to group the RRSets and ends up calling the Cloudflare API wrong.

My suggestion would be to invent a new plan to organize your DNS. (For example, use a wildcard A record rather than a CNAME, so you don’t completely, and probably unintentionally, clobber every other record type.)

Second suggestion would be to file an issue at either the Traefik or Lego projects, but I’m not sure whether they’d accept a case like this.
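A check for the wildcard-CNAME shadowing described above, as an added example that is not part of this thread: it simulates resolver behaviour over a constructed zone (example.com stands in for the real domain; the record names and token value are made up) and reports whether _acme-challenge.<domain> would be answered through a wildcard CNAME instead of its own TXT record, which is the situation the dig output above shows.

```python
# Added example (not from the thread): simulate how a resolver answers a
# DNS-01 challenge lookup when the zone carries a wildcard CNAME, so the
# shadowing described above can be spotted before an ACME order is placed.
# The zone is constructed; example.com stands in for the real domain.

WILDCARD_ZONE = {
    # (owner name, rrtype) -> list of rdata
    ("example.com.", "A"): ["203.0.113.10"],
    ("*.example.com.", "CNAME"): ["example.com."],
    # where the challenge TXT ends up once the wildcard CNAME shadows
    # _acme-challenge: at the apex, not at the challenge name itself
    ("example.com.", "TXT"): ["ca3-constructed-token"],
}

def _wildcard_for(zone, name):
    """Return the wildcard owner covering `name`, or None.
    Simplified RFC 4592: an existing name is never synthesised, and the
    first enclosing '*.' owner found walking up the tree is used."""
    if any(owner == name for owner, _ in zone):
        return None
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        candidate = "*." + ".".join(labels[i:])
        if any(owner == candidate for owner, _ in zone):
            return candidate
    return None

def resolve(zone, name, rrtype, max_hops=8):
    """Follow wildcards and CNAMEs like a resolver; return (chain, rdata).
    chain lists (queried name, answering owner, CNAME target) per hop."""
    chain = []
    for _ in range(max_hops):
        direct = (name, rrtype) in zone or (name, "CNAME") in zone
        owner = name if direct else _wildcard_for(zone, name)
        if owner is None:
            return chain, []          # NXDOMAIN / NODATA
        if (owner, rrtype) in zone:
            return chain, zone[(owner, rrtype)]
        if (owner, "CNAME") in zone:
            target = zone[(owner, "CNAME")][0]
            chain.append((name, owner, target))
            name = target
            continue
        return chain, []
    raise RuntimeError("CNAME chain too long")

def challenge_shadowed(zone, domain):
    """True when _acme-challenge.<domain> is answered via a wildcard CNAME."""
    chain, _ = resolve(zone, f"_acme-challenge.{domain}", "TXT")
    return any(owner.startswith("*.") for _, owner, _ in chain)
```

Running challenge_shadowed against a zone where the wildcard is an A record instead (as suggested above) returns False, because the challenge name then gets NODATA until its own TXT record is published.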

I’m using this container for DDNS updating on CloudFlare and they suggested using CNAME. I just made a second copy of the container and used that as a wildcard, which seems to be working.

Many thanks