Time limit exceeded (Cloudflare)

Hi,

I’ve had my Traefik/letsencrypt setup running for a couple of years without failure and have just noticed this error and that my certificate has expired:

——
time="2022-12-14T20:25:36Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ index .Labels \\\"com.docker.compose.service\\\" }}.paulmorabito.net`)\",\"network\":\"t2_proxy\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2022-12-14T20:25:36Z" level=info msg="Starting provider *acme.Provider {\"email\":\"[email@redacted]\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"},\"ResolverName\":\"dns-cloudflare\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":4000000000},\"HTTPChallengeProvider\":{}}"
time="2022-12-14T20:25:36Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":4000000000}"
time="2022-12-14T20:25:36Z" level=info msg="Testing certificate renew..." providerName=dns-cloudflare.acme
time="2022-12-14T20:25:37Z" level=info msg="Renewing certificate from LE : {Main:paulmorabito.net SANs:[*.paulmorabito.net]}" providerName=dns-cloudflare.acme
time="2022-12-14T20:53:53Z" level=error msg="Error renewing certificate from LE: {paulmorabito.net [*.paulmorabito.net]}" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=dns-cloudflare.acme error="error: one or more domains had a problem:\n[*.paulmorabito.net] time limit exceeded: last error: NS cleo.ns.cloudflare.com. did not return the expected TXT record [fqdn: paulmorabito.net., value: hPsKM9DTwZNpgjmpD4WSQaaO2ZcifOTfotM2jES2MJ0]: \n[paulmorabito.net] time limit exceeded: last error: NS cleo.ns.cloudflare.com. did not return the expected TXT record [fqdn: paulmorabito.net., value: vZbgQ1k8SOelokpgQq8SXHer02lVSyBXcjvusRtSM_4]: \n
——

I’m running a Debian server with Traefik 2.4.

Any ideas on how to resolve this would be very appreciated.

Thanks,

1 Like

It's not very simple to troubleshoot Traefik with CloudFlare DNS.
I would start by reviewing the inbound firewall policy, to ensure that it isn't blocking.

But I'm not exactly sure how that plays into a wildcard certificate request.

Is that their latest version?
Has there been any recent update to it?

5 Likes

Hi, thanks for the reply.

  • Port 80 and 443 are open. Should port 53 be open?
  • V2.4 is not the latest so I moved to the latest v2.9 and it gives the same error.

Edit: I did recently install Adguard Home on my router and am pointing to a different DNS upstream provider. I've disabled all blocklists and certificate renewal still times out. Could this be an issue and, if so, can I specify a Cloudflare DNS for renewing the certificate from within Traefik?

Inbound? Not likely needed.
Outbound? Yes, likely needed.

I don't think so.

That is a question for Traefik support.

Have you checked the logs for any outbound connections from the Traefik router?

5 Likes

I can access traefik externally and the proxied sites (albeit with certificate errors now).

I can't see any calls to Cloudflare being blocked but can see calls to the Cloudflare API succeeding (for my DDNS). I can also see calls to Laura.ns.Cloudflare.com being passed through Adblock when it attempts to renew the certificate. I can also see calls for _acme-challenge.paulmorabito.net being passed through. Lastly, whoami.cloudflare responds with a SERVFAIL.

2 Likes

Hard to tell by the error message, but Cloudflare uses DNS validation for their Universal SSL feature, and this can conflict with your own attempts to do DNS validation because they already present a hidden _acme-challenge TXT record. You can try disabling the feature (under SSL/TLS > Edge Certificates > Disable Universal SSL), but ideally they would only present their own TXT record when they are actually performing validation, instead of all the time. This may not be the cause of your issue.

5 Likes

Thanks for the reply. Toggling this didn't make a difference 🙁

1 Like

Have you reached out to them?

6 Likes

The suggested solution here is to set your preferred DNS resolvers, that may help: https://www.reddit.com/r/selfhosted/comments/ukztj2/issue_with_traefik_time_limit_exceeded_when/

7 Likes

Thanks. I gave this a try and also tried 1.1.1.1 for the DNS and it was also unsuccessful. At this point, I fully removed the Adguard Home that I have running on my router and it renewed without a problem!

So, long story short, there’s something with Adguard Home that is causing this (or perhaps the other DNS service I’m using in conjunction with it). I’ll have to look more into this and the settings here. I’m surprised that specifying the DNS for Traefik didn’t work.

Thanks @webprofusion & @rg305 for your help.

7 Likes
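The "time limit exceeded" in the first post is lego (Traefik's ACME library) giving up on its own pre-check: before asking Let's Encrypt to validate, it queries the zone's authoritative nameserver directly for the `_acme-challenge` TXT record it just created through the Cloudflare API. When a resolver on the host or router (here AdGuard Home) intercepts or rewrites that query, the record that Cloudflare is genuinely serving never appears from Traefik's point of view. The script below, an added example and not Traefik's or lego's own code, parses the failing line from the log in the first post, then repeats that check against the nameserver named in the error and against an independent public resolver (1.1.1.1, as tried later in the thread), so an intercepted DNS path shows up as a per-server mismatch instead of a timeout. `dig_txt` assumes `dig` is installed; the function names and the `lookup` backend interface are this example's own, and the "reference" resolver list is a constructed default.

```python
"""Redo lego's DNS-01 propagation check from outside Traefik (added example,
not Traefik or lego code). dig_txt assumes the `dig` binary is installed."""
import re
import subprocess
from typing import Callable, Dict, List, Sequence

# One (ns, fqdn, value) triple per failing domain inside Traefik's
# "Error renewing certificate from LE" line.
_ERR_RE = re.compile(
    r"NS (?P<ns>\S+?)\.? did not return the expected TXT record "
    r"\[fqdn: (?P<fqdn>\S+?)\.?, value: (?P<value>[^\]]+)\]"
)

# Backend signature (this example's own): (qname, server) -> TXT strings found.
Lookup = Callable[[str, str], List[str]]


def parse_propagation_errors(log_line: str) -> List[Dict[str, str]]:
    """Extract which nameserver was asked, for which name, and which TXT value it lacked."""
    return [m.groupdict() for m in _ERR_RE.finditer(log_line)]


def challenge_name(fqdn: str) -> str:
    """Name of the TXT record the CA (and lego's pre-check) look up.

    The wildcard and the base domain share one record: _acme-challenge.<domain>.
    """
    name = fqdn.rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not name.startswith("_acme-challenge."):
        name = "_acme-challenge." + name
    return name


def dig_txt(qname: str, server: str) -> List[str]:
    """Real backend: ask one server directly, bypassing /etc/resolv.conf.

    `dig` exits non-zero when the server does not answer at all (check=True
    raises then); SERVFAIL/NXDOMAIN simply yield an empty list.
    """
    out = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", f"@{server}", qname, "TXT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def check_propagation(qname: str, expected: str, servers: Sequence[str],
                      lookup: Lookup) -> Dict[str, object]:
    """Query every server for qname/TXT and report which ones carry `expected`."""
    per_server: Dict[str, str] = {}
    for server in servers:
        try:
            values = lookup(qname, server)
        except Exception as exc:  # no reply, timeout, dig missing, ...
            per_server[server] = f"error: {exc}"
            continue
        per_server[server] = "ok" if expected in values else "missing"
    return {"name": qname, "servers": per_server,
            "ok": all(v == "ok" for v in per_server.values())}


def diagnose(log_line: str, lookup: Lookup = dig_txt,
             reference_servers: Sequence[str] = ("1.1.1.1",)) -> List[Dict[str, object]]:
    """For each failure in the log line, compare the authoritative NS lego used
    with an independent resolver. "missing" at the NS while a reference says
    "ok" means the path to the NS is being intercepted or answered from a stale
    cache (the AdGuard-on-the-router symptom described in this thread).
    """
    results = []
    for err in parse_propagation_errors(log_line):
        servers = [err["ns"], *reference_servers]
        result = check_propagation(challenge_name(err["fqdn"]), err["value"], servers, lookup)
        result["ns"] = err["ns"]
        result["intercepted_path_suspected"] = (
            result["servers"][err["ns"]] != "ok"
            and any(result["servers"][s] == "ok" for s in reference_servers)
        )
        results.append(result)
    return results


# The error text from the first post of this thread (values exactly as logged).
SAMPLE_LOG = (
    'error="error: one or more domains had a problem:\\n'
    '[*.paulmorabito.net] time limit exceeded: last error: NS cleo.ns.cloudflare.com. '
    'did not return the expected TXT record [fqdn: paulmorabito.net., '
    'value: hPsKM9DTwZNpgjmpD4WSQaaO2ZcifOTfotM2jES2MJ0]: \\n'
    '[paulmorabito.net] time limit exceeded: last error: NS cleo.ns.cloudflare.com. '
    'did not return the expected TXT record [fqdn: paulmorabito.net., '
    'value: vZbgQ1k8SOelokpgQq8SXHer02lVSyBXcjvusRtSM_4]: \\n'
)

if __name__ == "__main__":
    # Run on the real network: paste your own Traefik error line in place of SAMPLE_LOG.
    for report in diagnose(SAMPLE_LOG):
        print(report)
```

Run it from the same host (or container network namespace) Traefik uses, because the point is to reuse Traefik's DNS path: if the nameserver named in the error reports "missing" or an error while 1.1.1.1 reports "ok", something between that host and Cloudflare is answering in Cloudflare's place, which is what removing AdGuard Home fixed here. The Reddit suggestion earlier in the thread maps to Traefik's `certificatesResolvers.<name>.acme.dnsChallenge.resolvers` setting (with `delayBeforeCheck` to give the record time to appear); it only helps when the configured resolvers are themselves reachable without interception, which is why the script tests the resolver first.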

Thanks for the update.
Maybe you can put it back... one piece at a time.
[to see what breaks it]

6 Likes
