I'm getting the same issue, but DNSSEC is set up correctly on my domain.
What is the full list of domain names you’re trying to issue a certificate for?
Icebal.com and monitor.icebal.com for now. Monitor as a CNAME to icebal.com gets SERVFAIL; changing it to an A record with the icebal.com IP works fine.
Edit: forgot to mention I'm able to resolve both ways on the host, and even tried a delay and pointing to 8.8.8.8.
What's the exact error message?
I can't see anything wrong, and as far as I know Cloudflare doesn't have any relevant bugs.
Edit: I just got staging certificates using Cloudflare and DNS-01 and HTTP-01.
Are you using DNS challenge or HTTP?
For HTTP challenge you must be listening on port 80, and those names are not listening on 80 currently.
Same as the parent issue, dnsChallenge
Awesome! Glad you got yours fixed; mine is not, sadly.
Here are the logs with the error:
legolog: 2018/02/12 04:17:07 [INFO][icebal.com] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/XN6cJ7kwZIosTKRtOCed9a9OPr4MWXN7NtECqj403dU
legolog: 2018/02/12 04:17:07 [INFO][radarr.icebal.com] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/3Xh94A0Vn5JzJKkHOXneZkMJUPfwszAP5NzMyrD2xLU
legolog: 2018/02/12 04:17:07 [INFO][icebal.com] acme: Authorization already valid; skipping challenge
legolog: 2018/02/12 04:17:07 [INFO][radarr.icebal.com] acme: Could not find solver for: http-01
legolog: 2018/02/12 04:17:07 [INFO][radarr.icebal.com] acme: Trying to solve DNS-01
time="2018-02-12T04:17:07Z" level=error msg="map[radarr.icebal.com:Error presenting token: Unexpected response code 'SERVFAIL' for radarr.icebal.com.]"
time="2018-02-12T04:17:07Z" level=error msg="Error getting ACME certificate for domain [icebal.com radarr.icebal.com]: cannot obtain certificates map[radarr.icebal.com:Error presenting token: Unexpected response code 'SERVFAIL' for radarr.icebal.com.]"
I have tried putting radarr as a SAN, and icebal.com as the main, even. Icebal.com always gets a cert, and so far getting certs for subdomains is the hardest thing I have encountered. Posting my config and traefik command in a sec to see if I have missed something…
That doesn't sound like an error from Let's Encrypt. A Let's Encrypt error message might have been, for example, "DNS problem: SERVFAIL looking up TXT for _acme-challenge.example.com".
The authz at https://acme-v01.api.letsencrypt.org/acme/authz/3Xh94A0Vn5JzJKkHOXneZkMJUPfwszAP5NzMyrD2xLU also reports that it's been deactivated by the client, not that there was an error and validation failed.
It sounds like the ACME client itself is making some sort of DNS query, and that's failing. Maybe the local DNS resolver is experiencing an issue?
I have even specified --dns 8.8.8.8 to traefik to rule that bit out. Here is my traefik run command.
docker run --name=traefik -d --expose 8080 -p 443:443 -p 80:80 -v /home/icebal/traefik/config/acme.json:/acme.json -v /home/icebal/traefik/config/:/etc/traefik -e CLOUDFLARE_EMAIL="REDACTED" -e CLOUDFLARE_API_KEY="REDACTED" -v /var/run/docker.sock:/var/run/docker.sock -l traefik.frontend.rule=Host:monitor.icebal.com -l traefik.port=8080 --network traefik --dns 8.8.8.8 traefik
Here is my config
https://hastebin.com/unisugasuh.coffeescript
Edit:
Another container I just brought up to test with, and this doesn't even pop up for a cert challenge:
docker create --name guacamole --link guacd:guacd --link postgres:postgres -e POSTGRES_DATABASE=guacamole_db -e POSTGRES_USER=guacamole_user -e POSTGRES_PASSWORD -p 8084:8080 --label traefik.enable=true --label traefik.frontend.rule=Host:guacamole.icebal.com --network traefik glyptodon/guacamole
Well, it isn't encountering a DNS error for the Let's Encrypt API server. So hostname lookups must be partly working.
Nonetheless that DNS error sounds like it's coming from the client somehow.
Can you tcpdump the DNS traffic it's doing or something?
I don't know much about debugging this ACME client.
For what it's worth, that contains an email address, and a hashed (probably poorly hashed) password for the web server.
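To show where a "Could not find zone"-style SERVFAIL can surface before any TXT record is written, here is an added illustration (not code from this thread, from lego or from Traefik) that models the zone-discovery walk a DNS-01 client does: query SOA for the challenge name, then strip one label at a time until a zone apex answers. The resolver is a constructed lookup table that mirrors the thread's names; `find_zone`, `present_check` and `FAKE_ZONE` are assumed names for this example.

```python
from typing import Callable, Dict, Tuple

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

# Constructed snapshot, not live DNS: (rcode, SOA present in answer) per name.
# It mirrors the thread: the apex answers, the CNAME'd label below it gets
# SERVFAIL from the resolver, and the _acme-challenge names do not exist yet.
FAKE_ZONE: Dict[str, Tuple[str, bool]] = {
    "_acme-challenge.radarr.icebal.com.": (NXDOMAIN, False),
    "radarr.icebal.com.": (SERVFAIL, False),
    "_acme-challenge.icebal.com.": (NXDOMAIN, False),
    "icebal.com.": (NOERROR, True),
}


def fake_soa_query(name: str) -> Tuple[str, bool]:
    """Stand-in for a real SOA lookup against the configured resolver."""
    return FAKE_ZONE.get(name, (NXDOMAIN, False))


def find_zone(fqdn: str, soa_query: Callable[[str], Tuple[str, bool]]) -> str:
    """Walk up label by label until a name returns NOERROR with an SOA.

    NXDOMAIN just means 'keep walking'; any other rcode (SERVFAIL, REFUSED)
    aborts at that label, so the name in the error tells you how far the
    walk got before the resolver misbehaved.
    """
    if not fqdn.endswith("."):
        fqdn += "."
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rcode, has_soa = soa_query(candidate)
        if rcode not in (NOERROR, NXDOMAIN):
            raise RuntimeError(f"Unexpected response code '{rcode}' for {candidate}")
        if rcode == NOERROR and has_soa:
            return candidate
    raise RuntimeError(f"no zone found for {fqdn}")


def present_check(domain: str, soa_query=fake_soa_query) -> str:
    """Zone the TXT token would land in, or the error text an operator sees."""
    try:
        return "zone " + find_zone("_acme-challenge." + domain, soa_query)
    except RuntimeError as exc:
        return f"Error presenting token: {exc}"
```

Swapping `fake_soa_query` for a function that performs a real SOA query against the resolver the client uses (the container's `--dns` setting here) reproduces the walk in the log above; a SERVFAIL on the label below the apex means the resolver, not the DNS provider API, is where to look.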
Eh...
Totally missed that, thanks, and both have been changed, thankfully. Been working on this all day. If it helps, it's the LEGO library used by traefik that the issue is with, but the logs are from lego.
I split this into a different thread, since the other one has been marked as solved, and this issue seems to be different.
I don’t use LEGO. I’m sorry.
It's ok, I'll keep working with the traefik guys and see if they can pinpoint the issue.