Weird issue with ACME and Cloudflare DNS

I use Cloudflare DNS for my ACME certs so I can have wildcards. Recently I started having issues with tulpa.dev:

May 17 12:27:47 lufta acme-tulpa.dev-start[1573294]: 2021/05/17 12:27:47 [WARN] [tulpa.dev] acme: cleaning up failed: cloudflare: unexpected response code 'FORMERR' for _acme-challenge.tulpa.dev.
May 17 12:27:48 lufta acme-tulpa.dev-start[1573294]: 2021/05/17 12:27:48 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13201581888
May 17 12:27:48 lufta acme-tulpa.dev-start[1573294]: 2021/05/17 12:27:48 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13201581889
May 17 12:27:48 lufta acme-tulpa.dev-start[1573294]: 2021/05/17 12:27:48 error: one or more domains had a problem:
May 17 12:27:48 lufta acme-tulpa.dev-start[1573294]: [lufta.tulpa.dev] [lufta.tulpa.dev] acme: error presenting token: cloudflare: unexpected response code 'FORMERR' for _acme-challenge.lufta.tulpa.dev.
May 17 12:27:48 lufta acme-tulpa.dev-start[1573294]: [tulpa.dev] [tulpa.dev] acme: error presenting token: cloudflare: unexpected response code 'FORMERR' for _acme-challenge.tulpa.dev.
May 17 12:27:48 lufta systemd[1]: acme-tulpa.dev.service: Main process exited, code=exited, status=1/FAILURE
May 17 12:27:48 lufta systemd[1]: acme-tulpa.dev.service: Failed with result 'exit-code'.
May 17 12:27:48 lufta systemd[1]: Failed to start Renew ACME certificate for tulpa.dev.
May 17 12:27:48 lufta systemd[1]: acme-tulpa.dev.service: Consumed 106ms CPU time, received 19.3K IP traffic, sent 8.6K IP traffic.

Here is the relevant part of my NixOS configuration. What am I doing wrong?

I read about a similar issue someone had with Let's Encrypt and Lego. It seems they were having issues with systemd-resolved looking up those records.

If your issue is the same problem, you might be able to work around it by setting extraLegoFlags to specify different --dns.resolvers.
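One way to apply that workaround on NixOS, as an added example that is not the poster's configuration: the certificate block below keeps the Cloudflare DNS-01 setup and passes lego a resolver other than the local systemd-resolved stub for its own lookups of the _acme-challenge records. The credentials path, the resolver address and the rest of the ACME setup (acceptTerms, email) are assumptions.

```nix
# Added example, not the original poster's config. Assumes the rest of
# security.acme (acceptTerms, email) is already set elsewhere.
{
  security.acme.certs."tulpa.dev" = {
    domain = "tulpa.dev";
    extraDomainNames = [ "*.tulpa.dev" ];   # the wildcard is why DNS-01 is used
    dnsProvider = "cloudflare";
    # Environment file holding the Cloudflare API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...).
    # Assumed path; keep it outside the Nix store so the token is not world-readable.
    credentialsFile = "/var/lib/secrets/cloudflare.env";
    # lego queries DNS itself before and after presenting the TXT record. With
    # systemd-resolved as the system resolver (stub at 127.0.0.53) those queries
    # produced the FORMERR seen in the journal above. Point lego at an external
    # recursive resolver instead; the address here is an assumption.
    extraLegoFlags = [ "--dns.resolvers" "1.1.1.1:53" ];
  };
}
```

After a `nixos-rebuild switch`, re-running the `acme-tulpa.dev.service` unit should show the TXT record being presented without the FORMERR warning.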

That seemed to do the trick, thanks!
