I'm trying to set up a reverse proxy with wildcard SSL using Traefik, with a DNS challenge against a Cloudflare zone.

I have this config in k8s:

kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-https
  namespace: kube-system
data:
  traefik.toml: |
    # traefik.toml
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
      entryPoint = "https"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]
    [acme]
    email = "notmyrealemail@example.com"
    storage = "/etc/traefik/acme.json"
    entryPoint = "https"
    caServer = "https://acme-v02.api.letsencrypt.org/directory"
    [[acme.domains]]
    main = "*.notmyrealsite.com"
    sans = ["notmyrealsite.com"]
    [acme.dnsChallenge]
    provider = "cloudflare"

I'm passing the right CLOUDFLARE_API_KEY and CLOUDFLARE_EMAIL env vars in the upstream container, but I'm seeing this error in the console:

time="2018-06-13T09:47:39Z" level=error msg="Unable to obtain ACME certificate for domains \"*.notmyrealsite.com,notmyrealsite.com\" : cannot obtain certificates: acme: Error -> One or more domains had a problem:\n[notmyrealsite.com] acme: Error 403 - urn:ietf:params:acme:error:unauthorized - Incorrect TXT record \"HREckyrZXY7uCVLaUkoYzadxkHbwfFavNWS_v14yMzk\" found at _acme-challenge.notmyrealsite.com\n"

I'm not sure whether this means the CF login is successful and has been updated (but just with the wrong TXT record), or whether that's what it's expecting to see - and nothing is there.

Looking at the DNS entries in CF reveals no TXT records at all.

(I'm only on the free CF plan, so I don't get any raw logs to see what attempts were made against the DNS)

What could be causing the TXT mismatch?

Lee Benson

1 Answer

More a work-around than a solution:

Instead of:

[[acme.domains]]
  main = "*.example.org"
  sans = ["example.org"]

Use:

[[acme.domains]]
  main = "*.example.org"

[[acme.domains]]
  main = "example.org"

Reto Gmür
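
Added example (not part of the question or the answer above): under the ACME DNS-01 challenge (RFC 8555, section 8.4) a wildcard name and its bare domain are validated at the same `_acme-challenge` record name, each with its own TXT value, so both values have to be present at once. The sketch below computes the expected values and reports which ones a zone is missing; the tokens and account-key thumbprint are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import hashlib
from collections import defaultdict


def challenge_record(domain):
    """DNS-01 record name; the wildcard label is dropped (RFC 8555, 8.4)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".").lower()


def txt_value(token, thumbprint):
    """TXT content: base64url(SHA-256(token.thumbprint)) without padding."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def expected_records(authorizations, thumbprint):
    """Group the TXT values that must be published together per record name."""
    records = defaultdict(set)
    for domain, token in authorizations:
        records[challenge_record(domain)].add(txt_value(token, thumbprint))
    return dict(records)


def audit(published, expected):
    """Return {record name: TXT values the CA will look for but not find}."""
    problems = {}
    for name, values in expected.items():
        missing = values - set(published.get(name, ()))
        if missing:
            problems[name] = missing
    return problems


# Constructed sample data: tokens and account-key thumbprint are made up.
THUMBPRINT = "constructed-account-key-thumbprint"
AUTHZ = [("*.notmyrealsite.com", "constructed-token-wildcard"),
         ("notmyrealsite.com", "constructed-token-apex")]

if __name__ == "__main__":
    expected = expected_records(AUTHZ, THUMBPRINT)
    name = "_acme-challenge.notmyrealsite.com"
    wildcard_only = {name: [txt_value(AUTHZ[0][1], THUMBPRINT)]}
    for label, zone in (("no TXT", {}), ("wildcard value only", wildcard_only),
                        ("both values", {name: sorted(expected[name])})):
        print(label, "->", audit(zone, expected) or "ok")
```

In the "wildcard value only" case the record exists but the bare domain's value is absent, which is the situation an "Incorrect TXT record ... found" response describes.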