Closed psitem closed 2 years ago
I do something similar, domain.com is in Cloudflare, and my CERT_HOSTS
variable is set to something.something.domain.com
. It renews just fine which leads me to believe you have your Cloudflare API credentials setup improperly.
In Cloudflare, you should make sure your permissions look like this: domain.com - Zone:Read, DNS:Edit
and "include specific zone" for domain.com.
I figured this out. Lego determines the zone to use via DNS by removing the leftmost part until it finds an SOA record. Since my UDM-P is using my internal DNS, it finds an SOA for home.(mydomain).com and attempts to use that instead of (mydomain).com.
The solution was to set DNS_RESOLVERS to an external resolver.
@tbyehl failing to find the zone and all the crazy errors before that... who would have thought. You saved the day!
I saw some more people around having similar issues, I would recommend we add in the readme information to let people know that if you're using unbound for example (like me) should use the DNS_RESOLVERS (ie. 1.1.1.1)
It's only an issue if you point your udmp at an internal resolver, which can have side effects if you use conditional forwarding like mDNS storms.
Personally I point my udmp at Cloudflare, and point internal hosts to a pi-hole with conditional forwarding back to the udmp for dnsmasq'd hostnames.
Describe the bug When using the DNS challenge with an FQDN of the form 'hostname.subdomain.mydomain.com', the script attempts to update the zone 'subdomain.mydomain.com' in CloudFlare, which fails because the zone is 'mydomain.com'
Expected behavior Script updates the mydomain.com zone. CloudFlare does not allow the creation of a sub-zone.
Logs