vancluever / terraform-provider-acme

Terraform ACME provider
https://registry.terraform.io/providers/vancluever/acme/latest
Mozilla Public License 2.0

Error with Cloudflare DNS "could not find the start of authority" (but works fine in lego cli) #453

Open dvasdekis opened 5 days ago

dvasdekis commented 5 days ago

Firstly, thank you for making this awesome provider! I'm fairly certain something is going wrong within this provider, rather than lego, as lego works fine:

lego --email "my-email@REDACTED.com" --dns cloudflare -d '*.REDACTED.com' -d "REDACTED.com" --accept-tos --dns.resolvers="1.1.1.1" --server "https://acme-staging-v02.api.letsencrypt.org/directory" --pfx run

However with the below config,

provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

resource "acme_certificate" "cert" {
  account_key_pem          = acme_registration.my-registration.account_key_pem
  common_name              = "${data.cloudflare_zone.zone.name}"
  subject_alternative_names = ["*.${data.cloudflare_zone.zone.name}"]
  recursive_nameservers = ["1.1.1.1:53"]  # Cloudflare nameserver
  certificate_p12_password = random_password.my-cert.result
  min_days_remaining = 88
  dns_challenge {
    provider = "cloudflare"
    config = {
      CLOUDFLARE_DNS_API_TOKEN=var.cloudflare_api_token
    }
  }
}

I get

  │ Error: error creating certificate: error: one or more domains had a problem:
  │ [*.REDACTED.com] [*.REDACTED.com] acme: error presenting token: 2 errors occurred:
  │     * rpc error: code = Unknown desc = cloudflare: could not find zone for domain "REDACTED.com": [fqdn=_acme-challenge.REDACTED.com.] could not find the start of authority for '_acme-challenge.REDACTED.com.': DNS call error: read udp 10.195.175.100:56056->1.1.1.1:53: i/o timeout [ns=1.1.1.1:53, question='au. IN  SOA']
  │     * error encountered while presenting token for DNS challenge: rpc error: code = Unknown desc = cloudflare: could not find zone for domain "REDACTED.com": [fqdn=_acme-challenge.REDACTED.com.] could not find the start of authority for '_acme-challenge.REDACTED.com.': DNS call error: read udp 10.195.175.100:56056->1.1.1.1:53: i/o timeout [ns=1.1.1.1:53, question='au. IN  SOA']

Further, when I check cloudflare with this same token using the CLI, I can see the _acme-challenge TXT records created. But during apply with the Terraform provider, there are no TXT records, and no DEBUG entries to show that Terraform is communicating with cloudflare.

It could be a duplicate of this issue, but I am very happy to hang around and help! However, rolling back to 2.8.0 doesn't solve the problem.

Versions:

lego cli: 4.20.2
Terraform: 1.9.8 (tried on windows_amd64 and linux_amd64)
acme provider: v2.28.0

vancluever commented 3 days ago

@dvasdekis sorry for the delay in replying to this one!

Unfortunately I don't have a Cloudflare account over here, so this one will be hard for me to reproduce, but this part is interesting to me:

DNS call error: read udp 10.195.175.100:56056->1.1.1.1:53: i/o timeout [ns=1.1.1.1:53, question='au. IN SOA']

Is there anything that could be affecting your ability to communicate with the Cloudflare DNS server?
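The quoted error is lego's summary after walking the name upward one label at a time looking for a SOA record; the walk records a failed query and moves on, so the final message names only the last label tried, and question='au. IN SOA' with an i/o timeout is consistent with the resolver at 1.1.1.1:53 never answering any step from the provider process. The script below is an added example (not code from terraform-provider-acme or lego) that reproduces that SOA walk over raw UDP with the standard library only, so it can be run from the same host, user and network context as `terraform apply` to check whether UDP/53 to the configured resolver is actually reachable there. The resolver address, the FQDN and the sample reply packets are assumptions constructed for the example, not captured traffic.

```python
"""Approximate lego-style SOA walk over raw UDP, standard library only.

Query SOA for the FQDN, strip one label at a time, stop at the first name
whose answer section carries a SOA RR. A failed query (timeout, refused,
unreachable) is recorded and the walk continues, so the final error names
the last label tried, like the message quoted in the issue.

Added example; not code from terraform-provider-acme or lego.
"""
import secrets
import socket
import struct

TYPE_SOA = 6
CLASS_IN = 1
RCODE_NOERROR = 0


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: 'example.com.' -> b'\\x07example\\x03com\\x00'."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, txid: int, qtype: int = TYPE_SOA) -> bytes:
    """One question, RD=1, no EDNS (the same shape a plain stub query has)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def skip_name(data: bytes, off: int) -> int:
    """Advance past a possibly compressed name; return the offset after it."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(txid: int, data: bytes) -> dict:
    """Return rcode, section counts and whether the answer section holds a SOA."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4        # QTYPE + QCLASS
    soa_in_answer = False
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        soa_in_answer |= rtype == TYPE_SOA
    return {"rcode": flags & 0x000F, "answers": an, "authority": ns,
            "soa_in_answer": soa_in_answer}


def soa_query(name: str, resolver: tuple, timeout: float = 3.0) -> dict:
    """Send one UDP SOA query; raises OSError (TimeoutError included) on failure."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), resolver)
        data, _ = sock.recvfrom(4096)
    return parse_response(txid, data)


def find_zone_by_fqdn(fqdn: str, resolver: tuple, timeout: float = 3.0,
                      send=soa_query) -> str:
    """Walk from fqdn up to the TLD; return the first name that answers with a SOA.
    `send` is injectable so the walk can be exercised offline against sample replies."""
    labels = fqdn.rstrip(".").split(".")
    last_err = None
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        try:
            resp = send(candidate, resolver, timeout)
        except OSError as exc:               # i/o timeout, refused, unreachable ...
            last_err = f"{candidate}: {exc}"
            continue
        if resp["rcode"] == RCODE_NOERROR and resp["soa_in_answer"]:
            return candidate
    raise LookupError(f"could not find the start of authority for '{fqdn}' "
                      f"[last question={candidate} IN SOA] last error: {last_err}")


def constructed_response(txid: int, name: str, zone: str, section: str) -> bytes:
    """Constructed sample reply (not a capture) to `name IN SOA`: NOERROR with the
    SOA of `zone` in the answer section (apex) or in the authority section (NODATA
    for a name inside the zone, which is what _acme-challenge.<zone> gets)."""
    question = encode_name(name) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 3600))
    rr = encode_name(zone) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    an, ns = (1, 0) if section == "answer" else (0, 1)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, an, ns, 0) + question + rr


if __name__ == "__main__":
    import sys
    # Assumed inputs: the resolver from the issue and a placeholder challenge name.
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "_acme-challenge.example.com."
    print(find_zone_by_fqdn(fqdn, ("1.1.1.1", 53)))
```

Run it where the provider runs (the same shell, service account or CI runner that executes `terraform apply`, not just where the lego CLI was tested). If it times out at every label there, the provider process is blocked from UDP/53 to that resolver even though the CLI binary is not, which points at per-process or per-binary egress rules rather than at the provider's Cloudflare configuration.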

dvasdekis commented 1 day ago

I've spent some time today trying a variety of DNS providers, and the DNS issue looks like a real problem, except for the base CLI client being able to happily use the 1.1.1.1 DNS resolver (whereas Terraform can't on the same machine). For this reason I don't think it's a DNS access issue.

Is there some way I can see, within Terraform logs, how this driver is interacting with Cloudflare?

vancluever commented 17 hours ago

@dvasdekis not within logs unfortunately, but you can see how the plugin process on our side plumbs through to Present, which ends up on the lego plugin side here.

dvasdekis commented 9 hours ago

Perhaps that could be the feature request then? It looks like the parameters are getting passed with no transformations or significant logic, so I don't know how to dig into this further without logs of the dns_challenge block. Would that be a big deal?