Description
When attempting a DNS-01 challenge for a domain using the .im TLD (Isle of Man), the Cloudflare DNS provider fails to identify the correct zone. It appears to "zone-walk" past the actual registered domain and attempts to find a zone for the TLD itself, resulting in a 403 error or a "zero zones found" error.
Environment
- Caddy Version: v2.11.2 h1:iOlpsSiSKqEW+SIXrcZsZ/NO74SzB/ycqqvAIEfIm64=
- Cloudflare Module Version: v0.2.4
- Domain TLD: `.im` (short two-letter TLD)
Steps Taken to Troubleshoot
- Verified API Permissions: Confirmed the API Token has `Zone:Read`, `DNS:Edit`, and `Account:Read` permissions.
- Manual API Test: Successfully created a TXT record via `curl` using the same Token and Zone ID:

  ```shell
  curl -X POST "https://api.cloudflare.com/client/v4/zones/[ZONE_ID]/dns_records" \
    -H "Authorization: Bearer [TOKEN]" \
    --data '{"type":"TXT","name":"caddy-test.example.im","content":"test"}'
  # RESULT: Success (True)
  ```

- Varied Configurations: Tested a global `acme_dns` block, per-site `tls` blocks, and wildcard `*.example.im` blocks. All resulted in the same error.
- Environment Variables: Attempted to force `CLOUDFLARE_ZONE_ID` and `CLOUDFLARE_ACCOUNT_ID` via environment variables; the provider still attempted to walk up to the `im.` TLD.
Sanitized Logs
```json
{
  "level": "info",
  "ts": 1776167522.821539,
  "msg": "trying to solve challenge",
  "identifier": "*.example.im",
  "challenge_type": "dns-01",
  "ca": "https://acme-v02.api.letsencrypt.org/directory"
}
{
  "level": "error",
  "ts": 1776167523.3109906,
  "logger": "tls.obtain",
  "msg": "could not get certificate from issuer",
  "identifier": "*.example.im",
  "issuer": "acme-v02.api.letsencrypt.org-directory",
  "error": "[*.example.im] solving challenges: presenting for challenge: adding temporary record for zone \"im.\": expected 1 zone, got 0 for im. (ca=https://acme-v02.api.letsencrypt.org/directory)"
}
```
Expected Behavior
The provider should identify `example.im` as the base zone and stop stripping labels before reaching the TLD `im.`.
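As an added illustration of the zone-walking behaviour this report describes (example code written for this page, not code from Caddy, CertMagic or the caddy-dns/cloudflare module), the following Python models label-by-label zone discovery for the DNS-01 challenge name and adds the guard the Expected Behavior asks for: stop before the candidate becomes a public suffix. The `SOA_OK` and `SOA_MISSING` lookup tables, the `PUBLIC_SUFFIXES` set and all function names are assumptions standing in for real SOA queries and the Public Suffix List.

```python
"""Model of DNS-01 zone discovery by label walking, with a public-suffix stop.

Added example for this bug report; not code from Caddy, CertMagic or the
caddy-dns/cloudflare module. DNS is replaced by constructed lookup tables so
the script runs offline.
"""
from __future__ import annotations

from typing import Mapping, Optional

# Constructed stand-in for "does an SOA query for this name return a record?".
# Happy path: the registered zone answers, and so does the TLD itself (every
# TLD apex has an SOA, which is exactly why walking too far still "succeeds").
SOA_OK: Mapping[str, bool] = {
    "example.im.": True,
    "im.": True,
}

# Constructed failure case: the lookup for example.im. comes back empty
# (wrong resolver, transient failure, unfollowed CNAME, ...), so a naive walk
# continues upward and lands on the TLD.
SOA_MISSING: Mapping[str, bool] = {
    "im.": True,
}

# Constructed, deliberately tiny public-suffix set. Real code should consult
# the Public Suffix List (for example via the publicsuffix2 package).
PUBLIC_SUFFIXES = {"im", "com", "co.uk"}


def acme_challenge_name(identifier: str) -> str:
    """Name whose TXT record the CA checks (RFC 8555 section 8.4).

    A wildcard identifier is validated at its base name, so *.example.im and
    example.im both use _acme-challenge.example.im.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".")


def candidates(fqdn: str) -> list[str]:
    """All label-stripped ancestors of fqdn, most specific first, trailing dot kept."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def is_public_suffix(zone: str) -> bool:
    """True if zone is a TLD or other public suffix (per the constructed set above)."""
    return zone.rstrip(".") in PUBLIC_SUFFIXES


def find_zone_naive(fqdn: str, soa: Mapping[str, bool]) -> Optional[str]:
    """Return the first ancestor with an SOA. Nothing stops this at the TLD."""
    for cand in candidates(fqdn):
        if soa.get(cand):
            return cand
    return None


def find_zone_guarded(fqdn: str, soa: Mapping[str, bool]) -> Optional[str]:
    """Same walk, but refuse to go past the registrable domain.

    Returning None (so the caller can fail with a clear message) beats asking
    the DNS provider to add a record in zone "im.", which can only yield the
    "expected 1 zone, got 0" error seen in the sanitized log.
    """
    for cand in candidates(fqdn):
        if is_public_suffix(cand):
            return None
        if soa.get(cand):
            return cand
    return None


if __name__ == "__main__":
    name = acme_challenge_name("*.example.im")
    print("challenge name:      ", name)
    print("candidates:          ", candidates(name))
    print("naive, SOA ok:       ", find_zone_naive(name, SOA_OK))
    print("naive, SOA missing:  ", find_zone_naive(name, SOA_MISSING))
    print("guarded, SOA missing:", find_zone_guarded(name, SOA_MISSING))
```

With the `SOA_MISSING` table the naive walk returns `im.`, the zone name that appears in the sanitized log, while the guarded walk stops at the public suffix and returns `None`; with `SOA_OK` both return `example.im.`. The same guard also keeps a walk from `foo.co.uk` from stopping at `co.uk.` or `uk.`.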