ACME Cloudflare DNS-01 Challenge HTTP 400 Error

[jmaurer1994]

Hello,

I'm attempting to configure HAProxy & DPAPI (v3.3) for automatic certificate renewals via native ACME support and ran into the following error:

/var/log/dataplaneapi.log:

level=error msg="events: acme deploy: DNS solver: adding temporary record for zone \"mydomain.com.\": got error status: HTTP 400: [{Code:9021 Message:TTL must be between 60 and 86400 seconds, or 1 for Automatic. ErrorChain:[]}]

I have HAProxy configured as follows:

haproxy.cfg:

acme letsencrypt-prod
  bits 2048
  challenge DNS-01
  contact myemail@example.org
  directory https://acme-v02.api.letsencrypt.org/directory
  keytype RSA
  map virt@acme
  provider-name cloudflare
  acme-vars api_token=mytoken

Is there a way to override the TTL with which the TXT record is created? It seems like DPAPI is using a default TTL of 30 seconds but I'm not 100% certain. The minimum for Cloudflare appears to be 60 for non-enterprise customers.

Thank you!

[mariokakoulli]

I have been meaning to raise an issue for this as i ran into this problem not long ago.

At the time I built Data Plane API locally changing the value you reference to '60 * time.Second' and that allowed the request to Cloudflare to go through, not sure if it's the best way to fix the issue without affecting other providers as i have only tried it with Cloudflare

[oliwer]

Hi, yes unfortunately the record's TTL is not configurable for now. The value of 30 seconds was chosen because that's usually the limit on major cloud platforms. I need to discuss with the HAProxy team how we can best address this. I'll get back to you shortly.

[oliwer]

Ok, so far the plan is to:

• increase the default to 60s
• allow to set a custom TTL by setting ttl=... in the acme-vars option

Hopefully this will be available for the next release.