
[Mission Gen] cert-manager: Cloudflare - DNS Challenge Broken #339

@clubanderson

Description


Generate Mission: cert-manager — Cloudflare - DNS Challenge Broken

Create a kc-mission-v1 troubleshooting mission file at solutions/cncf-generated/cert-manager/cert-manager-7540-cloudflare-dns-challenge-broken.json.

Source Issue

Problem Description

Describe the bug:
Cloudflare is no longer returning zone information in individual dns records. This is now breaking the interaction when cert-manager goes to delete the txt record here.

Of note, while the deprecation shows last November, I just noticed this breaking yesterday. So I imagine they just recently went through with the deprecation on their end.

Expected behaviour:
Deletion of the txt record should be successful, leading to a successful certificate generation.

Steps to reproduce the bug:
Attempt to generate a certificate using cloudflare as the dns challenge provider.

Anything else we need to know?:
As is, generating certificates using cloudflare as the dns challenge provider is broken.

Environment details:

  • Kubernetes version: v1.31.1
  • Cloud-provider/p

Solution / Resolution

Pull Request Motivation

Fixes this issue, where zone id is no longer being returned from the cloudflare api on dns records.

`ZoneID` property


### Relevant Code/Config

Of note, we could keep cloudFlareRecord struct as is, and just patch the returned record with the zoneID from here.
I have noticed this on my end as well:

The certificate status is Issuing certificate as Secret does not exist

After November 30th, 2024, Cloudflare will stop including the zone_id and zone_name fields on individual DNS records in API responses. These fields are currently ignored when sent to the API as part of a request body, so no changes to request bodies are required.

It only took them 2 months after the date they gave to actually update their API. 😢
I've had the same issue in my testing environment.

I was able to at least get the certificate request working by logging in to Cloudflare and manually modifying the new TXT record, adding "" (so for example "recordadccd...").

It still doesn't delete the record, but it's still possible to generate a certificate if needed.
The DNS record is successfully created and verified using the Token or Global API key, but it cannot be deleted. Since the cleanup process cannot be completed, the certificate issuance has failed.

Environment details:

Kubernetes version: v1.24.3

A small workaround that worked for us yesterday was to manually delete the TXT Record _acme_challenge created in Cloudflare by the Cert Manager.
@dev-ago

A small workaround that worked for us yesterday was to manually delete the TXT Record _acme_challenge created in Cloudflare by the Cert Manager.

Also worked for us, good workaround for now
When you delete that txt record, how long should it take for the Kubernetes cluster to stop throwing the error? Do I need to force a refresh with a specific command? I tried resetting my cluster, but it just re-created the TXT entry in cloudflare.

Update it seems to have finally gone through. Thanks for the workaround!

### Key Changes from Fix PR

modified: pkg/issuer/acme/dns/cloudflare/cloudflare.go (+6/-2)

```go
// Resolve the zone ID from the FQDN instead of reading it from the DNS record response.
zoneID, err := c.getHostedZoneID(ctx, fqdn)
if err != nil {
	return err
}
_, err = c.makeRequest(ctx, "DELETE", fmt.Sprintf("/zones/%s/dns_records/%s", zoneID, record.ID), nil)
```
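The fix works because the zone ID is now resolved from the FQDN rather than trusted from the DNS record response, which Cloudflare stopped populating. The following Go program is an added example written for this page, not cert-manager's code: it constructs a pre-deprecation and a post-deprecation DNS record response, shows that the record-based approach yields a DELETE path with an empty zone segment (`/zones//dns_records/<id>`) once `zone_id` disappears, and shows the lookup-based approach producing the correct path. The struct shapes, the `findZoneID` helper (standing in for `getHostedZoneID`) and the JSON responses are assumptions constructed for the example; the empty-segment guard is an extra check a practitioner would want, not part of the upstream change.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// cloudFlareRecord holds the fields a DNS-01 solver reads from a Cloudflare
// DNS record response. Assumed shape for this example, not cert-manager's struct.
type cloudFlareRecord struct {
	ID     string `json:"id"`
	Type   string `json:"type"`
	Name   string `json:"name"`
	ZoneID string `json:"zone_id"` // omitted by Cloudflare since 2024-11-30, so it unmarshals to ""
}

// cloudFlareZone is one entry of the /zones listing (assumed shape).
type cloudFlareZone struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

// Constructed sample responses (not captured from a live API).
const (
	// Pre-deprecation record response: zone_id is present.
	oldRecordResponse = `{"id":"rec123","type":"TXT","name":"_acme-challenge.example.com","zone_id":"zone456","zone_name":"example.com"}`
	// Post-deprecation record response: zone_id and zone_name are gone.
	newRecordResponse = `{"id":"rec123","type":"TXT","name":"_acme-challenge.example.com"}`
	// Zones listing used to resolve the hosted zone for an FQDN.
	zonesResponse = `{"result":[{"id":"zone456","name":"example.com"},{"id":"zone789","name":"other.test"}]}`
)

// deletePathFromRecord mirrors the pre-fix logic: trust zone_id from the record itself.
// With a post-deprecation response this yields "/zones//dns_records/<id>", the
// malformed request behind the failed cleanup.
func deletePathFromRecord(recordJSON string) (string, error) {
	var rec cloudFlareRecord
	if err := json.Unmarshal([]byte(recordJSON), &rec); err != nil {
		return "", err
	}
	return fmt.Sprintf("/zones/%s/dns_records/%s", rec.ZoneID, rec.ID), nil
}

// findZoneID stands in for getHostedZoneID: strip labels from the left of the FQDN
// until a zone name from the /zones listing matches.
func findZoneID(fqdn, zonesJSON string) (string, error) {
	var resp struct {
		Result []cloudFlareZone `json:"result"`
	}
	if err := json.Unmarshal([]byte(zonesJSON), &resp); err != nil {
		return "", err
	}
	byName := make(map[string]string, len(resp.Result))
	for _, z := range resp.Result {
		byName[z.Name] = z.ID
	}
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		if id, ok := byName[strings.Join(labels[i:], ".")]; ok {
			return id, nil
		}
	}
	return "", fmt.Errorf("no hosted zone found for %q", fqdn)
}

// deletePathFromZoneLookup mirrors the post-fix logic: resolve the zone from the FQDN,
// refuse to build a path with an empty segment, then use the record's own ID.
func deletePathFromZoneLookup(fqdn, recordJSON, zonesJSON string) (string, error) {
	var rec cloudFlareRecord
	if err := json.Unmarshal([]byte(recordJSON), &rec); err != nil {
		return "", err
	}
	zoneID, err := findZoneID(fqdn, zonesJSON)
	if err != nil {
		return "", err
	}
	if zoneID == "" || rec.ID == "" {
		return "", fmt.Errorf("refusing to build DELETE path with empty zone ID %q or record ID %q", zoneID, rec.ID)
	}
	return fmt.Sprintf("/zones/%s/dns_records/%s", zoneID, rec.ID), nil
}

func main() {
	fqdn := "_acme-challenge.example.com."
	old, _ := deletePathFromRecord(oldRecordResponse)
	broken, _ := deletePathFromRecord(newRecordResponse)
	fixed, err := deletePathFromZoneLookup(fqdn, newRecordResponse, zonesResponse)
	fmt.Println("pre-deprecation, record zone_id: ", old)
	fmt.Println("post-deprecation, record zone_id:", broken)
	fmt.Println("post-deprecation, zone lookup:   ", fixed, err)
}
```

Running it side by side makes the symptom visible: the same record ID produces a valid path when `zone_id` is present, an empty zone segment when it is absent, and a valid path again once the zone is looked up from the FQDN. The guard against an empty segment is worth keeping in any solver that builds API paths from parsed responses, since a silently empty field turns into a request against the wrong URL rather than an error.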

### Mission File Requirements

Create `solutions/cncf-generated/cert-manager/cert-manager-7540-cloudflare-dns-challenge-broken.json` with this exact JSON structure:

```json
{
  "version": "kc-mission-v1",
  "name": "cert-manager-7540-cloudflare-dns-challenge-broken",
  "missionClass": "solution",
  "author": "KubeStellar Bot",
  "authorGithub": "kubestellar",
  "mission": {
    "title": "cert-manager: Cloudflare - DNS Challenge Broken",
    "description": "1-3 sentences describing the problem with exact error message or symptom.",
    "type": "troubleshoot",
    "status": "completed",
    "steps": [
      {
        "title": "Imperative verb phrase (e.g., Check pod resource limits)",
        "description": "Detailed instructions with kubectl commands, YAML patches, etc."
      }
    ],
    "resolution": {
      "summary": "2-4 sentences explaining WHY the fix works — the root cause.",
      "codeSnippets": [
        "Actual YAML/code from the fix"
      ]
    }
  },
  "metadata": {
    "tags": [
      "cert-manager",
      "graduated",
      "security",
      "troubleshoot"
    ],
    "cncfProjects": [
      "cert-manager"
    ],
    "targetResourceKinds": [],
    "difficulty": "intermediate",
    "issueTypes": [
      "troubleshoot"
    ],
    "maturity": "graduated",
    "sourceUrls": {
      "issue": "https://github.com/cert-manager/cert-manager/issues/7540",
      "repo": "https://github.com/cert-manager/cert-manager",
      "pr": "https://github.com/cert-manager/cert-manager/pull/7541"
    },
    "reactions": 79,
    "comments": 32,
    "synthesizedBy": "copilot"
  },
  "prerequisites": {
    "kubernetes": ">=1.24",
    "tools": [
      "kubectl"
    ],
    "description": "A running Kubernetes cluster with cert-manager installed or the issue environment reproducible."
  },
  "security": {
    "scannedAt": "2026-03-10T04:37:59.412Z",
    "scannerVersion": "cncf-gen-3.0.0",
    "sanitized": true,
    "findings": []
  }
}
```

Quality Requirements (MUST follow)

  1. Steps must be SPECIFIC and ACTIONABLE — each must contain kubectl commands, YAML blocks, file paths, or config snippets
  2. NEVER use generic titles: "Understand the problem", "Review the fix", "Verify the fix", "Apply the configuration"
  3. Description must include SYMPTOMS — exact error message, log line, or observable behavior
  4. Resolution must explain ROOT CAUSE — why the fix works, not just what to do
  5. Minimum 4 actionable steps with at least 2 containing commands or code blocks
  6. Strip all noise — no Codecov reports, CI status, bot comments, PR templates, git diffs
  7. targetResourceKinds should list Kubernetes resource types mentioned (Pod, Deployment, Service, etc.)

Auto-generated by CNCF Mission Generator

Metadata

Labels

  • ai-fix-requested: Copilot coding agent should work on this
  • ai-processing
  • cncf-mission-gen: Auto-generated CNCF mission request
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.
