
[Mission Gen] cert-manager: Cloudflare - DNS Challenge Broken #342

@clubanderson

Description

Task: Create solutions/cncf-generated/cert-manager/cert-manager-7540-cloudflare-dns-challenge-broken.json

Write a kc-mission-v1 JSON file based on this cert-manager issue.

Source: cert-manager/cert-manager#7540 (79 reactions, 32 comments)
Fix PR: cert-manager/cert-manager#7541

Problem

Describe the bug:
Cloudflare is no longer returning zone information in individual dns records. This is now breaking the interaction when cert-manager goes to delete the txt record here.

Of note, while the deprecation shows last November, I just noticed this breaking yesterday. So I imagine they just recently went through with the deprecation on their end.

Expected behaviour:
Deletion of the txt record should be successful, leading to a successful certificate generation.

Steps to reproduce the bug:
Attempt to generate a certificate using cloudflare as the dns challenge provider.

Anything else we need to know?:
As is, generating certificates using cloudflare as the dns challenge provider is broken.

Environment details:

  • Kubernetes version: v1.31.1
  • Cloud-provider/p

Solution

Pull Request Motivation

Fixes this issue, where zone id is no longer being returned from the cloudflare api on dns records.

Kind

/kind bug

Release Note

Refactor usage of cloudflare api's now-deprecated `ZoneID` property


### Code

Of note, we could keep `cloudFlareRecord` struct as is, and just patch [the returned record](https://github.com/cert-manager/cert-manager/blob/master/pkg/issuer/acme/dns/cloudflare/cloudflare.go#L236) with the `zoneID` from [here](https://github.com/cert-manager/cert-manager/blob/master/pkg/issuer/acme/dns/cloudflare/cloudflare.go#L213).
I have noticed this on my end as well:

The certificate status is `Issuing certificate as Secret does not exist`

> After November 30th, 2024, Cloudflare will stop including the zone_id and zone_name fields on individual DNS records in API responses. These fields are currently ignored when sent to the API as part of a request body, so no changes to request bodies are required.

It only took them 2 months after the date they gave to actually update their API. 😢
I've had the same issue in my testing environment.

I was able to at least get the certificate request working by logging in to Cloudflare and manually modifying the new txt record adding "" (so for example "recordadccd...").

It still doesn't delete the record but it's still possible to generate a certificate if needed.
The DNS record is successfully created and verified using the Token or Global API key, but it cannot be deleted. Since the cleanup process cannot be completed, the certificate issuance has failed.
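The approach the thread converges on (resolve the zone from the FQDN and use that for the DELETE instead of trusting the record's own `zone_id`) as an added, runnable Go example. This is not cert-manager's code: `cfClient`, `fakeCloudflare`, the zone `zone-123` and the record `rec-1` are constructed for this example. The fake serves DNS records without `zone_id`, as Cloudflare does since the deprecation, so the pre-fix path builds `/zones//dns_records/<id>` and fails, while the patched path deletes the record.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// cfRecord mirrors the fields read from a Cloudflare DNS record. ZoneID stays in the
// struct, as the thread suggests, but Cloudflare stopped populating it in responses.
type cfRecord struct {
	ID      string `json:"id"`
	Name    string `json:"name"`
	Content string `json:"content"`
	ZoneID  string `json:"zone_id,omitempty"`
}

// cfClient is a minimal stand-in for cert-manager's Cloudflare client, not its real code.
type cfClient struct{ baseURL string }

// do performs one API call and unwraps Cloudflare's {success, result} envelope.
func (c *cfClient) do(method, path string, out interface{}) error {
	req, err := http.NewRequest(method, c.baseURL+path, nil)
	if err != nil {
		return err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var env struct{ Success bool; Result json.RawMessage } // JSON keys match case-insensitively
	if err := json.NewDecoder(resp.Body).Decode(&env); err != nil || !env.Success {
		return fmt.Errorf("%s %s failed (status %d, decode error %v)", method, path, resp.StatusCode, err)
	}
	if out != nil {
		return json.Unmarshal(env.Result, out)
	}
	return nil
}

// hostedZoneID resolves the zone by name, trying ever-shorter suffixes of fqdn; the
// fix relies on this lookup for the DELETE instead of the record's own zone_id.
func (c *cfClient) hostedZoneID(fqdn string) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := 0; i < len(labels)-1; i++ {
		var zones []struct{ ID string }
		if err := c.do("GET", "/zones?name="+url.QueryEscape(strings.Join(labels[i:], ".")), &zones); err != nil {
			return "", err
		}
		if len(zones) == 1 {
			return zones[0].ID, nil
		}
	}
	return "", fmt.Errorf("no hosted zone found for %q", fqdn)
}

// cleanUpTXT deletes the challenge TXT record. With reuseZone=false the DELETE trusts
// rec.ZoneID as the pre-fix code did; with true the resolved zone is patched in first.
func (c *cfClient) cleanUpTXT(fqdn, value string, reuseZone bool) error {
	zoneID, err := c.hostedZoneID(fqdn)
	if err != nil {
		return fmt.Errorf("cleaning up %s: %w", fqdn, err)
	}
	q := url.Values{"type": {"TXT"}, "name": {strings.TrimSuffix(fqdn, ".")}, "content": {value}}
	var recs []cfRecord
	if err := c.do("GET", "/zones/"+zoneID+"/dns_records?"+q.Encode(), &recs); err != nil {
		return err
	}
	for _, rec := range recs {
		if reuseZone {
			rec.ZoneID = zoneID
		}
		// With an empty rec.ZoneID the path becomes /zones//dns_records/<id> and the call fails.
		if err := c.do("DELETE", fmt.Sprintf("/zones/%s/dns_records/%s", rec.ZoneID, rec.ID), nil); err != nil {
			return err
		}
	}
	return nil
}

// fakeCloudflare is a constructed, single-client stand-in for the post-deprecation API:
// one zone (example.com, id zone-123) holding one TXT record, served without zone_id.
type fakeCloudflare struct{ record *cfRecord } // record becomes nil once deleted

func (f *fakeCloudflare) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	ok, result := true, interface{}([]cfRecord{}) // unmatched GETs answer with an empty list
	switch {
	case r.URL.Path == "/zones" && r.URL.Query().Get("name") == "example.com":
		result = []map[string]string{{"id": "zone-123"}}
	case r.Method == "GET" && r.URL.Path == "/zones/zone-123/dns_records" && f.record != nil:
		rec := *f.record
		rec.ZoneID = "" // the deprecation: zone_id is omitted from DNS record responses
		result = []cfRecord{rec}
	case r.Method == "DELETE" && f.record != nil && r.URL.Path == "/zones/zone-123/dns_records/"+f.record.ID:
		f.record = nil
	case r.Method != "GET":
		ok = false // any other write targets an unknown zone or record: success=false
	}
	json.NewEncoder(w).Encode(map[string]interface{}{"success": ok, "result": result})
}

func main() {
	fake := &fakeCloudflare{record: &cfRecord{ID: "rec-1", Name: "_acme-challenge.app.example.com", Content: "tok"}}
	srv := httptest.NewServer(fake)
	c := &cfClient{baseURL: srv.URL}
	fmt.Println("pre-fix:", c.cleanUpTXT("_acme-challenge.app.example.com.", "tok", false))
	fmt.Println("fixed:  ", c.cleanUpTXT("_acme-challenge.app.example.com.", "tok", true))
	srv.Close()
}
```

Run it with `go run`: the first call returns the failed DELETE as an error and leaves the record in place, the second resolves `example.com` to `zone-123` by walking the FQDN's suffixes and removes the record. The zone lookup is one extra API call per cleanup, which is the price of no longer depending on a field the API has dropped.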


### Fix Diff

modified: pkg/issuer/acme/dns/cloudflare/cloudflare.go (+6/-2)

  • zoneID, err := c.getHostedZoneID(ctx, fqdn)
  • if err != nil {
  •   return err
    
  • }
  • _, err = c.makeRequest(ctx, "DELETE", fmt.Sprintf("/zones/%s/dns_records/%s", zoneID, record.ID), nil)
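Review bot: the error from `getHostedZoneID` is returned bare (`return err`), so when the zone lookup fails the Challenge status and controller log will not say which FQDN could not be mapped to a zone; consider `return fmt.Errorf("failed to find hosted zone for %s: %w", fqdn, err)` so the cleanup failure is actionable. The rendering here has also lost the +/- markers, so the two removed lines that the header's `-2` refers to (the path that used the record's own zone id) are not visible in the hunk.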

### Instructions

Create `solutions/cncf-generated/cert-manager/cert-manager-7540-cloudflare-dns-challenge-broken.json` with the JSON below. **Improve the steps and resolution** using the source issue context above. Each step MUST have specific kubectl commands, YAML, or config. The resolution MUST explain the root cause.

```json
{
  "version": "kc-mission-v1",
  "name": "cert-manager-7540-cloudflare-dns-challenge-broken",
  "missionClass": "solution",
  "author": "KubeStellar Bot",
  "authorGithub": "kubestellar",
  "mission": {
    "title": "cert-manager: Cloudflare - DNS Challenge Broken",
    "description": "Cloudflare - DNS Challenge Broken. This issue affects 79+ users.",
    "type": "troubleshoot",
    "status": "completed",
    "steps": [
      {
        "title": "Identify the cert-manager troubleshoot symptoms",
        "description": "Check for the error by running:\n```bash\nkubectl describe <resource> -n <namespace>\nkubectl logs -l app=cert-manager -n <namespace> --tail=50\n```\nLook for: \"Cloudflare - DNS Challenge Broken\""
      },
      {
        "title": "REPLACE: Add specific diagnostic step from the source issue",
        "description": "REPLACE with a specific kubectl/helm command to diagnose this particular problem"
      },
      {
        "title": "REPLACE: Add the fix step with exact commands or YAML",
        "description": "REPLACE with the actual fix — patch, config change, helm upgrade, etc."
      },
      {
        "title": "REPLACE: Verify the fix is applied",
        "description": "REPLACE with a specific verification command that proves the issue is resolved"
      }
    ],
    "resolution": {
      "summary": "The root cause is: ### Pull Request Motivation\n\nFixes [this issue](https://github.com/cert-manager/cert-manager/issues/7540), where zone id is no longer being returned from the cloudflare api on dns records.\n\n### Kind\n\n/kind bug\n\n### Release Note\n\n```release-note\nRefactor usage of cloudflare api's now-deprecated `Zone This fixes the issue because it addresses the underlying problem directly.",
      "codeSnippets": [
        "Of note, we could keep `cloudFlareRecord struct` as is, and just patch [the returned record](https://github.com/cert-manager/cert-manager/blob/master/pkg/issuer/acme/dns/cloudflare/cloudflare.go#L236) with the `zoneID` from [here](https://github.com/cert-manager/cert-manager/blob/master/pkg/issuer/acme/dns/cloudflare/cloudflare.go#L213).\nI have noticed this as well on my end as well:",
        "The certificate status is `Issuing certificate as Secret does not exist`\n> After November 30th, 2024, Cloudflare will stop including the zone_id and zone_name fields on individual DNS records in API responses. These fields are currently ignored when sent to the API as part of a request body, so no changes to request bodies are required.\n\nIt only took them 2 months after the date they gave to actually update their API. 😢 \nI've had the same issue in my testing environment.\n\nI was able to at least get the certificate request working by logging in to cloudflare and manually modfiy the new txt record adding\"\" (so for example \"recordadccd...\").\n\nIt still doesn't delete the record but it's still possibile to generate a certificate if needed.\nThe DNS record is successfully created and verified using the Token or Global API key, but it cannot be deleted. Since the cleanup process cannot be completed, the certificate issuance has failed.\n\nEnvironment details:\n\n**Kubernetes version: v1.24.3**\n**cert-manager version:  v1.6.1**\n\n**Minikube version: v1.35.0**\n**cert-manager version: v1.16.3**\n\n\nBoth have the same Cleanup error:",
        "A small workaround that worked for us yesterday was to manually delete the TXT Record _acme_challenge created in Cloudflare by the Cert Manager.\n@dev-ago \n> A small workaround that worked for us yesterday was to manually delete the TXT Record _acme_challenge created in Cloudflare by the Cert Manager.\n\nAlso worked for us, good workaround for now\nWhen you delete that txt record, how long should it take for the Kubernetes cluster to stop throwing the error?  Do I need to force a refresh with a specific command?  I tried resetting my cluster, but it just re-created the TXT entry in cloudflare.\n\n**Update** it seems to have finally gone through.  Thanks for the workaround!\n> Of note, we could keep `cloudFlareRecord struct` as is, and just patch [the returned record](https://github.com/cert-manager/cert-manager/blob/master/pkg/issuer/acme/dns/cloudflare/cloudflare.go?rgh-link-date=2025-01-31T15%3A54%3A12.000Z#L236) with the `zoneID` from [here](https://github.com/cert-manager/cert-manager/blob/master/pkg/issuer/acme/dns/cloudflare/cloudflare.go?rgh-link-date=2025-01-31T15%3A54%3A12.000Z#L213).\n\nThis is the approach I took in #7549 :+1:\nI was in a rush and ended up writing a hacky script to delete the records:"
      ]
    }
  },
  "metadata": {
    "tags": [
      "cert-manager",
      "graduated",
      "security",
      "troubleshoot"
    ],
    "cncfProjects": [
      "cert-manager"
    ],
    "targetResourceKinds": [],
    "difficulty": "intermediate",
    "issueTypes": [
      "troubleshoot"
    ],
    "maturity": "graduated",
    "sourceUrls": {
      "issue": "https://github.com/cert-manager/cert-manager/issues/7540",
      "repo": "https://github.com/cert-manager/cert-manager",
      "pr": "https://github.com/cert-manager/cert-manager/pull/7541"
    },
    "reactions": 79,
    "comments": 32,
    "synthesizedBy": "copilot"
  },
  "prerequisites": {
    "kubernetes": ">=1.24",
    "tools": [
      "kubectl"
    ],
    "description": "A running Kubernetes cluster with cert-manager installed or the issue environment reproducible."
  },
  "security": {
    "scannedAt": "2026-03-10T04:56:39.778Z",
    "scannerVersion": "cncf-gen-3.0.0",
    "sanitized": true,
    "findings": []
  }
}
```

Rules: Min 4 steps, at least 2 with commands/code. No generic titles like "Understand the problem" or "Verify the fix". Include the exact error message in the description. Explain WHY the fix works in the resolution. Run node scripts/scanner.mjs to validate.
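The rules above, as an added Go linter that is not the repository's `scripts/scanner.mjs` (whose checks are not shown on this page, so this reimplements only the rules listed here). `lintMission`, `templateMission` (a shortened copy of the template above, placeholders kept) and `filledMission` (a constructed passing mission; `<ns>`, `<name>` and `<fixed-version>` are placeholders) are all constructed for this example; the error string checked is the one quoted in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// missionDoc covers only the kc-mission-v1 fields the rules in the issue refer to.
type missionDoc struct {
	Version string `json:"version"`
	Mission struct {
		Steps []struct {
			Title       string `json:"title"`
			Description string `json:"description"`
		} `json:"steps"`
		Resolution struct {
			Summary string `json:"summary"`
		} `json:"resolution"`
	} `json:"mission"`
}

var (
	// A step "has commands/code" if it carries a fenced block or a kubectl/helm invocation.
	hasCommand   = regexp.MustCompile("```|\\bkubectl\\b|\\bhelm\\b")
	genericTitle = regexp.MustCompile(`(?i)^(understand the problem|verify the fix)$`)
)

// lintMission applies the issue's rules to a mission JSON document and returns
// every violation found; an empty result means the mission passes.
func lintMission(raw []byte, exactError string) []string {
	var doc missionDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return []string{"invalid JSON: " + err.Error()}
	}
	var problems []string
	fail := func(format string, args ...interface{}) {
		problems = append(problems, fmt.Sprintf(format, args...))
	}
	if doc.Version != "kc-mission-v1" {
		fail("version is %q, want kc-mission-v1", doc.Version)
	}
	if n := len(doc.Mission.Steps); n < 4 {
		fail("only %d steps, minimum is 4", n)
	}
	withCode, quotesError := 0, false
	for i, s := range doc.Mission.Steps {
		if hasCommand.MatchString(s.Description) {
			withCode++
		}
		quotesError = quotesError || strings.Contains(s.Description, exactError)
		if genericTitle.MatchString(strings.TrimSpace(s.Title)) {
			fail("step %d uses the generic title %q", i+1, s.Title)
		}
		if strings.HasPrefix(s.Title, "REPLACE") || strings.HasPrefix(s.Description, "REPLACE") {
			fail("step %d still holds a REPLACE placeholder", i+1)
		}
	}
	if withCode < 2 {
		fail("%d steps carry commands/code, need at least 2", withCode)
	}
	if !quotesError {
		fail("no step quotes the exact error message %q", exactError)
	}
	// The template's summary ends in generic filler; a real resolution replaces it with the cause.
	if strings.Contains(doc.Mission.Resolution.Summary, "addresses the underlying problem directly") {
		fail("resolution summary still carries the template filler instead of explaining why the fix works")
	}
	return problems
}

// templateMission is a constructed, shortened copy of the issue's template, placeholders included.
const templateMission = `{"version":"kc-mission-v1","mission":{"steps":[
{"title":"Identify the cert-manager troubleshoot symptoms","description":"Check for the error by running:\nkubectl logs -l app=cert-manager -n cert-manager --tail=50"},
{"title":"REPLACE: Add specific diagnostic step from the source issue","description":"REPLACE with a specific diagnostic command"},
{"title":"REPLACE: Add the fix step with exact commands or YAML","description":"REPLACE with the actual fix"},
{"title":"Verify the fix","description":"REPLACE with a specific verification command"}],
"resolution":{"summary":"This fixes the issue because it addresses the underlying problem directly."}}}`

// filledMission is a constructed example of a mission that satisfies every rule.
const filledMission = `{"version":"kc-mission-v1","mission":{"steps":[
{"title":"Confirm the Certificate is stuck on a Cloudflare DNS-01 challenge","description":"kubectl describe certificate <name> -n <ns>\nLook for: Issuing certificate as Secret does not exist"},
{"title":"Find the failed TXT record cleanup in the controller log","description":"kubectl logs -n cert-manager deploy/cert-manager | grep -i cloudflare"},
{"title":"Upgrade to a cert-manager release containing PR 7541","description":"helm upgrade cert-manager jetstack/cert-manager -n cert-manager --version <fixed-version>"},
{"title":"Watch the Certificate become Ready","description":"kubectl get certificate <name> -n <ns> -w"}],
"resolution":{"summary":"Cloudflare stopped returning zone_id on DNS records, so cleanup issued DELETE /zones//dns_records/<id>; the fix resolves the zone from the FQDN first, so the DELETE succeeds and issuance completes."}}}`

func main() {
	errMsg := "Issuing certificate as Secret does not exist"
	for _, p := range lintMission([]byte(templateMission), errMsg) {
		fmt.Println("template:", p)
	}
	fmt.Println("filled mission problems:", lintMission([]byte(filledMission), errMsg))
}
```

The template trips seven checks (a generic title, three REPLACE placeholders, too few steps with commands, no quoted error message, and the filler summary), the filled mission none. The `hasCommand` regex is deliberately narrow: a step that only describes what to do in prose does not count as carrying a command.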

Metadata

Labels

  • ai-fix-requested: Copilot coding agent should work on this
  • ai-processing
  • cncf-mission-gen: Auto-generated CNCF mission request
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.
