On Sun, Jan 23, 2022 at 10:44:23PM +0100, Joachim Lindenberg wrote:

> Thanks a lot! That's the root cause. I added the CNAME to get LE to
> verify the certificate shared by the MX addresses - and I prefer
> CNAMEs to avoid double maintenance. I now exchanged CNAME with A and
> it worked (or failed because of misconfiguration of my mock server).
> Probably should report the issue to Cloudflare because usually they do
> very good checking of illegal situations.

There's nothing to "report" to Cloudflare.  When you ask for both a
CNAME and other records for the same name, they obligingly do what you
ask, and try their best to return any explicitly configured records when
requested, or else the CNAME.  But this works poorly under various
conditions.

That's why we'll soon have "HTTPS" and "SVCB" DNS records rather than
CNAME records, obviating the need for such hacks.

The solution to your problem is to NOT request simultaneous CNAME
and other records for your DNS names.  When adding other records,
drop the CNAME first.  When adding CNAMEs, drop all other records.

-- 
    Viktor.
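As an added example (not code from either message), a small zone-listing check that flags owner names carrying a CNAME together with other record types, the situation described above; it assumes a minimal "owner TTL IN TYPE rdata" input and uses constructed sample records under example.test.

```python
"""Flag DNS names that carry a CNAME together with other record types.

RFC 1034 section 3.6.2 requires that a name owning a CNAME has no other
data; RFC 4035 relaxes this only for DNSSEC types (RRSIG, NSEC, NSEC3).
Input is a minimal 'owner TTL IN TYPE rdata' zone listing (constructed).
"""
from collections import defaultdict

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3"}

SAMPLE_ZONE = """\
; constructed sample records, not a real zone
mail.example.test.    3600 IN CNAME mx1.example.test.
mail.example.test.    3600 IN MX    10 mx1.example.test.
mx1.example.test.     3600 IN A     192.0.2.10
alias.example.test.   3600 IN CNAME mx1.example.test.
alias.example.test.   3600 IN RRSIG CNAME 13 3 3600 placeholder-signature
www.example.test.     3600 IN A     192.0.2.20
www.example.test.     3600 IN AAAA  2001:db8::20
"""

def parse_records(text):
    """Yield (owner, rtype) pairs from a minimal zone listing."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2].upper() != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        owner = fields[0].rstrip(".").lower()  # owner names are case-insensitive
        yield owner, fields[3].upper()

def find_cname_conflicts(text):
    """Return {owner: [other types]} for names mixing CNAME with non-DNSSEC data."""
    types_by_owner = defaultdict(set)
    for owner, rtype in parse_records(text):
        types_by_owner[owner].add(rtype)
    conflicts = {}
    for owner, types in types_by_owner.items():
        if "CNAME" not in types:
            continue
        others = types - {"CNAME"} - DNSSEC_TYPES  # DNSSEC types may coexist
        if others:
            conflicts[owner] = sorted(others)
    return conflicts

if __name__ == "__main__":
    for owner, others in find_cname_conflicts(SAMPLE_ZONE).items():
        print(f"{owner}: CNAME coexists with {', '.join(others)}; drop one side")
```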
