@coltondick
Last active September 11, 2025 00:47

Using Porkbun + Cloudflare for Traefik ACME (Wildcard + Subdomain Certs)

This guide explains how to keep your main DNS in Porkbun but delegate the _acme-challenge subdomain to Cloudflare so Traefik can automatically obtain wildcard and subdomain certificates via Let’s Encrypt.


1. Create a Sub-Zone in Cloudflare

  1. Log into Cloudflare.
  2. Add a new site: example.com (replace with your domain).
  3. Cloudflare will give you two nameservers, e.g.:
     aria.ns.cloudflare.com
     gabe.ns.cloudflare.com

2. Delegate _acme-challenge to Cloudflare in Porkbun

In the Porkbun DNS settings for example.com, add two NS records (replace the values with the nameservers Cloudflare gave you in step 1):

Host             Type  Value
_acme-challenge  NS    aria.ns.cloudflare.com.
_acme-challenge  NS    gabe.ns.cloudflare.com.

The trailing dot may be required by Porkbun.

Now, everything under _acme-challenge.example.com will be managed by Cloudflare.


3. Configure Traefik with Cloudflare DNS Provider

Update Traefik’s static configuration (traefik.yml or traefik.toml):

certificatesResolvers:
  cf:
    acme:
      email: you@example.com            # contact address Let's Encrypt will use for expiry notices
      storage: /letsencrypt/acme.json   # holds the account key and certificates; persist it and keep it mode 600
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10s           # delay Traefik's own TXT pre-check to allow for DNS propagation

Environment variables (for Traefik in Docker Compose):

environment:
  - CF_DNS_API_TOKEN=your_cloudflare_api_token

  • The API token should have Zone → DNS:Edit permission for _acme-challenge.example.com.
  • Restrict the token to this sub-zone only (least privilege).

4. Request Certificates

  • For a wildcard cert (*.example.com): Let's Encrypt queries the TXT record at _acme-challenge.example.com
  • For a subdomain cert (foo.example.com): Let's Encrypt queries the TXT record at _acme-challenge.foo.example.com

Both records live under the delegated _acme-challenge.example.com zone in Cloudflare, so Traefik can create them automatically.


5. Verify Setup

Run these to confirm delegation and TXT creation:

# Check NS delegation: the answer should list the Cloudflare nameservers from step 1
dig NS _acme-challenge.example.com +short

# Check the TXT records while Traefik is attempting issuance (Traefik removes them once validation completes)
dig TXT _acme-challenge.example.com +short
dig TXT _acme-challenge.foo.example.com +short
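The following script is an added example for steps 4 and 5; it is not part of the original gist. It maps each name you intend to put on a certificate to the _acme-challenge TXT owner name Let's Encrypt will query, reports whether that name falls inside the zone delegated in step 2 (so that Cloudflare's TXT record is actually reachable), lists the NS records Porkbun needs, and, when dig is installed, runs the same live NS check as above. The domain names are the guide's placeholders; DELEGATED_ZONE and CF_NS_SUFFIX are assumptions you should adjust.

```shell
#!/bin/sh
# Added example (not from the original gist): sanity-check DNS-01 delegation
# before asking Traefik to issue certificates.
set -u

DELEGATED_ZONE="_acme-challenge.example.com"   # assumed: the sub-zone delegated to Cloudflare in step 2
CF_NS_SUFFIX="ns.cloudflare.com"               # assumed: Cloudflare nameserver names end in this

# acme_challenge_name DOMAIN
# Prints the TXT owner name a DNS-01 validation for DOMAIN queries. A wildcard
# is validated at the name it covers, so *.example.com and example.com both
# map to _acme-challenge.example.com.
acme_challenge_name() {
    case "$1" in
        \*.*) printf '_acme-challenge.%s\n' "${1#\*.}" ;;
        *)    printf '_acme-challenge.%s\n' "$1" ;;
    esac
}

# in_zone NAME ZONE
# Succeeds when NAME is ZONE itself or a descendant of it. This follows DNS
# zone cuts: _acme-challenge.foo.example.com is a child of foo.example.com,
# not of _acme-challenge.example.com, so that delegation does not cover it.
in_zone() {
    case "$1" in
        "$2" | *."$2") return 0 ;;
        *)             return 1 ;;
    esac
}

# required_delegations DOMAIN...
# Prints the distinct names that need an NS record in Porkbun so that every
# requested certificate can be validated through Cloudflare.
required_delegations() {
    for d in "$@"; do
        acme_challenge_name "$d"
    done | sort -u
}

# delegation_report DOMAIN...
# One line per domain: "<domain> <txt-name> covered|NEEDS-DELEGATION".
delegation_report() {
    for d in "$@"; do
        txt="$(acme_challenge_name "$d")"
        if in_zone "$txt" "$DELEGATED_ZONE"; then
            printf '%s %s covered\n' "$d" "$txt"
        else
            printf '%s %s NEEDS-DELEGATION\n' "$d" "$txt"
        fi
    done
}

# check_ns ZONE
# Live check (needs dig and network): succeeds only if ZONE has NS records and
# every one of them points at Cloudflare.
check_ns() {
    ns="$(dig NS "$1" +short)"
    [ -n "$ns" ] || { echo "no NS delegation found for $1" >&2; return 1; }
    printf '%s\n' "$ns" | while read -r server; do
        case "$server" in
            *."$CF_NS_SUFFIX".) ;;
            *) echo "$1 is served by $server, not Cloudflare" >&2; exit 1 ;;
        esac
    done
}

# Usage: sh acme-check.sh example.com '*.example.com' foo.example.com
if [ "$#" -gt 0 ]; then
    delegation_report "$@"
    if command -v dig >/dev/null 2>&1; then
        required_delegations "$@" | while read -r zone; do
            check_ns "$zone" && echo "ok: $zone is delegated to Cloudflare"
        done
    fi
fi
```

Run it with the exact names you will put in the certificate request. Any line marked NEEDS-DELEGATION is a TXT name Let's Encrypt will resolve through Porkbun rather than Cloudflare, so either add a matching NS record in Porkbun (the output of required_delegations is that list) or cover the host with the wildcard instead.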

6. Notes

  • Root domain certs (example.com) also work — Traefik will create the TXT at _acme-challenge.example.com, which is delegated to Cloudflare.
  • If you don’t need wildcards, you can skip this setup and just use HTTP-01.

Now Traefik will handle automatic renewal of both wildcard and subdomain certificates using Cloudflare, while you keep your primary DNS in Porkbun.
