This is a preflight check performed by Traefik’s ACME library, lego. It’s not an error from the Let’s Encrypt CA.
The problem here appears to be that the preflight query is seeing the TXT records for cyclops.99bits.net
, rather than for _acme-challenge.duplicati.cyclops.99bits.net
.
I think it is happening because you’ve put a wildcard CNAME in your zone:
$ dig +noall +answer _acme-challenge.cyclops.99bits.net txt
_acme-challenge.cyclops.99bits.net. 599 IN CNAME cyclops.99bits.net.
cyclops.99bits.net. 599 IN CNAME unifi.99bits.net.
unifi.99bits.net. 599 IN TXT "v=spf1 include:spf.mailjet.com ?all"
The wildcard CNAME might be clobbering the record being created on the _acme-challenge
label, which is why you end up seeing the SPF record in the error instead.
Wildcard CNAMEs are pretty much always a mistake and lead to weird problems like these.