DNSSEC: RRSIGs Missing: validation failure

Hello,

My domain is: coolify.bxpn.eu

I ran this command: docker restart coolify-proxy

This is a Traefik container that generates a certificate using DNS-01 and the OVH provider (see below for the config).

It produced this output:

2025-02-14T17:21:46Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [coolify.bxpn.eu]: error: one or more domains had a problem:\n[coolify.bxpn.eu] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: looking up A for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. A IN>: no signatures from 87.98.168.13; DNS problem: looking up AAAA for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. AAAA IN>: no signatures from 2001:41d0:1:4a9e::1\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["coolify.bxpn.eu"] providerName=letsencrypt.acme routerName=coolify-https@file rule=Host(`coolify.bxpn.eu`)

Extracted error:

unable to generate a certificate for the domains [coolify.bxpn.eu]: error: one or more domains had a problem:
[coolify.bxpn.eu] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: looking up A for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. A IN>: no signatures from 87.98.168.13; DNS problem: looking up AAAA for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. AAAA IN>: no signatures from 2001:41d0:1:4a9e::1

This is the config I use in Traefik:

      - '--certificatesresolvers.letsencrypt.acme.dnschallenge=true'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=ovh'
      - '--certificatesresolvers.letsencrypt.acme.email=my@email.here.com'
      - '--certificatesresolvers.letsencrypt.acme.delaybeforecheck=0'
      - '--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json'

My web server is (include version): Traefik 3.1

The operating system my web server runs on is (include version): it runs in Docker, on a Linux Alpine image

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not applicable because Traefik uses Lego and not Certbot.

Hello,
I’ve been searching everywhere but I don’t understand how to fix this "DNSSEC: RRSIGs Missing: validation failure". I’m not 100% sure how to interpret the results of Unboundtest, but DNSViz doesn’t report errors, nor does Let's Debug.
Any idea how to fix this? I know I use Traefik but the issue is a response from Let's Encrypt.
Thanks in advance,

Hello @bfontaine,

Using the online tool Let's Debug yields these results https://letsdebug.net/coolify.bxpn.eu/2365576

You need to use IP addresses that are globally accessible from the public Internet for the HTTP-01 challenge. Yet this is why I was checking with HTTP-01.

However, it seems you have been issued a certificate (crt.sh | 16728760199) using the DNS-01 challenge.

And to address the title, I am not seeing any DNSSEC issues here

And here is the unboundtest.com results https://unboundtest.com/m/TXT/coolify.bxpn.eu/QXUNW7EX


I am pretty sure that is not an error message from Let's Encrypt. That looks more like something issued by the ACME Client itself. A couple quick searches finds similar error messages related to Traefik.

Sometimes ACME Clients pre-check the cert request before sending it to LE. This looks like that kind of failure. Sorry but I don't know Traefik well enough to be specific.

The LE server would not look at the A or AAAA record for a DNS Challenge. Only a TXT record.


Thank you both for your quick responses! I’ll open a topic on Traefik’s forum then.


Apparently I can’t edit my message. Here is the link to the Traefik topic, if that can help someone from the future: DNSSEC: RRSIGs Missing: validation failure while generating a SSL certificate with DNS-01 - Traefik v3 (latest) - Traefik Labs Community Forum

Well, the urn:ietf:params:acme:error:dns part does look like an ACME error message. Perhaps Traefik just styles the different parts of the JSON response differently than e.g. Certbot does. I think it still might be an ACME server response in combination with an incorrectly configured Traefik trying to perform an http-01 challenge.

Another argument: 87.98.168.13 actually is the IP address of one of the OVH authoritative nameservers for the OP's domain.

That said, an argument against it is that neither UnboundTest nor DNSViz shows any DNSSEC errors.

Maybe so. The message in its entirety just didn't look like LE to me. And certainly not for a DNS Challenge. So, at minimum the client was misconfigured. Even an HTTP Challenge with private IP addresses gets a different error from LE than that (or usually has in the past).

The first suggestion at their new Traefik thread was to disable the pre-check. At least I'm not alone in thinking that :)

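The error quoted in the first post is a validating resolver complaining that the A and AAAA answers for the name came back with no RRSIG records. The check a practitioner would run before touching the ACME client is a `dig +dnssec` query against the authoritative server (here 87.98.168.13, as identified above) and against a validating recursive resolver, and then look for two things: an RRSIG covering the queried type in the ANSWER section, and, on the recursive answer, the AD flag. The script below is an added example written for this thread; it is not code from Traefik, Lego or any of the posters. It parses dig output with awk so it can be run offline against constructed sample responses. The two samples are made up: the A record 203.0.113.10, the key tag 12345 and the signature bytes are placeholders, not real data for coolify.bxpn.eu.

```shell
#!/bin/sh
# Added example (not from the thread). Classify a `dig +dnssec` answer by whether
# the queried RRset carries a covering RRSIG, and whether the resolver set AD.
#
# Real-world invocations this parser is meant to consume (need network, not run here):
#   dig +dnssec +norecurse @87.98.168.13 coolify.bxpn.eu A     # authoritative view
#   dig +dnssec @1.1.1.1 coolify.bxpn.eu A                      # validating resolver view
#   dig +dnssec bxpn.eu DS                                      # is the zone expected to be signed?
# A validator only demands RRSIGs when the parent publishes a DS for the zone, so
# "RRSIGs Missing" means: DS exists at the parent, but the authoritative answer
# for this RRset came back unsigned.

# rrsig_status NAME TYPE DIG_OUTPUT
# prints: signed | unsigned | noanswer
rrsig_status() {
  printf '%s\n' "$3" | awk -v name="$1." -v qtype="$2" '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^;;/ || /^$/          { in_ans = 0 }
    # owner ttl class type rdata...   (e.g. "coolify.bxpn.eu. 300 IN A 203.0.113.10")
    in_ans && $1 == name && $4 == qtype { have_rr = 1 }
    # RRSIG rdata starts with the covered type: "... IN RRSIG A 13 3 300 ..."
    in_ans && $1 == name && $4 == "RRSIG" && $5 == qtype { have_sig = 1 }
    END {
      if (!have_rr)      print "noanswer"
      else if (have_sig) print "signed"
      else               print "unsigned"
    }'
}

# ad_flag DIG_OUTPUT : prints yes if the AD (authenticated data) bit is set
ad_flag() {
  printf '%s\n' "$1" | awk '
    /^;; flags:/ {
      for (i = 3; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "ad") ad = 1 }
    }
    END { print (ad ? "yes" : "no") }'
}

# verdict NAME TYPE DIG_OUTPUT : one-line human-readable conclusion
verdict() {
  case "$(rrsig_status "$1" "$2" "$3")" in
    signed)   echo "ok: $1 $2 answer carries an RRSIG (AD=$(ad_flag "$3"))" ;;
    unsigned) echo "problem: $1 $2 answer has no covering RRSIG; if the parent zone has a DS, a validating resolver reports 'RRSIGs Missing'" ;;
    noanswer) echo "no $2 answer for $1 in this response" ;;
  esac
}

# Constructed sample 1: a validating resolver returns the A RRset plus its RRSIG and sets AD.
SIGNED_SAMPLE='; <<>> DiG 9.18.24 <<>> +dnssec coolify.bxpn.eu A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
coolify.bxpn.eu.  300  IN  A      203.0.113.10
coolify.bxpn.eu.  300  IN  RRSIG  A 13 3 300 20250314000000 20250214000000 12345 bxpn.eu. c29tZXNpZ25hdHVyZQ==
'

# Constructed sample 2: an authoritative server answers the A query with no RRSIG at all,
# the situation the thread's error message describes.
UNSIGNED_SAMPLE='; <<>> DiG 9.18.24 <<>> +dnssec +norecurse @87.98.168.13 coolify.bxpn.eu A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
coolify.bxpn.eu.  300  IN  A      203.0.113.10
'

verdict coolify.bxpn.eu A "$SIGNED_SAMPLE"
verdict coolify.bxpn.eu A "$UNSIGNED_SAMPLE"
```

Run it against the live output of the `dig` commands in the header comment (pipe into a variable, then call `verdict`). If the authoritative answer is "unsigned" while `dig bxpn.eu DS` returns a DS record, the fault is on the DNS hosting side, not in Traefik. Turning off the client-side propagation check (in Traefik 3.1 that is `--certificatesresolvers.letsencrypt.acme.dnschallenge.disablepropagationcheck=true`; the exact option name is stated here from the Traefik documentation as I recall it, not from this thread) only skips Lego's own lookup and does nothing about a failure raised by a validating resolver.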

Well, I'd try that first too ;) Easy fix if that's it :)

