Let's Encrypt unable to renew domain cert - subdomains working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: haunwang.de

I ran this command:
Let's Encrypt DNS challenge with traefik 2.10.4

It produced this output:
Error renewing certificate from LE: {haunwang.de [*.haunwang.de]} providerName=hetzner-lego-dns.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" error="error: one or more domains had a problem:\n[*.haunwang.de] [*.haunwang.de] acme: error presenting token: hetzner: could not get zone for domain ddns.net not found\n[haunwang.de] [haunwang.de] acme: error presenting token: hetzner: could not get zone for domain ddns.net not found\n"

My web server is (include version):
several different - doesn't matter

The operating system my web server runs on is (include version):
Raspbian GNU/Linux 11 (bullseye)

My hosting provider, if applicable, is:
my raspberry pi, hetzner dns, https://www.noip.com for dyn-dns

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): traefik-2.10.4

I have traefik running at home, renewing certs with LE DNS-01 challenges.
My DNS:

  • wildcard DNS Entry for my Domain points to my traefik server
  • traefik points to DynDNS Entry that resolves to my changing public ip

I am using several subdomains, with and without wildcard certs; all are generated and renewed successfully. Only my base domain cannot get a cert, printing the message above.

Does anyone have a clue why it's not working at the base domain level?
Or maybe some tips on how to debug this? I mean, "one or more domains had a problem" is not the best error message for finding this error, I guess.

Maybe some DNS problem (because it's always DNS)?

Regards
Robert

I'll take a go... First, there is only one domain involved, haunwang.de, so you can ignore the "one or more" part of the error.

I see you got a wildcard cert on May 15 for that name. Was your DNS setup then like it is now, with the CNAMEs to ddns.net?

I am fairly sure that error comes from the lego DNS challenge plugin. Because of your CNAMEs, when you request a wildcard cert for haunwang.de, the Let's Encrypt servers will follow the CNAMEs looking for a TXT record created by the lego client. That means it will be looking for a TXT record at _acme-challenge.ebenau.ddns.net.

But it looks like the lego DNS plugin is not able to find the ddns.net zone, which it would need in order to update that.

I don't know ddns.net well but I know it is a shared system. Do you have authority to add TXT records there? And, does the lego DNS plugin support that?

I am not an expert in these last two, so that's all I have to offer. Maybe someone else here will know more. Or try the lego GitHub (here) or even the Traefik forum.


Was your DNS setup then like it is now with the CNAMEs to ddns.net?

Yes, but I changed the nameserver for my domain from OVH to Hetzner.

Do you have authority to add TXT records there?

The ddns.net zone belongs to no-ip.com, which handles the dynamic IPs of my WAN connection and gives me the dyndns domain "ebenau.ddns.net." I don't have any access to that.

Maybe it's because of lego DNS following the CNAME to the ddns.net zone, but this setup worked with a different DNS service provider.

Maybe the lego DNS plug-in for OVH handled this situation better than the lego DNS plug-in for Hetzner?


It would surprise me, but I also thought of that.

Well, I tried some things, and nothing helped.

So I ended up creating DNS entries for every first-level subdomain, and to get rid of that error message I removed the wildcard DNS entry. Surprise: after a few minutes lego DNS created a new wildcard DNS entry for me out of the blue.

So I think this one is solved. Nevertheless, thanks to you.


I'm not sure if a wildcard CNAME is allowed to co-exist next to a TXT RR for a subdomain, because in general, for a non-wildcard label, no other RRs may exist next to a CNAME RR. It might be that this technical issue was giving the problem, or it's just how lego's Hetzner plugin works :man_shrugging:

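The following is an added example, not code from lego, Traefik or any of the posters. It models two things discussed in this thread: the CNAME following described in the first reply (an ACME validator resolves `_acme-challenge.<name>` like any resolver, so a CNAME sends it off to the target zone, and a client such as lego that chases the same CNAME then has to create the TXT record in that target zone), and the question in the last reply about a wildcard CNAME co-existing with a TXT record. The model implements RFC 4592 wildcard matching (a wildcard only matches when its parent is the closest existing ancestor of the queried name, and an exact owner always wins over the wildcard) plus the RFC 8555 rule that `haunwang.de` and `*.haunwang.de` are both validated at `_acme-challenge.haunwang.de`. Everything in the zone dictionaries is constructed: the `foo` and `bar` subdomains, the record data, and the assumption that `foo.haunwang.de` had an explicit record while `bar.haunwang.de` was only covered by the wildcard. The zone check is a longest-suffix match over the zones the DNS API credential manages, a simplification of lego's SOA-based zone discovery that stands in for its "could not get zone for domain" error.

```python
"""Where does a DNS-01 TXT record have to live once wildcard matching and
CNAME chasing are taken into account?  Added example for this thread; not
lego, Traefik or poster code.  All zone contents below are constructed."""

from typing import Dict, List, Optional, Set, Tuple

# A zone is a dict: owner name -> {rrtype: rdata}.  Names are lower-case,
# fully qualified, without the trailing dot.
Zone = Dict[str, Dict[str, str]]

# Constructed approximation of the original setup: wildcard CNAME to the
# DynDNS name plus one explicit first-level subdomain (an assumption).
ZONE_WITH_WILDCARD: Zone = {
    "haunwang.de": {"SOA": "ns.example"},            # zone apex (constructed)
    "*.haunwang.de": {"CNAME": "ebenau.ddns.net"},   # wildcard to DynDNS name
    "foo.haunwang.de": {"A": "192.0.2.10"},          # assumed explicit record
}

# Constructed approximation of the fix: explicit records, no wildcard.
ZONE_AFTER_FIX: Zone = {
    "haunwang.de": {"SOA": "ns.example"},
    "foo.haunwang.de": {"A": "192.0.2.10"},
    "bar.haunwang.de": {"A": "192.0.2.10"},
}


def _ancestors(name: str) -> List[str]:
    """Proper ancestors of `name`, nearest first: a.b.c -> [b.c, c]."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def _existing_names(zone: Zone, apex: str) -> Set[str]:
    """Every name that exists in the zone: each owner plus the empty
    non-terminals between it and the apex (RFC 4592 section 2.2.2)."""
    names: Set[str] = set()
    for owner in zone:
        names.add(owner)
        for anc in _ancestors(owner):
            if anc == apex or not anc.endswith("." + apex):
                break
            names.add(anc)
    return names


def lookup(zone: Zone, apex: str, name: str) -> Optional[Dict[str, str]]:
    """Authoritative lookup with wildcard synthesis.  Returns the RRset owned
    by `name`, a wildcard-synthesised RRset, or None (NXDOMAIN / not ours)."""
    if name != apex and not name.endswith("." + apex):
        return None                      # outside this zone
    if name in zone:
        return zone[name]                # an exact owner shadows any wildcard
    existing = _existing_names(zone, apex)
    for anc in _ancestors(name):
        if anc in existing:
            # `anc` is the closest encloser; only a wildcard that is its
            # direct child can match (RFC 4592 section 3.3.1).
            return zone.get("*." + anc)
        if anc == apex:
            break
    return None


def acme_challenge_name(identifier: str) -> str:
    """RFC 8555 section 8.4: the '*.' label is dropped, so haunwang.de and
    *.haunwang.de are both validated at _acme-challenge.haunwang.de."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return "_acme-challenge." + identifier


def follow_cnames(zone: Zone, apex: str, name: str, max_hops: int = 8) -> str:
    """Chase CNAMEs as a validating resolver does; return the owner name
    whose TXT RRset the CA (and therefore the client) ends up at."""
    seen: Set[str] = set()
    for _ in range(max_hops):
        rrset = lookup(zone, apex, name)
        if not rrset or "CNAME" not in rrset:
            return name
        seen.add(name)
        name = rrset["CNAME"]
        if name in seen:
            raise ValueError("CNAME loop at " + name)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def managed_zone_for(name: str, managed_apexes: List[str]) -> Optional[str]:
    """Longest-suffix match against the zones the DNS API credential can
    edit.  None stands in for lego's 'could not get zone for domain' error
    (real lego discovers the zone via SOA queries; this is a simplification)."""
    best = None
    for apex in managed_apexes:
        if name == apex or name.endswith("." + apex):
            if best is None or len(apex) > len(best):
                best = apex
    return best


def plan_dns01(zone: Zone, apex: str, identifier: str,
               managed_apexes: List[str]) -> Tuple[str, Optional[str]]:
    """Return (txt_owner, zone_to_edit); zone_to_edit is None when the TXT
    record would land in a zone the client cannot write."""
    owner = follow_cnames(zone, apex, acme_challenge_name(identifier))
    return owner, managed_zone_for(owner, managed_apexes)


if __name__ == "__main__":
    managed = ["haunwang.de"]            # the only zone in the Hetzner account
    for ident in ("haunwang.de", "*.haunwang.de", "foo.haunwang.de", "bar.haunwang.de"):
        print("wildcard CNAME:", ident, "->", plan_dns01(ZONE_WITH_WILDCARD, "haunwang.de", ident, managed))
    print("after fix:      haunwang.de ->", plan_dns01(ZONE_AFTER_FIX, "haunwang.de", "haunwang.de", managed))
    shadowed = dict(ZONE_WITH_WILDCARD)
    shadowed["_acme-challenge.haunwang.de"] = {"TXT": "constructed-token"}
    print("explicit TXT:   haunwang.de ->", plan_dns01(shadowed, "haunwang.de", "haunwang.de", managed))
```

Running it shows the base name and the wildcard both resolving through `*.haunwang.de` to `ebenau.ddns.net`, a zone the credential does not manage, while `_acme-challenge.foo.haunwang.de` stays in `haunwang.de` because the explicit `foo` record is a closer encloser that stops the wildcard from matching. The last case answers the coexistence question at the model level: a TXT record at the explicit owner `_acme-challenge.haunwang.de` is a different owner name from `*.haunwang.de`, so both can exist, and once the explicit name exists the wildcard CNAME is no longer synthesised for it; the catch is that a client which queries for a CNAME before creating the record sees the synthesised CNAME first and tries to write into the target zone instead.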
