Let's Encrypt unable to renew domain cert - subdomains working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: haunwang.de

I ran this command:
Let's Encrypt DNS challenge with traefik 2.10.4

It produced this output:
Error renewing certificate from LE: {haunwang.de [*.haunwang.de]} providerName=hetzner-lego-dns.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" error="error: one or more domains had a problem:\n[*.haunwang.de] [*.haunwang.de] acme: error presenting token: hetzner: could not get zone for domain ddns.net not found\n[haunwang.de] [haunwang.de] acme: error presenting token: hetzner: could not get zone for domain ddns.net not found\n"

My web server is (include version):
several different - doesn't matter

The operating system my web server runs on is (include version):
Raspbian GNU/Linux 11 (bullseye)

My hosting provider, if applicable, is:
my raspberry pi, hetzner dns, https://www.noip.com for dyn-dns

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): traefik-2.10.4

I have traefik running @home renewing certs with LE DNS-01 Challenges

  • wildcard DNS Entry for my Domain points to my traefik server
  • traefik points to DynDNS Entry that resolves to my changing public ip

I am using several subdomains, with and without wildcard certs; all are generated and renewed successfully. Only my base domain cannot get a cert, printing out the message above.

Does anyone have a clue why it's not working on the base domain level?
Or maybe some tips on how to debug this - I mean "one or more domains had a problem" is not the best error message to find this error, I guess.

Maybe some DNS problem (cause it's always DNS)?


I'll take a go ... First, there is only one domain involved haunwang.de so you can ignore the one or more part of the error.

I see you got a wildcard cert on May15 for that name. Was your DNS setup then like it is now with the CNAMEs to ddns.net?

I am fairly sure that error comes from the lego DNS Challenge plugin. Because of your CNAMEs, when you request a wildcard cert for haunwang.de the Let's Encrypt servers will follow the CNAMEs looking for a TXT record created by the lego client. That means it will be looking for a TXT record at _acme-challenge.ebenau.ddns.net.

But, it looks like the lego DNS plugin is not able to find the ddns.net zone allowing it to update that.

I don't know ddns.net well but I know it is a shared system. Do you have authority to add TXT records there? And, does the lego DNS plugin support that?

I am not an expert in these last two, so that's all I have to offer. Maybe someone else here will know more. Or, try the lego github (here) or even the Traefik forum.


Was your DNS setup then like it is now with the CNAMEs to ddns.net?

yes, but I changed the nameserver for my domain from OVH to Hetzner

Do you have authority to add TXT records there?

The ddns.net zone belongs to no-ip.com, which handles the dynamic IP of my WAN connection and gives me the DynDNS domain "ebenau.ddns.net." - I don't have any access to that.

Maybe it's because of the lego DNS following the CNAME to the ddns.net zone, but this setup worked with a different DNS service provider.

Maybe the lego DNS plug-in for OVH handled this situation better than the lego DNS plug-in for Hetzner?


It would surprise me - but I also thought of that.

Well, I tried some things - and nothing helped.

So I ended up creating DNS entries for every first-level subdomain - and to get rid of that error message I removed the wildcard DNS entry - and surprise, after a few minutes lego DNS created me a new wildcard DNS entry out of the blue.

So I think this one is solved - nevertheless, thanks to you.


I'm not sure if a wildcard CNAME is allowed to co-exist next to a TXT RR for a subdomain. Because in general, for a non-wildcard label, no other RRs may exist next to a CNAME RR. It might be that this technical issue was causing the problem, or just how lego's Hetzner plugin works.
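The CNAME-following behaviour discussed above, as an added example that is not part of the original posts: an offline Python model of how a DNS-01 validator (and lego's zone lookup) resolves `_acme-challenge.<name>`, including the RFC 4592 wildcard-matching rule, which is why a subdomain with its own explicit record is not caught by the `*.haunwang.de` CNAME while the bare domain is. The record data, nameserver names and addresses are constructed placeholders; lego itself does this with live SOA queries.

```python
from typing import Dict, Optional, Tuple

# Constructed records modelling the setup in this thread (placeholders, not live DNS).
RECORDS: Dict[str, Dict[str, str]] = {
    "haunwang.de.":       {"SOA": "ns.hetzner.invalid."},
    "*.haunwang.de.":     {"CNAME": "ebenau.ddns.net."},  # wildcard to the DynDNS name
    "cloud.haunwang.de.": {"A": "203.0.113.10"},          # an explicit first-level subdomain
    "ddns.net.":          {"SOA": "ns.no-ip.invalid."},   # zone the user cannot edit
    "ebenau.ddns.net.":   {"A": "203.0.113.10"},
}

def _parent(name: str) -> str:
    return name.split(".", 1)[1]

def _exists(name: str, records: Dict[str, Dict[str, str]]) -> bool:
    # A name exists if it owns records or is an ancestor of one (empty non-terminal).
    return name in records or any(k.endswith("." + name) for k in records)

def find_node(name: str, records=RECORDS) -> Optional[Dict[str, str]]:
    """Records owned by name, with RFC 4592 wildcard synthesis: a wildcard only
    matches when it hangs directly under the closest existing ancestor."""
    if name in records:
        return records[name]
    encloser = _parent(name)
    while encloser and not _exists(encloser, records):
        encloser = _parent(encloser)
    return records.get("*." + encloser)  # None when no wildcard at the closest encloser

def trace_challenge(domain: str, records=RECORDS, max_hops: int = 8) -> Tuple[str, str]:
    """Follow CNAMEs from _acme-challenge.<domain> as a DNS-01 validator does, then
    walk up to the SOA to find the zone that must hold the TXT record (the lookup
    lego performs before calling the provider API)."""
    name = "_acme-challenge." + domain.removeprefix("*.") + "."
    for _ in range(max_hops):
        node = find_node(name, records)
        if node is None or "CNAME" not in node:
            break
        name = node["CNAME"]
    else:
        raise ValueError("CNAME chain too long or looping")
    zone = name
    while zone and "SOA" not in records.get(zone, {}):
        zone = _parent(zone)
    return name, zone

def provider_can_provision(domain: str, managed_zones=("haunwang.de.",), records=RECORDS) -> bool:
    """True if the challenge TXT lands in a zone the configured DNS provider manages."""
    return trace_challenge(domain, records)[1] in managed_zones
```

Dropping the `*.haunwang.de.` entry from `RECORDS`, as the poster eventually did, makes `trace_challenge("haunwang.de")` end in `haunwang.de.` again.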

