Not able to get certificate using CNAME and DDNS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: time4living.net

I ran this command: not directly. I’m using “traefik” and “acme-dns” as docker container running on a qnap nas. More details following later

It produced this output: TXT record not found

My web server is (include version): Apache, not sure about the version

The operating system my web server runs on is (include version): Linux, also version not known

My hosting provider, if applicable, is: United Domains

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): traefik 1.7.14

Hopefully anybody of you can help. I think the problem could be related to the configuration of DNS entries.
I have a qnap nas with running traefik docker, who is taking care of getting the certificates. traefik uses acme to get the certificates. I switched over to the dns challenge because I do not have a static IP address. As my provider United domains doesn’t have the possibility to update the TXT fields automatically I needed to create an own little name server. Therefore I have acme-dns running as docker.
Following the documentation I was able to get the things running, but only if I’m using A-records.

The following configuration with A-Records is working:
Configuration in United Domains, creating a subdomain for the acme-dns.
auth.time4living.net NS starXYZ.myqnapcloud.com
This entry is pointing to my nas. starXYZ.myqnapcloud.com is a DDNS

acme-dns was configured as following:
domain: auth.time4living.net
nsname: starXYZ.myqnapcloud.com
This leads to a soa record: auth.time4living.net. IN SOA starXYZ.myqnapcloud.com. hostmaster@time4living.net.
Beside that SOA I configured the following entries:
auth.time4living.net. IN NS starXYZ.myqnapcloud.com.
auth.time4living.net. IN A 79.x.y.z

So everything is working and I am able to get new certificates.

The a-record is needed as site is used as auth.time4living.net/register to get the relevant data for the TXT fields.
The recevied data, which i can see in the output of traefik is added to the United domains records.
This looks like:
_acme-challenge.traefik.time4living.net. IN CNAME GUID.auth.time4living.net (where guid is a generated guid given from acme-dns.
After this i restart traefik and once done I am able to get a certificate.

Because I do not have a static IP using a A-record is not a possibility for me.
For testing purposes I replaced the a record though
auth.time4living.net CNAME starXYZ.myqnapcloud.com

Once done I’m still able to receive a guid domain for new domains I want to have a certificate. Still I’m creating the DNS record in United domains and I am restarting traefik to do the validation.
In acme-dns I see that there are some requests, but compared to the A-record version there a less requests leading the the message, that the TXT-record couldn’t be received from ns.udag.de, which is one name server of United domains.
Therefore it looks like that for some reason LetsEncrypt is maybe falling back to the name server from United domains.

Is there anything wrong in the DNS records?
Is there anything missing?
Or is it not possible in the way I want to use the dns challenge and it is necessary to use an A-record.

I hope you could help. I don’t have any ideas what to do to solve that problem in my configuration with a qnap nas, United domains, traefik and acme-dns using the dns-challenge.
Thanks a lot.

Yes, the NS records telling the rest of the Internet to query auth.time4living.net (or perhaps ns.auth.time4living.net) for anything falling under that subdomain.

Meanwhile the problem is solved. It seems that it was not (directly) related to LetsEncrypt.
A dns server was the problem. Which one? No clue!
I changed the dns server for the acme process to 8.8.8.8 and everything was working, also with CNAME-records.
For all who are interested in that, maybe having the same problem, that extract of the traefik.toml solved it:

[acme.dnsChallenge]
provider = “acme-dns”
resolvers = [“8.8.8.8:53”]