Unable to obtain ACME certificate for domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.circusuniverse.com

I ran this command: Using docker, not sure of exact command

It produced this output:
msg="Unable to obtain ACME certificate for domains \"traefik.circusuniverse.com\": unable to generate a certificate for the domains [traefik.circusuniverse.com]: error: one or more domains had a problem:\n[traefik.circusuniverse.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for traefik.circusuniverse.com - check that a DNS record exists for this domain, url: \n" providerName=primary.acme routerName=api@docker rule="Host(`traefik.circusuniverse.com`)"

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Microsoft Azure

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Not sure - All done through prebuilt Docker container

Hey, not entirely sure what I am doing wrong as I am new to all of this stuff, I am hoping it’s obvious. So I was looking at some similar problems and it was mentioned that the domain name might not be up and ready but it looks ok to me : https://check-your-website.server-daten.de/?q=circusuniverse.com

I am using a Docker container which uses a .env to fill in Traefik information - In this case it's asking for traefik domain which I have set as follows:
TRAEFIK_DOMAIN=circusuniverse.com

As I said I am new to this so maybe the above link is actually showing something wrong or the domain is set incorrectly and I do not realise. If so any help you could provide would be great, thank you :slight_smile:


It's pretty obvious, yes, if you read the error message in detail.

It seems if you specify your base domain name, this prebuilt Docker container (WHICH?!?!? there are THOUSANDS of different Docker containers out there!) of yours wants to get a certificate for the traefik subdomain. (I.e., traefik.circusuniverse.com) However, you don't have that hostname specified in your DNS zone file. And without an IP address for that hostname, Let's Encrypt can't verify the hostname and can't issue a certificate for it.


Hey, thanks for your response Osiris: the docker container I am using can be found here https://github.com/eveseat/seat

Now, stupid question time: how do I specify that particular subdomain in my DNS zone file? Or better yet, can I do a wildcard operation? The only thing I've really done up until now was buy this domain off GoDaddy and change nameservers to match Azure nameservers. I then added a DNS zone in Azure for www.circusuniverse.com to match the IP of my Azure virtual machine. Sorry if this is basic stuff (or completely unrelated), as mentioned, this is my first time looking into anything like this so my basics are missing :slight_smile:

Thanks!


Never mind, I found a good tutorial to show me how to do it: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns for anyone else interested.


I didn't look very long, but I didn't see a reference to Traefik in that container.

I don't have experience with the Azure DNS zone editor, but that's just for the www subdomain. But I see you managed to find that How-To, so I assume you've got it under control now. Although I'm not seeing an A record for the traefik subdomain yet. And I also still don't know where that subdomain comes from, as you didn't enter that subdomain into your .env right?

No, it's all preconfigured, I just assumed that the traefik. subdomain was automatically added somewhere.

I have not looked into the actual codebase as I was just following their docker instructions to get it working. And yeah, I followed Tutorial: Create an Azure child DNS zone - Azure DNS | Microsoft Learn but I am getting an

 "Unable to obtain ACME certificate for domains \"traefik.circusuniverse.com\": unable to generate a certificate for the domains [traefik.circusuniverse.com]: error: one or more domains had a problem:\n[traefik.circusuniverse.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: No valid IP addresses found for traefik.circusuniverse.com, url: \n" routerName=api@docker rule="Host(`traefik.circusuniverse.com`)" providerName=primary.acme
" 

error now! So looking into why it's not a proper subdomain yet. Still learning so I may take a lot longer than normal to do all this stuff correctly haha.

I'm assuming that too, but I can't find any reference to "traefik" in the code of the repository you linked above.

Not sure why you're following for creating a Child DNS zone? Shouldn't you be focussing on your primary DNS zone first?

It's still missing an A or AAAA record.

> Not sure why you’re following for creating a Child DNS zone? Shouldn’t you be focussing on your primary DNS zone first?

I thought my primary DNS zone was up and running correctly as I can find it using the https://check-your-website.server-daten.de/?q=circusuniverse.com site to check everything is in order, as such I now need to get the child domain setup.

> It’s still missing an A or AAAA record.

I thought if it was a child of the primary domain that would either not be necessary or automatic using Azure, guess not haha, looking into it now.

So when I run an nslookup on www.traefik.circusuniverse.com I get a “Non-authoritative answer” which contains the appropriate IP address. But the Let's Encrypt part looks like it's trying to find traefik.circusuniverse.com (without the www) and an nslookup for that returns an error. Any ideas on why this is/what I can do about it? Thanks.

That’s weird indeed. But I don’t think that has anything to do with child zones though. You should be able to just add subdomains and hostnames et cetera to your primary zone file. But without a look at it, I don’t know where it goes wrong.

Thanks for the help dude, hopefully I can figure this stuff out soon lol.

Really not sure how this stuff works - I mean, looking at https://check-your-website.server-daten.de/?q=traefik.circusuniverse.com shows that www.traefik.circusuniverse.com works but without the www it does not - No idea why Let's Encrypt is not working with this.

I figured it out, for posterity’s sake I will post here. Basically what happened was in Azure when setting up a new record “Record set” the tutorials all tell you to add www in the name, but that will create a DNS entry for www.traefik… - Instead leave this blank and fill out everything else.

I am currently getting
“Cannot retrieve the ACME challenge for token check-your-website-dot-server-daten-dot-de: cannot find challenge for token check-your-website-dot-server-daten-dot-de” providerName=primary.acme
"

So I am looking into that now.
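Added example, not part of the thread and not code from Traefik or the SeAT project: a pre-flight check that pulls the hostnames out of a Traefik `Host(...)` router rule and confirms each one has an A/AAAA record before an ACME order is attempted, using the thread's case of a `www` record set created inside the `traefik.circusuniverse.com` child zone. The function names, the constructed IP address (documentation range) and the treatment of an empty name or `@` as the zone apex are assumptions made for the example.

```python
import re
import socket

# Matches Host(`a.example.com`) and Host(`a.example.com`, `b.example.com`)
HOST_RULE = re.compile(r"Host\(\s*((?:[`\"][^`\"]+[`\"]\s*,?\s*)+)\)")
NAME = re.compile(r"[`\"]([^`\"]+)[`\"]")

def hosts_in_rule(rule):
    """Extract the hostnames a Traefik router rule will request certificates for."""
    names = []
    for group in HOST_RULE.findall(rule):
        names += [n.lower().rstrip(".") for n in NAME.findall(group)]
    return names

def record_fqdn(record_name, zone):
    """FQDN produced by a record set named record_name inside zone.
    Assumption: an empty name or "@" denotes the zone apex."""
    zone = zone.lower().rstrip(".")
    record_name = record_name.strip().lower()
    return zone if record_name in ("", "@") else f"{record_name}.{zone}"

def system_lookup(name):
    """Default resolver: A/AAAA addresses for name, or [] if there are none."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def preflight(rule, lookup=system_lookup):
    """Map every hostname in the rule to its addresses; [] means ACME will fail."""
    return {name: lookup(name) for name in hosts_in_rule(rule)}

# Constructed sample data mirroring the thread (IP is from the documentation range)
ZONE = "traefik.circusuniverse.com"
RULE = "Host(`traefik.circusuniverse.com`)"
CONSTRUCTED_RECORDS = {record_fqdn("www", ZONE): ["203.0.113.10"]}

def constructed_lookup(name):
    """Offline stand-in for DNS so the example runs without network access."""
    return CONSTRUCTED_RECORDS.get(name, [])

if __name__ == "__main__":
    for name, addrs in preflight(RULE, constructed_lookup).items():
        print(name, "->", addrs or "no A/AAAA record, ACME validation will fail")
```

Calling `preflight(rule)` without the second argument uses the system resolver, which is the check to run against the live zone after editing the record set.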
