Unable to obtain certificates in production mode (succesfull in staging)

My domain is: speag.com (was trying for test69.osparc.speag.com)
My web server is (include version): traefik V2

The operating system my web server runs on is (include version):
Ubuntu 20

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


I am using traefik in a docker swarm. I need to generate certificates in a Domain which is handled by my company DNS’s server, with bind9.

When I do it in the staging environment, I have absolutely no problems and get the certificate in 2 mns. But, when I try to obtain it with the production env, it fails almost every time. It fails when with the second server verification…here are the messages I have :

Unable to obtain ACME certificate for domains “test69.osparc.speag.com”: unable to generate a certificate for the domains [test69.osparc.speag.com]: error: one or more domains had a problem:\n[test69.osparc.speag.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.test69.osparc.speag.com - check that a DNS record exists for this domain, url: \n" providerName=myresolver.acme routerName=api@docker rule=“Host(test69.osparc.speag.com) && (PathPrefix(/dashboard) || PathPrefix(/api))”


During secondary validation: DNS problem: networking error looking up CAA for test69.osparc.speag.com

There is currently no CAA for this domain. I will add one to see if it changes something but logically it shouldn’t be that.

I asked traeffik to wait three hours to have some DNS propagation before checking. And still the same message… Does someones have an idea about what is wrong ? Why some traefik’s secondary server canno’t check the record ?

Also, does traefik use secondary servers for a renewal of the certificate ? Because it seems that this is working quite well…

1 Like

It seems that your authoritative name servers are not responding identically (even though they have the same SOA record = 2020081301).

Here is one example of their differences:

nslookup -q=ns osparc.speag.com ns1.speag.com
osparc.speag.com        nameserver = ns1.speag.com
ns1.speag.com   internet address =

nslookup -q=ns osparc.speag.com scsnms.switch.ch
Server:  scsnms.switch.ch
*** scsnms.switch.ch can't find osparc.speag.com: Non-existent domain

As well as this problem:



Thanks, adding the good NS delegation record did the work. The sub-domain is actually handled by only of of the two authoritative name servers, which was certainly causing the problem.


Glad to have helped :slight_smile:
Cheers from Miami :beers: