Wildcard Cert for subdomains including CName

I am using Traefik (2.4 docker image) to get a wildcard Cert for *.mpw.is
and I get the following Error:
error presenting token: googlecloud: could not find the start of authority for _acme-challenge.mpw.is

Does this mean that my Google service account is NOT set up correctly, or does it mean that my DNS is not set up correctly?
*.mpw.is has a CNAME pointing to a DDNS entry, since it's my home server.

I really appreciate any help.


version: "3.3"

services:
  traefik:
    image: traefik:v2.4
    restart: unless-stopped
    container_name: traefik
    environment:
      - "TZ=America/New_York"
      - "GCE_PROJECT=mpw-is-server" # https://console.cloud.google.com/iam-admin/serviceaccounts
      - "GOOGLE_APPLICATION_CREDENTIALS=/server-creds.json"
    ports:
      - "80:80" # <== http
      - "443:443" # <== https
      - "8080:8080" # <== :8080 is where the dashboard runs on
    networks:
      - web # <== Placing traefik on the network named web, to access containers on this network
    volumes:
      - "./.htpasswd:/auth/.htpasswd"
      - "./letsencrypt:/etc/traefik/letsencrypt" # <== Volume for certs (TLS)
      - "./letsencrypt/server-creds.json:/server-creds.json" # <== Google service account credentials
      - "./traefik.yml:/etc/traefik/traefik.yml" # <== Volume for static conf file
      - "./conf:/etc/traefik/conf" # <== Volume for dynamic conf files
      - "./logs:/etc/traefik/logs" # <== Volume for dynamic log files
      - "/var/run/docker.sock:/var/run/docker.sock:ro" # <== Volume for docker admin


      rule: "Host(`traefik.mpw.is`)" # <== Setting the domain for the dashboard
        - web
      service: "api@internal" # <== Enabling the api to be a service to access

      rule: "Host(`nas.mpw.is`)"
        - websecure
      service: nas
        certResolver: "gCloud"
          - main: "*.mpw.is"

@markuswells Welcome to the Let's Encrypt forum.

The message indicates there is not the expected DNS SOA (Start Of Authority) record. It is probably related to your setup that has DNS CNAME routing traefik.mpw.is to your lab.markuswells.com.

I am not sure what Let's Encrypt component would issue that error message.

This is more related to your Traefik configuration and I think the Traefik support groups are a better way to get this resolved:

They have a vibrant forum as well as a GitHub

@MikeMcQ hit the nail on the head with:

Seems like you have a * CNAME entry.

nslookup this-should-not-CNAME.mpw.is

Name:    lab.markuswells.com
Aliases: this-should-not-CNAME.mpw.is
Name:    lab.markuswells.com
Aliases: _acme-challenge.mpw.is

I was thinking it was related to the CNAME. So how should the DNS be set up?
I need the *.mpw.is to point to lab.markuswells.com. This is set up with DDNS to point to the home server IP address. How should DNS be set up to have *.mpw.is point to the home IP address when it's dynamic AND also still have a SOA record?

That is a DNS question that isn't really a topic covered in this forum.

I would try removing the * CNAME and then add all the individual names that need to be CNAMEd over.


Add an IP for _acme-challenge.mpw.is [that might be enough]


Explicitly add a CNAME for the _acme-challenge to point back to an FQDN from that same domain.
Example: CNAME _acme-challenge = challenges.mpw.is
[then add an IP for challenges.mpw.is - so a record exists for it]


CNAME to some other domain that doesn't have this problem and update the DNS there.


Remove the CNAME (temporarily) to see if that is the only problem and get you a cert while you figure out how to fix it (you'll then have 90 days before the problem returns)


Also ask on a DNS related forum?

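Added example, not part of the thread: a small Python model of how an authoritative server applies wildcard records (RFC 4592), run over three constructed versions of the mpw.is zone, to show why `_acme-challenge.mpw.is` comes back as an alias under the `*` CNAME and what two of the suggestions above change. The SOA value, the 192.0.2.10 address and the zone layouts are assumptions; this is not Traefik's or its ACME client's lookup code.

```python
APEX = "mpw.is"
ALIAS = "lab.markuswells.com"
SOA = {"SOA": "ns1.example. hostmaster.example."}  # constructed value

# Constructed zone contents for three layouts discussed in the thread.
ZONES = {
    # current setup: everything under mpw.is is aliased
    "wildcard": {APEX: SOA, "*.mpw.is": {"CNAME": ALIAS}},
    # wildcard removed, individual names added
    "explicit_names": {APEX: SOA, "nas.mpw.is": {"CNAME": ALIAS},
                       "traefik.mpw.is": {"CNAME": ALIAS}},
    # wildcard kept, address record added at the challenge name
    "pinned_challenge": {APEX: SOA, "*.mpw.is": {"CNAME": ALIAS},
                         "_acme-challenge.mpw.is": {"A": "192.0.2.10"}},
}

def _exists(zone, name):
    """A name exists if it owns records or has existing names below it."""
    return name in zone or any(o.endswith("." + name) for o in zone)

def _answer(node, qtype):
    if "CNAME" in node and qtype != "CNAME":
        return ("CNAME", node["CNAME"])  # alias: resolver restarts at the target
    if qtype in node:
        return ("ANSWER", node[qtype])
    return ("NODATA", None)              # name exists, no record of this type

def lookup(zone, qname, qtype):
    """Authoritative answer for qname/qtype, with RFC 4592 wildcard rules."""
    qname = qname.rstrip(".").lower()
    if qname != APEX and not qname.endswith("." + APEX):
        raise ValueError(f"{qname} is outside {APEX}")
    if qname in zone:
        return _answer(zone[qname], qtype)
    if _exists(zone, qname):
        return ("NODATA", None)          # empty non-terminal blocks wildcards
    encloser = qname
    while not _exists(zone, encloser):   # closest existing ancestor
        encloser = encloser.split(".", 1)[1]
    wildcard = zone.get("*." + encloser)
    return _answer(wildcard, qtype) if wildcard else ("NXDOMAIN", None)

if __name__ == "__main__":
    for label, zone in ZONES.items():
        for name in ("_acme-challenge.mpw.is", "nas.mpw.is"):
            print(f"{label:17} {name:24} TXT -> {lookup(zone, name, 'TXT')}")
```

A wildcard only covers names that do not exist in the zone, so any explicit record at `_acme-challenge.mpw.is` stops the `*` CNAME from answering for it while the other hostnames keep following the alias.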
