Cannot issue SSL certificate with DNS-01 challenge with internal DNS servers

Hello,

I recently installed two new internal PowerDNS servers that resolve my public domain zone to private IP addresses, while (only) some of the records are publicly resolved to the NAT IP address on the firewall.
My problem is that with this setup, even though the public zone exists in the DNS provider on Træfik, the plugin/middleware can't determine the zone (because it's also resolved internally) and does not issue SSL certs: no SSL cert on internal DNS server · GitHub

My theory was that since the zone is publicly hosted on Hetzner's DNS servers, Træfik would go to Hetzner to put the TXT records and let me get SSL certificates that are valid both publicly and privately, so that the services that are also publicly facing would be secured, while the services that are only internal (like the Heimdall dashboard) would also have an actual and real SSL certificate, as if it were hosted on the internet with a public IP address.

Is this completely not possible? Would I resolve this issue by just changing the Træfik container DNS servers in resolv.conf to point to CloudFlare or Quad9 or whatever? Do you have any other solution in mind?

Thanks in advance!!
~Bryan

You need to add public DNS servers to your cert resolver configuration. This works in my environment with pihole and unbound internal DNS resolvers.

Sorry for formatting as I'm on mobile and can't get spacing correct

certificatesResolvers:
  letsEncrypt:
    acme:
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      email:
      storage: /acme.json
      keyType: 'RSA4096'
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

Hey @Zanathoz
Thanks for the info, it sure worked like a charm...

Didn't know the resolvers option existed, nor that it was necessary since I had already specified an external provider (Hetzner in this case) that is simply not available under my private DNS servers.
I guess Træfik is intelligent, but not that smart.
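To show why the `resolvers` option from the answer above matters, here is an added example that is not code from the Traefik project or from anyone in this thread. It models the DNS-01 pre-check that Traefik's ACME library runs before asking the CA to validate: walk up the name until a SOA answers (that label is the zone apex), take that zone's NS set from the same resolver, and ask those authoritative servers for the `_acme-challenge` TXT record. All DNS data is constructed: `example.com`, the `10.0.0.2` internal server, the Hetzner-style nameserver names and the TXT value are placeholders, not real records. The point it demonstrates is that with the internal resolver the walk lands on the private nameservers, which never received the TXT record, so the pre-check fails; pointing the pre-check at a public resolver makes it land on the provider's servers and succeed.

```python
"""Model of the ACME DNS-01 pre-check under split-horizon DNS.

Added example, not Traefik's own code. The DNS "views" below are constructed
to mirror the thread: the same public zone is served privately by internal
servers and publicly by the DNS provider, and the ACME DNS plugin writes the
challenge TXT record only to the public provider.
"""

# Constructed DNS views. Keys are (name, rrtype); values are lists of rdata.
INTERNAL_VIEW = {
    ("example.com.", "SOA"): ["ns1.internal.example.com."],
    ("example.com.", "NS"): ["ns1.internal.example.com."],
    ("heimdall.example.com.", "A"): ["10.0.0.5"],
    # No _acme-challenge TXT here: the provider plugin wrote it to the public zone.
}

PUBLIC_VIEW = {
    ("example.com.", "SOA"): ["hydrogen.ns.hetzner.com."],
    ("example.com.", "NS"): ["hydrogen.ns.hetzner.com.", "oxygen.ns.hetzner.com."],
    ("heimdall.example.com.", "A"): ["203.0.113.10"],
    ("_acme-challenge.heimdall.example.com.", "TXT"): ["constructed-key-authorization-hash"],
}

# Which server answers with which view. Recursive resolvers and authoritative
# nameservers are all modelled as "servers" keyed by address or hostname.
SERVERS = {
    "10.0.0.2": INTERNAL_VIEW,                 # internal PowerDNS, default in resolv.conf
    "1.1.1.1": PUBLIC_VIEW,                    # public recursive resolver
    "ns1.internal.example.com.": INTERNAL_VIEW,
    "hydrogen.ns.hetzner.com.": PUBLIC_VIEW,
    "oxygen.ns.hetzner.com.": PUBLIC_VIEW,
}


def query(server, name, rrtype):
    """Simulated DNS query: return the rdata list for (name, rrtype) at server."""
    view = SERVERS.get(server)
    if view is None:
        raise LookupError(f"no route to DNS server {server}")
    return view.get((name, rrtype), [])


def find_zone(fqdn, resolver):
    """Walk up the labels of fqdn until a SOA record answers; that is the zone apex."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if query(resolver, candidate, "SOA"):
            return candidate
    raise LookupError(f"no zone found for {fqdn}")


def precheck(fqdn, expected_value, resolvers):
    """Pre-check the DNS-01 challenge the way an ACME client does.

    resolvers: the servers used to find the zone and its NS set (what the
    Traefik 'resolvers' option configures). Returns (ok, detail).
    """
    challenge = "_acme-challenge." + fqdn.rstrip(".") + "."
    zone = find_zone(fqdn, resolvers[0])
    nameservers = query(resolvers[0], zone, "NS")
    # Every authoritative server must serve the expected TXT value, otherwise the
    # CA may hit a server that does not have it and fail the validation.
    for ns in nameservers:
        if expected_value not in query(ns, challenge, "TXT"):
            return False, f"{ns} (authoritative for {zone}) has no matching TXT for {challenge}"
    return True, f"TXT present on all {len(nameservers)} authoritative servers for {zone}"


if __name__ == "__main__":
    value = "constructed-key-authorization-hash"
    # Default: the container's resolv.conf points at the internal PowerDNS server.
    print("internal resolver:", precheck("heimdall.example.com", value, ["10.0.0.2"]))
    # With public resolvers configured on the certificate resolver.
    print("public resolver:  ", precheck("heimdall.example.com", value, ["1.1.1.1"]))
```

Run it and the first line reports the failure the original post describes (the internal nameserver has no TXT record), while the second succeeds. Note that the fix only changes where the pre-check looks; the CA itself always validates through public DNS, so the internal zone never needs the TXT record.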

