Delay ACME TLS-ALPN-01 challenge

I use Traefik and External DNS together on Kubernetes. When I create a new Ingress, Traefik handles the ACME challenge, and External-DNS creates the A entry in the DNS. However, Traefik responds immediately, while External-DNS only updates once every minute. So it almost always happens that Traefik issues the TLS-ALPN-01 challenge before the DNS entries have been created.

Note: This is only the issue during the initial challenge for a new certificate, not for renewals, of course.

How do I resolve this? Can I configure Traefik to delay the challenge by a minute? Can I ensure Traefik retries once after a minute? Maybe there are other ways I am not aware of?

Hey, I am still facing the same problem today with the HTTP challenge. Did you find a solution you might share?

Sadly, no. Best of luck!

Did you try delayBeforeCheck (doc)?

By default, the provider verifies the TXT record before letting ACME verify. You can delay this operation by specifying a delay (in seconds) with delayBeforeCheck (value must be greater than zero). This option is useful when internal networks block external DNS queries.

In k8s, usually cert-manager is used for TLS (doc).

As far as I understood from the docs, this option is just for the DNS challenge. I am using HTTP-01.

Indeed this is the problem here.

And also indeed we switched to cert-manager to resolve our problems.
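
The placement of delayBeforeCheck discussed above, shown as an added example (not from any poster in this thread) in Traefik v2 static file configuration. Resolver names, e-mail, storage paths, the DNS provider and the 90-second value are constructed placeholders.

```yaml
# Constructed example: three ACME resolvers side by side, one per challenge type.
certificatesResolvers:
  dns-resolver:
    acme:
      email: admin@example.com          # placeholder
      storage: /data/acme-dns.json      # placeholder
      dnsChallenge:
        provider: cloudflare            # assumption: any supported DNS provider
        # Delays Traefik's own TXT-record pre-check (seconds, must be > 0).
        # It lives under dnsChallenge only.
        delayBeforeCheck: 90
  tls-resolver:
    acme:
      email: admin@example.com
      storage: /data/acme-tls.json
      # TLS-ALPN-01: no delay setting is shown here, matching the thread's
      # reading of the docs. The challenge starts as soon as Traefik sees
      # the new router, whether or not the A record exists yet.
      tlsChallenge: {}
  http-resolver:
    acme:
      email: admin@example.com
      storage: /data/acme-http.json
      # HTTP-01: only the entry point that serves the challenge is set,
      # so this resolver is affected by the same DNS timing gap.
      httpChallenge:
        entryPoint: web
```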