DNS Challenge not working with CNAMEd domains

I'm trying to use Traefik v2 dns challenge with duckdns along with a CNAMEd domain without success. If I use duckdns.org directly, say mydomain.duckdns.org in the static config it works:

  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: duckdns
        domains:
          - main: "mydomain.duckdns.org"
            sans:
              - "*.mydomain.duckdns.org"
...

certificatesResolvers:
  duckdns:
    acme:
      email: mail@mydomain.duckdns.org
      storage: acme.json
      keyType: EC384
      dnsChallenge:
        provider: duckdns

Now I'm trying to gen certs to my own domain, e.g. traefik.mydomain.com.br that is properly CNAMEd to mydomain.duckdns.org, and has another CNAME entry for _acme-challenge.traefik.mydomain.com.br that points to mydomain.duckdns.org. So I've changed my config to reflect this setup:

        domains:
          - main: "traefik.mydomain.com.br"
            sans:
              - "*.traefik.mydomain.com.br"

Problem is that the update request to duckdns is failing (url parameter domains has wrong value, see below). Is this a bug or am I forgetting something here?

 msg="Unable to obtain ACME certificate for domains \"traefik.mydomain.com.br\" : unable to generate a certificate for the domains [traefik.mydomain.com.br]: 
error: one or more domains had a problem:\n[traefik.mydomain.com.br] [traefik.mydomain.com.br]
acme: error presenting token: request to change TXT record for DuckDNS returned the following result (KO) this does not match expectation (OK) 
used url [https://www.duckdns.org/update?clear=false&domains=br&token=xxxxxxxxx-a0a5-4caa-a5a5-xxxxxxxx&txt=sR2pZSxxxxxxxxxvAp6jqdLmizIvWq7QCyYqk-8qySs]\n" providerName=duckdns.acme

If I manually submit the http request to duckdns, obviously exchanging the wrong (br) value in the domains parameter with the correct (CNAMEd) one, then the result is OK.

Any ideas? How can I instruct Traefik to use the correct domain? TIA.

Your TXT record has to be updated on the traefik.mydomain.com.br domain. So you should update your certificateProviders to the provider/account that traefik.mydomain.com.br is on.

A TXT record and CNAME are different records. CNAMEing _acme-challenge.traefik.mydomain.com.br won't result in a query of TXT following a CNAME.


I thought that my TXT record could be updated/submitted for the CNAMEd domain (mydomain.duckdns.org), like Caddy server does with the override_domain directive in the DNS challenge plugin, please see this link.

Also, this behavior is supported by Let’s Encrypt, let's see:

Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone. It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server.

In my case, I can't simply update or change the certificateProviders because my current DNS provider is unsupported (by Traefik).

Regards.
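The disagreement in this thread (the reply above says the TXT record must live on traefik.mydomain.com.br; the Let's Encrypt text says a CNAME on _acme-challenge delegates the lookup) can be checked by modelling what a standards-following validator actually does. The following is an added illustration, not code from Traefik, lego or the thread: it builds a constructed zone snapshot using the names from the posts, follows the _acme-challenge CNAME the way a resolver would, and then compares publishing the token at the CNAME target (mydomain.duckdns.org) with publishing it at the value the log shows (domains=br). The zone contents, the token and the helper names are all assumptions made for the example; no real DNS is queried.

```python
"""Simulated DNS-01 validation with CNAME delegation of _acme-challenge.

Constructed zone data modelled on the thread's names; nothing here talks to
real DNS or to DuckDNS. Helper names are chosen for this example only.
"""
import copy

# Constructed zone snapshot: owner name -> records. CNAME holds one target,
# TXT a list of strings, mirroring the DNS data model. A name that carries a
# CNAME carries no other data, which is why the TXT cannot sit on the
# _acme-challenge name itself once it has been CNAMEd.
ZONE = {
    "traefik.mydomain.com.br.": {"CNAME": "mydomain.duckdns.org."},
    "_acme-challenge.traefik.mydomain.com.br.": {"CNAME": "mydomain.duckdns.org."},
    "mydomain.duckdns.org.": {"A": ["203.0.113.10"], "TXT": []},
    "br.": {"TXT": []},  # stand-in for the wrong target in the log (domains=br)
}

MAX_CNAME_HOPS = 8  # loop guard, as real resolvers have


def canonical(name):
    """Lower-case, single trailing dot, so lookups are not spelling-sensitive."""
    return name.rstrip(".").lower() + "."


def resolve_txt(zone, name):
    """Follow CNAMEs from `name`, then read TXT at the end of the chain.

    Returns (final_owner, txt_values). This is the lookup a validator
    performs: a CNAME on the queried name redirects the TXT query.
    """
    current = canonical(name)
    for _ in range(MAX_CNAME_HOPS):
        rrset = zone.get(current, {})
        if "CNAME" in rrset:
            current = canonical(rrset["CNAME"])
            continue
        return current, list(rrset.get("TXT", []))
    raise RuntimeError("CNAME chain too long starting at %s" % name)


def challenge_name(domain):
    """Validation name for `domain`. A wildcard such as *.traefik.mydomain.com.br
    is validated at the same _acme-challenge name as its base, so one CNAME
    covers both the main domain and the wildcard SAN from the config."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + canonical(base)


def challenge_target(zone, domain):
    """Where the DNS provider must publish the TXT: the end of the CNAME
    chain that starts at _acme-challenge.<domain>."""
    owner, _ = resolve_txt(zone, challenge_name(domain))
    return owner


def publish_txt(zone, owner, value):
    """Provider side: add a TXT value at `owner` (constructed, in-memory)."""
    zone.setdefault(canonical(owner), {}).setdefault("TXT", []).append(value)


def validate_dns01(zone, domain, expected):
    """CA side: TXT lookup at _acme-challenge.<domain> with CNAMEs followed;
    passes only if the expected token is among the values found."""
    _, values = resolve_txt(zone, challenge_name(domain))
    return expected in values


def demo(domain="traefik.mydomain.com.br"):
    """Compare the log's wrong publish target with the CNAME-derived one."""
    token = "constructed-token-value"  # constructed, not a real ACME token
    wrong = copy.deepcopy(ZONE)
    publish_txt(wrong, "br", token)  # what the failing request would have done
    right = copy.deepcopy(ZONE)
    publish_txt(right, challenge_target(right, domain), token)
    return {
        "target": challenge_target(ZONE, domain),
        "wrong_passes": validate_dns01(wrong, domain, token),
        "right_passes": validate_dns01(right, domain, token),
        "wildcard_passes": validate_dns01(right, "*." + domain, token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The model shows both posts are partly right: the CA does query TXT at _acme-challenge.traefik.mydomain.com.br, but because that name is a CNAME the answer comes from mydomain.duckdns.org, so that is the name the DNS provider must update. The wrong publish target taken from the log (br) never satisfies the lookup. Against real DNS the equivalent check is `dig +short TXT _acme-challenge.traefik.mydomain.com.br`, which follows the CNAME and prints the TXT values found at the target.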