Hello,
I’m trying to generate an SSL certificate using a DNS-01 challenge, but every time I restart Traefik, its logs show this error:
2025-02-14T17:21:46Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [coolify.bxpn.eu]: error: one or more domains had a problem:\n[coolify.bxpn.eu] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: looking up A for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. A IN>: no signatures from 87.98.168.13; DNS problem: looking up AAAA for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. AAAA IN>: no signatures from 2001:41d0:1:4a9e::1\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["coolify.bxpn.eu"] providerName=letsencrypt.acme routerName=coolify-https@file rule=Host(`coolify.bxpn.eu`)
Better formatted:
unable to generate a certificate for the domains [coolify.bxpn.eu]: error: one or more domains had a problem:
[coolify.bxpn.eu] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: looking up A for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. A IN>: no signatures from 87.98.168.13; DNS problem: looking up AAAA for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. AAAA IN>: no signatures from 2001:41d0:1:4a9e::1
This error likely doesn’t come from Let’s Encrypt:
Sometimes ACME Clients pre-check the cert request before sending it to LE. This looks like that kind of failure. Sorry but I don't know Traefik well enough to be specific.
The LE server would not look at the A or AAAA record for a DNS Challenge. Only a TXT record.
This Traefik container is part of a Coolify install. See the full docker-compose.yml below:
docker-compose.yml
networks:
  coolify:
    external: true
services:
  traefik:
    container_name: coolify-proxy
    image: 'traefik:v3.1'
    restart: unless-stopped
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    networks:
      - coolify
    ports:
      - '80:80'
      - '443:443'
      - '443:443/udp'
      - '8080:8080'
    healthcheck:
      test: 'wget -qO- http://localhost:80/ping || exit 1'
      interval: 4s
      timeout: 2s
      retries: 5
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - '/data/coolify/proxy:/traefik'
    command:
      - '--ping=true'
      - '--ping.entrypoint=http'
      - '--api.dashboard=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.https.address=:443'
      - '--entrypoints.http.http.encodequerysemicolons=true'
      - '--entryPoints.http.http2.maxConcurrentStreams=50'
      - '--entrypoints.https.http.encodequerysemicolons=true'
      - '--entryPoints.https.http2.maxConcurrentStreams=50'
      - '--entrypoints.https.http3'
      - '--providers.file.directory=/traefik/dynamic/'
      - '--providers.file.watch=true'
      - '--certificatesresolvers.letsencrypt.acme.httpchallenge=false'
      - '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge=true'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=ovh'
      - '--certificatesresolvers.letsencrypt.acme.email=my@email.com'
      - '--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json'
      - '--api.insecure=false'
      - '--providers.docker=true'
      - '--providers.docker.exposedbydefault=false'
    environment:
      - "OVH_ENDPOINT=ovh-eu"
      - "OVH_APPLICATION_KEY=..."
      - "OVH_APPLICATION_SECRET=..."
      - "OVH_CONSUMER_KEY=..."
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      - coolify.managed=true
      - coolify.proxy=true
Do you have any idea about how to fix this issue? No external tool is able to find any DNSSEC issue with this domain and I searched everywhere about that with no result.
Thanks in advance,
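The "DNSSEC: RRSIGs Missing ... no signatures from 87.98.168.13" text in the log means a validating resolver asked that authoritative server for the A/AAAA RRset with the DO bit set and got the records back without any RRSIG covering them. The script below is an added example, not code from this thread, Traefik or lego: it builds exactly that DO-bit query with the standard library, parses the reply, and applies the same "RRset present but not covered by an RRSIG" test, so the failure can be reproduced against the nameserver named in the error without going through ACME. The host name and server address are the ones from the log line; the sample reply used for offline checking is constructed, not captured.

```python
import socket
import struct
A, AAAA, RRSIG, OPT = 1, 28, 46, 41  # RR type codes used below

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    # RD=1, 1 question, 1 additional: an EDNS0 OPT with DO=1 (0x8000), i.e. "send RRSIGs"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, 0x8000, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt

def build_response(name, qtype, rrs):
    # Constructed sample reply (not captured): QR=1, RR owners point (0xC00C) at the question
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd for t, rd in rrs)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + answers

def skip_name(msg, off):
    # Walk the labels of an owner name; a 2-byte compression pointer ends it.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def answer_rrs(msg):
    # (type, rdata) for every record in the answer section
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, rrs = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qtype + qclass
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return rrs

def rrsigs_missing(response, qtype):
    # True when the requested RRset is present but no RRSIG covers that type, the
    # condition reported as "RRSIGs Missing"; a negative answer yields False.
    rrs = answer_rrs(response)
    covered = {struct.unpack("!H", rd[:2])[0] for t, rd in rrs if t == RRSIG}
    return any(t == qtype for t, _ in rrs) and qtype not in covered

def query_server(name, qtype, server, timeout=3.0):
    # Ask one authoritative server directly over UDP (needs network access).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(4096)
```

Running `rrsigs_missing(query_server("coolify.bxpn.eu", A, "87.98.168.13"), A)` (and the same with AAAA) reproduces the resolver's view of that one server; if it returns True while the parent zone publishes a DS record for the domain, the zone being served is not signed, which is the state a validating resolver rejects even though tools that do not validate report nothing wrong.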