DNSSEC: RRSIGs Missing: validation failure while generating an SSL certificate with DNS-01

Hello,

I’m trying to generate an SSL certificate using a DNS-01 challenge, but every time I restart Traefik its logs show this error:

2025-02-14T17:21:46Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [coolify.bxpn.eu]: error: one or more domains had a problem:\n[coolify.bxpn.eu] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: looking up A for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. A IN>: no signatures from 87.98.168.13; DNS problem: looking up AAAA for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. AAAA IN>: no signatures from 2001:41d0:1:4a9e::1\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["coolify.bxpn.eu"] providerName=letsencrypt.acme routerName=coolify-https@file rule=Host(`coolify.bxpn.eu`)

Better formatted:

unable to generate a certificate for the domains [coolify.bxpn.eu]: error: one or more domains had a problem:
[coolify.bxpn.eu] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: looking up A for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. A IN>: no signatures from 87.98.168.13; DNS problem: looking up AAAA for coolify.bxpn.eu: DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. AAAA IN>: no signatures from 2001:41d0:1:4a9e::1

This error likely doesn’t come from Let’s Encrypt:

Sometimes ACME Clients pre-check the cert request before sending it to LE. This looks like that kind of failure. Sorry but I don't know Traefik well enough to be specific.

The LE server would not look at the A or AAAA record for a DNS Challenge. Only a TXT record.

This Traefik container is part of a Coolify install. See the full docker-compose.yml below:

docker-compose.yml
networks:
  coolify:
    external: true
services:
  traefik:
    container_name: coolify-proxy
    image: 'traefik:v3.1'
    restart: unless-stopped
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    networks:
      - coolify
    ports:
      - '80:80'
      - '443:443'
      - '443:443/udp'
      - '8080:8080'
    healthcheck:
      test: 'wget -qO- http://localhost:80/ping || exit 1'
      interval: 4s
      timeout: 2s
      retries: 5
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - '/data/coolify/proxy:/traefik'
    command:
      - '--ping=true'
      - '--ping.entrypoint=http'
      - '--api.dashboard=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.https.address=:443'
      - '--entrypoints.http.http.encodequerysemicolons=true'
      - '--entryPoints.http.http2.maxConcurrentStreams=50'
      - '--entrypoints.https.http.encodequerysemicolons=true'
      - '--entryPoints.https.http2.maxConcurrentStreams=50'
      - '--entrypoints.https.http3'
      - '--providers.file.directory=/traefik/dynamic/'
      - '--providers.file.watch=true'
      - '--certificatesresolvers.letsencrypt.acme.httpchallenge=false'
      - '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge=true'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=ovh'
      - '--certificatesresolvers.letsencrypt.acme.email=my@email.com'
      - '--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json'
      - '--api.insecure=false'
      - '--providers.docker=true'
      - '--providers.docker.exposedbydefault=false'
    environment:
      - "OVH_ENDPOINT=ovh-eu"
      - "OVH_APPLICATION_KEY=..."
      - "OVH_APPLICATION_SECRET=..."
      - "OVH_CONSUMER_KEY=..."
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      - coolify.managed=true
      - coolify.proxy=true

Do you have any idea about how to fix this issue? No external tool is able to find any DNSSEC issue with this domain and I searched everywhere about that with no result.

Thanks in advance,
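As an added diagnostic (not code from the original post, and not Traefik's, lego's or Let's Encrypt's), the Python below parses the `urn:ietf:params:acme:error:dns` detail out of a Traefik log line like the one above, lists which record types were looked up and which servers returned no signatures, and flags address-record lookups as inconsistent with a DNS-01 challenge, which per the point quoted in the post only involves a TXT record. It also lints the resolver flags from the compose file for the pattern the thread ends up fixing (`httpchallenge.*` lines kept next to `dnschallenge.*` lines) and notes when the propagation check is disabled. The regex, the finding levels and the sample inputs are constructed for this example; the flag names are the ones that appear on this page.

```python
import re

# Constructed input: the Traefik log line from the post (domain and servers as they appear there).
SAMPLE_LOG = (
    '2025-02-14T17:21:46Z ERR Unable to obtain ACME certificate for domains '
    'error="unable to generate a certificate for the domains [coolify.bxpn.eu]: '
    'error: one or more domains had a problem:\\n[coolify.bxpn.eu] acme: error: 400 :: '
    'urn:ietf:params:acme:error:dns :: DNS problem: looking up A for coolify.bxpn.eu: '
    'DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. A IN>: '
    'no signatures from 87.98.168.13; DNS problem: looking up AAAA for coolify.bxpn.eu: '
    'DNSSEC: RRSIGs Missing: validation failure <coolify.bxpn.eu. AAAA IN>: '
    'no signatures from 2001:41d0:1:4a9e::1\\n" '
    'ACME CA=https://acme-v02.api.letsencrypt.org/directory domains=["coolify.bxpn.eu"]'
)

# Resolver flags as posted in the compose file (OP_ARGS) and in the final working config (FIXED_ARGS).
OP_ARGS = [
    "--certificatesresolvers.letsencrypt.acme.httpchallenge=false",
    "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http",
    "--certificatesresolvers.letsencrypt.acme.dnschallenge=true",
    "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=ovh",
    "--certificatesresolvers.letsencrypt.acme.email=my@email.com",
    "--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json",
]
FIXED_ARGS = [
    "--certificatesresolvers.letsencrypt.acme.dnschallenge=true",
    "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=ovh",
    "--certificatesresolvers.letsencrypt.acme.dnschallenge.disablePropagationCheck=true",
    "--certificatesresolvers.letsencrypt.acme.email=my@email.com",
    "--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json",
]

ACME_DNS_ERROR = "urn:ietf:params:acme:error:dns"

# One "DNS problem" clause. The detail runs up to the next ';', the escaped newline that ends the
# quoted error, the closing quote, or end of line (assumed format, matched to the log above).
LOOKUP_RE = re.compile(
    r'looking up (?P<rtype>[A-Z]+) for (?P<name>[^\s:]+): (?P<detail>[^;"]+?)(?=;|\\n|"|$)'
)


def parse_dns_problems(log_line):
    """Return one record per 'DNS problem' clause in an ACME dns-type error detail."""
    if ACME_DNS_ERROR not in log_line:
        return []
    problems = []
    for m in LOOKUP_RE.finditer(log_line):
        detail = m.group("detail")
        server = re.search(r"no signatures from (\S+)", detail)
        problems.append({
            "rtype": m.group("rtype"),
            "name": m.group("name"),
            "dnssec_failure": detail.startswith("DNSSEC:"),
            "server": server.group(1) if server else None,
        })
    return problems


def diagnose(problems):
    """Classify the lookups: a DNS-01 validation only needs the TXT record."""
    rtypes = {p["rtype"] for p in problems}
    if not rtypes:
        return "no-dns-problem"
    if rtypes <= {"TXT"}:
        return "dns-01-lookup"
    return "not-dns-01-lookup"  # A/AAAA (or other) lookups are not part of a DNS-01 validation


def lint_resolver_flags(args, resolver="letsencrypt"):
    """Lint the static-config flags of one ACME resolver; returns a list of (level, message)."""
    prefix = f"--certificatesresolvers.{resolver}.acme."
    flags = {}
    for arg in args:
        if arg.lower().startswith(prefix):
            key, _, value = arg[len(prefix):].partition("=")
            flags[key.lower()] = value  # Traefik flag names are case-insensitive
    http_keys = [k for k in flags if k.startswith("httpchallenge")]
    dns_keys = [k for k in flags if k.startswith("dnschallenge")]
    findings = []
    if http_keys and dns_keys:
        findings.append(("warn", "httpchallenge.* and dnschallenge.* flags are both present; "
                                 "the thread's fix was to drop every httpchallenge.* line"))
    if flags.get("httpchallenge") == "false" and any(k.startswith("httpchallenge.") for k in flags):
        findings.append(("warn", "httpchallenge=false is contradicted by httpchallenge.* sub-options being set"))
    if flags.get("dnschallenge") == "true" and "dnschallenge.provider" not in flags:
        findings.append(("error", "dnschallenge=true without dnschallenge.provider"))
    if flags.get("dnschallenge.disablepropagationcheck", "").lower() == "true":
        findings.append(("info", "propagation check disabled: Traefik will tell the CA to validate "
                                 "without first confirming the TXT record is visible"))
    return findings


if __name__ == "__main__":
    problems = parse_dns_problems(SAMPLE_LOG)
    for p in problems:
        print(p)
    print("diagnosis:", diagnose(problems))
    for level, msg in lint_resolver_flags(OP_ARGS):
        print(f"[{level}] {msg}")
```

Run against the posted log it reports two DNSSEC failures, one for A and one for AAAA, and classifies them as not a DNS-01 lookup; run against the posted compose flags it warns about the mixed `httpchallenge.*`/`dnschallenge.*` lines, and against the final config it only notes that the propagation check is off.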

Remove all

Try to set propagation.disableChecks (doc).

Thank you; in the end my issue was that my setup wasn’t reloading the configuration from docker-compose.yml, so I was becoming crazy because nothing worked, but that was because my modifications weren’t taken into account. I removed everything related to HTTP and used this config:

...
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge=true'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=ovh'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.disablePropagationCheck=true'
      - '--certificatesresolvers.letsencrypt.acme.email=my@email.com'
...
