I/O timeout while trying to obtain certificate

What did you do?

I am trying to get a wildcard SSL certificate for my server using the DNS challenge.

It previously worked. Without changing anything, it suddenly stopped working.

Networking and reaching Cloudflare DNS servers, or fetching the DNS records for the wildcard domain from inside the container, works fine.

What did you see instead?

It should obtain the SSL certificate no problem

What version of Traefik are you using?

Version: 3.3.4
Codename: saintnectaire
Go version: go1.23.6
Built: 2025-02-25T10:11:01Z
OS/Arch: linux/amd64

What is your environment & configuration?

certificatesResolvers:
  letsencrypt:
    acme:
      email: example@gmail.com
      storage: acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
#      httpChallenge:
#        entryPoint: web
      dnsChallenge:
        provider: cloudflare

If applicable, please paste the log output in DEBUG level

example.com is not the real domain

traefik  | 2025-03-24T08:06:26Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:270 > Building ACME client... providerName=letsencrypt.acme
traefik  | 2025-03-24T08:06:26Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:276 > https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
traefik  | 2025-03-24T08:06:27Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:457 > Register... providerName=letsencrypt.acme
traefik  | 2025-03-24T08:06:27Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] acme: Registering account for example@gmail.com lib=lego
traefik  | 2025-03-24T08:06:27Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:317 > Using DNS Challenge provider: cloudflare providerName=letsencrypt.acme
traefik  | 2025-03-24T08:06:27Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com, *.server.example.com] acme: Obtaining bundled SAN certificate lib=lego
traefik  | 2025-03-24T08:06:28Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/redacted/redacted lib=lego
traefik  | 2025-03-24T08:06:28Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/redacted/redacted lib=lego
traefik  | 2025-03-24T08:06:28Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: use dns-01 solver lib=lego
traefik  | 2025-03-24T08:06:28Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Could not find solver for: tls-alpn-01 lib=lego
traefik  | 2025-03-24T08:06:28Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Could not find solver for: http-01 lib=lego
traefik  | 2025-03-24T08:06:28Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: use dns-01 solver lib=lego
traefik  | 2025-03-24T08:06:28Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Preparing to solve DNS-01 lib=lego
traefik  | 2025-03-24T08:06:30Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] cloudflare: new record for server.example.com, ID ccee234ec5fd5947ef6e207d5275a8fb lib=lego
traefik  | 2025-03-24T08:06:30Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Preparing to solve DNS-01 lib=lego
traefik  | 2025-03-24T08:06:30Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] cloudflare: new record for server.example.com, ID 6eaa36d0727dfdc0e4f0990ef2a91415 lib=lego
traefik  | 2025-03-24T08:06:30Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Trying to solve DNS-01 lib=lego
traefik  | 2025-03-24T08:06:30Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53] lib=lego
traefik  | 2025-03-24T08:06:32Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Wait for propagation [timeout: 2m0s, interval: 2s] lib=lego
traefik  | 2025-03-24T08:06:42Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:06:54Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:07:06Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:07:18Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:07:30Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:07:42Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:07:54Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:08:06Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:08:18Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:08:30Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:08:32Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Trying to solve DNS-01 lib=lego
traefik  | 2025-03-24T08:08:32Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53] lib=lego
traefik  | 2025-03-24T08:08:34Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Wait for propagation [timeout: 2m0s, interval: 2s] lib=lego
traefik  | 2025-03-24T08:08:44Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:08:56Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:09:08Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:09:20Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:09:32Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:09:44Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:09:50Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:216 > TLS: strict SNI enabled - No certificate found for domain: "", closing connection
traefik  | 2025-03-24T08:09:50Z DBG log/log.go:245 > http: TLS handshake error from 144.202.82.88:61234: tls: no certificates configured
traefik  | 2025-03-24T08:09:56Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:10:08Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:10:20Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:10:32Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Waiting for DNS record propagation. lib=lego
traefik  | 2025-03-24T08:10:34Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.server.example.com] acme: Cleaning DNS-01 challenge lib=lego
traefik  | 2025-03-24T08:10:35Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [server.example.com] acme: Cleaning DNS-01 challenge lib=lego
traefik  | 2025-03-24T08:10:36Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz/redacted/redacted lib=lego
traefik  | 2025-03-24T08:10:36Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz/redacted/redacted lib=lego
traefik  | 2025-03-24T08:10:37Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:553 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [server.example.com *.server.example.com]: error: one or more domains had a problem:\n[*.server.example.com] propagation: time limit exceeded: last error: authoritative nameservers: DNS call error: read udp 172.26.0.2:34313->173.245.58.58:53: i/o timeout [ns=aida.ns.cloudflare.com.:53, question='_acme-challenge.server.example.com. IN  TXT']\n[server.example.com] propagation: time limit exceeded: last error: authoritative nameservers: DNS call error: read udp 172.26.0.2:41488->173.245.58.58:53: i/o timeout [ns=aida.ns.cloudflare.com.:53, question='_acme-challenge.server.example.com. IN  TXT']\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["server.example.com","*.server.example.com"] providerName=letsencrypt.acme routerName=catchall@file rule="HostRegexp(`^(?:.+\\.)?server\\.example\\.com$`)"

Staging CA server? Using CNAMEs?

Did anything in the network change, like using Pi-Hole?

Share your full Traefik static and dynamic config, and Docker compose file(s) if used.

It looks like your Traefik instance is failing to obtain the wildcard SSL certificate using the DNS challenge with Cloudflare. Since it previously worked but has now stopped, the issue might be related to DNS propagation, Cloudflare API credentials, or rate limits.

From the logs, Traefik is correctly attempting the DNS-01 challenge and creating new DNS records for validation. However, it repeatedly waits for DNS propagation, which suggests that the ACME provider (Let's Encrypt) is unable to verify the challenge.

Possible reasons for this issue include a delay in DNS propagation, incorrect Cloudflare API credentials, or missing permissions for the API token. You can verify DNS propagation by checking if the TXT record _acme-challenge.server.example.com is resolving properly using a public DNS lookup tool.

Another potential issue is the strict SNI mode error in the logs, which indicates that Traefik is not serving a certificate because it was not issued. This might mean that the ACME challenge ultimately failed.

To troubleshoot, try manually checking Cloudflare’s DNS records to confirm that the required TXT records are being created and propagated. If they are missing, ensure that your API token has permissions to manage DNS records. Also, check if your Traefik container’s system time is correct, as time drift can cause ACME challenges to fail.
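Added example, not part of the thread and not Traefik's or lego's own code: a small Go parser for the error= value of the ERR line in the posted log. It pulls out the transport, endpoints and nameserver for each domain and labels a read timeout at the authoritative-nameserver stage. The type and function names and the label strings are assumptions made for this illustration; the sample input is copied from the log above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Failure is one per-domain propagation entry from the error string (hypothetical type).
type Failure struct {
	Domain, Stage, Proto, Local, Remote, Cause, NS, Question string
}

// entryRE matches entries of the form seen in the post:
// [domain] propagation: time limit exceeded: last error: <stage>: DNS call error:
// read <proto> <local>-><remote>: <cause> [ns=<ns>, question='<question>']
var entryRE = regexp.MustCompile(`\[([^\]\s]+)\] propagation: time limit exceeded: last error: ([a-z ]+): DNS call error: read (udp|tcp) (\S+)->(\S+): (.+?) \[ns=([^,\]]+), question='([^']+)'\]`)

// ParseFailures extracts every per-domain entry from the error="..." value.
func ParseFailures(errMsg string) []Failure {
	var out []Failure
	for _, m := range entryRE.FindAllStringSubmatch(errMsg, -1) {
		out = append(out, Failure{m[1], m[2], m[3], m[4], m[5], m[6], m[7], m[8]})
	}
	return out
}

// Classify labels an entry. "i/o timeout" on a read means the query was sent
// and no reply arrived before the deadline; the stage says which servers were asked.
func Classify(f Failure) string {
	if !strings.Contains(f.Cause, "i/o timeout") {
		return "other"
	}
	if f.Stage == "authoritative nameservers" {
		return "authoritative-ns-no-reply"
	}
	return "dns-timeout"
}

// sample is the error text from the ERR line in the post (\n is literal, as logged).
const sample = `unable to generate a certificate for the domains [server.example.com *.server.example.com]: error: one or more domains had a problem:\n[*.server.example.com] propagation: time limit exceeded: last error: authoritative nameservers: DNS call error: read udp 172.26.0.2:34313->173.245.58.58:53: i/o timeout [ns=aida.ns.cloudflare.com.:53, question='_acme-challenge.server.example.com. IN  TXT']\n[server.example.com] propagation: time limit exceeded: last error: authoritative nameservers: DNS call error: read udp 172.26.0.2:41488->173.245.58.58:53: i/o timeout [ns=aida.ns.cloudflare.com.:53, question='_acme-challenge.server.example.com. IN  TXT']\n`

func main() {
	for _, f := range ParseFailures(sample) {
		fmt.Printf("%-22s %s %s -> %s (%s): %s\n",
			f.Domain, f.Proto, f.Local, f.Remote, f.NS, Classify(f))
	}
}
```

Both entries carry the same question name and the same remote address, so the output shows two unanswered UDP reads from the container address to one authoritative nameserver.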

The exact same setup works on different servers and I want to discontinue the server anyway, therefore I don't care.