INWX SSL certificate renewal error

Hi,
somehow my once working setup for my SSL certificates via letsencrypt for INWX broke down.
I get the following error:
Error renewing certificate from LE: [...] acme: error presenting token: inwx: (2303) Object does not exist\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=production.acme

I'm running 2.9.6. in a docker. Worked fine, seems to be broken a little while, encountered the issue now because my certificates are no longer valid.

Google wasn't my friend on this one, any ideas/pointers?

The last person complaining today about non-working certs found out, that their domains had expired.

Share you config (static, dynamic, docker-compose.yml).

Just checked, my domain is valid until 22.09.2023, so this is not an issue.
dynamic_conf.yml:

tls:
  options:
    default:
      minVersion: VersionTLS12

      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256

      curvePreferences:
        - CurveP521
        - CurveP384

      sniStrict: true

http:
  middlewares:
    secHeaders:
      headers:
        stsPreload: true
        stsSeconds: 31536000
        forceSTSHeader: true
        referrerPolicy: "same-origin"
        frameDeny: true
        contentTypeNosniff: true
        browserXssFilter: true
        accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
        accessControlMaxAge: 100
        customFrameOptionsValue: "SAMEORIGIN"
        customRequestHeaders:
          X-Forwarded-Proto: ["https", "wss"]

    admin-auth:
      basicAuth:
        users:
          - "me:mypw"

traefik.yml


global:
  checkNewVersion: true
  sendAnonymousUsage: false

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443
    http:
      tls:
        certResolver: production
      middlewares:
        - secHeaders@file

log:
  level: WARNING

api:
  dashboard: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"

  file:
    filename: "./dynamic_conf.yml"

certificatesResolvers:
  staging:
    acme:
      email: me@mail.com
      storage: acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
#      httpChallenge:
#        entryPoint: web
      dnsChallenge:
        provider: inwx

  production:
    acme:
      email: me@mail.com
      storage: acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
#      httpChallenge:
#        entryPoint: web
      dnsChallenge:
        provider: inwx

docker-compose.yml

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      - INWX_USERNAME=${INWX_USERNAME}
      - INWX_PASSWORD=${INWX_PASSWORD}
      - INWX_PROPAGATION_TIMEOUT=1200 # INWX loves to time out...
      - TIMEZONE=Europe/Berlin
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/dynamic_conf.yml:/dynamic_conf.yml
    labels:
      - "providers.file.filename=/dynamic_conf.yml"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.my.domain`)"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.middlewares=admin-auth@file"

networks:
  traefik_proxy:
    external: true

And I wanted to state again, this setup worked for almost a year, somehow in the last 90 days(cert lifetime) something broke (no config changes done).

Maybe an easy workaround: switch to tlschallenge. That is independent of the DNS provider, saves a lot of hassle. The only case you need the dnschallenge is when you want wildcard certificates. But if every service has one or multiple hosts in the rule, then you don't need it.