LEGO not following "LEGO_DISABLE_CNAME_SUPPORT"?

Environment

  • image Traefik 3.6.13
  • acme / dnsChallenge / with provider:hetzner
  • environment vars:
    • LEGO_DISABLE_CNAME_SUPPORT=true
    • HETZNER_API_TOKEN=hhh
  • DNS entry on Hetzner Name Server

When cert generation starts, the TXT records are created on the Hetzner DNS server -> o.k., but the NS of the dyndns provider is queried:

last error: authoritative nameservers: NS ns3.myfritz.net.:53 did not return the expected TXT record

So the nameserver for mydomain.de is not the one that is queried.

How to get rid of this error?

When directly using lego with the following script:

#!/bin/bash
# new token
HETZNER_API_TOKEN="token" \
LEGO_DISABLE_CNAME_SUPPORT=true \
lego --dns hetzner  -d '*.mydomain.de' -d mydomain.de \
--dns.propagation-wait=30s \
-s https://acme-staging-v02.api.letsencrypt.org/directory \
run

I get no error (see log):

2026/04/11 23:35:58 [INFO] [*.mydomain.de, mydomain.de] acme: Obtaining bundled SAN certificate
2026/04/11 23:35:59 [INFO] [*.mydomain.de] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/282405013/507611373
2026/04/11 23:35:59 [INFO] [mydomain.de] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/282405013/507611383
2026/04/11 23:35:59 [INFO] [*.mydomain.de] acme: Could not find solver for: dns-persist-01
2026/04/11 23:35:59 [INFO] [*.mydomain.de] acme: use dns-01 solver
2026/04/11 23:35:59 [INFO] [mydomain.de] acme: Could not find solver for: tls-alpn-01
2026/04/11 23:35:59 [INFO] [mydomain.de] acme: Could not find solver for: http-01
2026/04/11 23:35:59 [INFO] [mydomain.de] acme: Could not find solver for: dns-persist-01
2026/04/11 23:35:59 [INFO] [mydomain.de] acme: use dns-01 solver
2026/04/11 23:35:59 [INFO] [*.mydomain.de] acme: Preparing to solve DNS-01
2026/04/11 23:36:09 [INFO] [mydomain.de] acme: Preparing to solve DNS-01
2026/04/11 23:36:14 [INFO] [*.mydomain.de] acme: Trying to solve DNS-01
2026/04/11 23:36:14 [INFO] [*.mydomain.de] acme: Checking DNS record propagation. [nameservers=192.168.10.11:53]
2026/04/11 23:36:16 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2026/04/11 23:36:49 [INFO] [*.mydomain.de] The server validated our request
2026/04/11 23:36:49 [INFO] [mydomain.de] acme: Trying to solve DNS-01
2026/04/11 23:36:49 [INFO] [mydomain.de] acme: Checking DNS record propagation. [nameservers=192.168.10.11:53]
2026/04/11 23:36:51 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2026/04/11 23:37:29 [INFO] [mydomain.de] The server validated our request
2026/04/11 23:37:29 [INFO] [*.mydomain.de] acme: Cleaning DNS-01 challenge
2026/04/11 23:37:35 [INFO] [mydomain.de] acme: Cleaning DNS-01 challenge
2026/04/11 23:37:39 [INFO] [*.mydomain.de, mydomain.de] acme: Validations succeeded; requesting certificates
2026/04/11 23:37:39 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2026/04/11 23:37:41 [INFO] [*.mydomain.de] Server responded with a certificate.

Solved :-) Added resolvers and disablePropagationCheck to the resolver definition, i.e.:

certificatesResolvers:
  letsencrypt-staging:
    acme:
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      email: "me@email"
      storage: /data/acme.json
      dnsChallenge:
        provider: hetzner
        propagation:
          delayBeforeChecks: 10s     # note: "Checks", not "Check"
# -------------------------------------------------------------------
# added from here
# -------------------------------------------------------------------
        disablePropagationCheck: false
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53
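
A log triage sketch for the symptom in this thread, added here as an example and not part of the original post or of lego/Traefik: it extracts the nameserver lego complained about and the resolvers it used for propagation checks, and flags nameservers that are outside the zone's expected provider. The function name, the sample lines (constructed from the two log formats quoted above) and the expected-NS suffixes are assumptions; replace the suffixes with the NS set your zone is actually delegated to.

```python
import re

# The two lego message formats quoted in the thread above.
FAILED_NS = re.compile(
    r"authoritative nameservers: NS (\S+?)\.?:(\d+) "
    r"did not return the expected TXT record"
)
PROPAGATION = re.compile(
    r"\[([^\]]+)\] acme: Checking DNS record propagation\. "
    r"\[nameservers=([^\]]+)\]"
)

# Assumption: suffixes of the nameservers the zone is delegated to.
EXPECTED_NS_SUFFIXES = ("ns.hetzner.com", "ns.hetzner.de")

# Constructed sample input built from the lines shown in the post.
SAMPLE_LINES = [
    "last error: authoritative nameservers: NS ns3.myfritz.net.:53 "
    "did not return the expected TXT record",
    "2026/04/11 23:36:14 [INFO] [*.mydomain.de] acme: Checking DNS record "
    "propagation. [nameservers=192.168.10.11:53]",
    "2026/04/11 23:36:49 [INFO] [mydomain.de] acme: Checking DNS record "
    "propagation. [nameservers=192.168.10.11:53]",
]


def triage(lines, expected_ns_suffixes=EXPECTED_NS_SUFFIXES):
    """Report nameservers outside the expected provider and, per domain,
    the resolvers lego used for its propagation checks."""
    foreign_ns, resolvers = [], {}
    for line in lines:
        failed = FAILED_NS.search(line)
        if failed:
            host = failed.group(1).lower()
            in_zone = any(
                host == s or host.endswith("." + s) for s in expected_ns_suffixes
            )
            if not in_zone:
                foreign_ns.append(host)
        checked = PROPAGATION.search(line)
        if checked:
            domain, servers = checked.group(1), checked.group(2).split(",")
            resolvers.setdefault(domain, []).extend(s.strip() for s in servers)
    return {"foreign_ns": foreign_ns, "resolvers": resolvers}


if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

A non-empty `foreign_ns` means the propagation check went to a nameserver that does not serve the zone where the TXT record was created, which is the mismatch described in the question.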