Let's Encrypt certificate on gandiv5 with Personal Access Token (PAT)

Hi
I'm on Traefik version 2.10.7 on Windows, trying to get Let's Encrypt working with Gandi LiveDNS (Gandi v5 REST API, latest version).
I've been struggling with this for almost a week, and I think I found the issue

Following the Lego instructions (Gandi Live DNS (v5) :: Let's Encrypt client and ACME library written in Go) and Gandi's, the use of the API key is now deprecated and should be replaced with a PAT:

Environment Variable Name        Description
GANDIV5_API_KEY                  API key (Deprecated)
GANDIV5_PERSONAL_ACCESS_TOKEN    Personal Access Token

When I try to use the PAT environment variable, I get the error
"some credentials information are missing: GANDIV5_API_KEY"

When I use a PAT key with this variable, I get this error
"unable to generate a certificate for the domains [app.example.com]: error: one or more domains had a problem
acme: error presenting token: unable to get TXT records for domain example.com and name _acme-challenge.xray: 403: request failed: Access was denied to this resource"

So I think that the ACME client implementation in Traefik is not taking advantage of the new PAT usage
(I could get a certificate with a certbot client and the PAT key, so PAT access is good)

Thanks for your help

Sorry, forgot to mention that this is for dnsChallenge (internal-only application)

This is my traefik.yml

EntryPoints configuration

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
  websecure:
    address: ":443"

  traefik:
    address: ":8080"

TLS cert providers

certificatesResolvers:
  c-letsencrypt:
    acme:
      certificatesDuration: 24 # in hours
      dnsChallenge:
        provider: gandiv5
        delayBeforeCheck: 10
        resolvers:
          - "ns-237-a.gandi.net"
          - "ns-170-b.gandi.net"

providers (router configuration in dynamic file)

providers:
  file:
    directory: "D:/Tools/Traefik"
    watch: true

Whatever I put in the dynamic file doesn't change anything.
The only thing that works is the API key with the deprecated environment variable.

It seems the LetsEncrypt library Traefik uses has not been updated yet (doc).

You would need to wait for the library to be updated and then Traefik to be updated.

For now you can use your created TLS certs via custom TLS in Traefik dynamic config file (doc).

Yes, this is what I was thinking
Thanks

It seems it has been fixed in Lego 2.15, which still needs to be released (link, link).

Current Traefik is using 2.14, according to release notes (link).

This seems to be resolved, however Traefik is using the API URL of https://dns.api.gandi.net/api/v5/ instead of https://api.gandi.net/v5/livedns from the documentation - the former of which doesn't work for me.

Is there any way I can override this?

Thanks in advance!

EDIT: Traefik error from log below

ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [example.com .example.com]: error: one or more domains had a problem:\n[.example.com] [.example.com] acme: error presenting token: unable to get TXT records for domain example.com and name _acme-challenge: unable to communicate with the API server: error: Get \"https://dns.api.gandi.net/api/v5/domains/example.com/records/_acme-challenge/TXT\": net/http: invalid header field value for "Authorization"\n[example.com] [example.com] acme: error presenting token: unable to get TXT records for domain example.com and name _acme-challenge: unable to communicate with the API server: error: Get \"https://dns.api.gandi.net/api/v5/domains/example.com/records/_acme-challenge/TXT\": net/http: invalid header field value for "Authorization"\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["example.com",".example.com"] providerName=lets-encr.acme routerName=websecure-openwrt@file rule=Host(openwrt.example.com)

It needs to be fixed in the go-acme library, then the lib needs to be updated in Traefik.

Thanks, I have created an issue on the lego github. I was hoping there might be a bypass within Traefik to provide the API URL directly for the interim.

You already got an answer from the expert.

Thanks! And pleased they are active to set me on the right path, I seem to have solved it.
Believe that it was an issue with trailing whitespace on the PAT - the different API URLs were a red herring unfortunately.
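The "net/http: invalid header field value for Authorization" error in the log above and the trailing-whitespace root cause in the last reply share one mechanism: Go's HTTP transport rejects any header value containing a control byte (a trailing newline from a copy-paste, for instance), while a trailing space passes that check and instead produces a 403 from the API. The check below is an added example, not Traefik or Lego code; it mirrors the byte rule net/http applies and assumes the PAT is sent as a Bearer token (the deprecated API key used a different scheme).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrControlChar is the failure class behind "invalid header field value":
// the transport refuses any control byte other than TAB in a header value.
var ErrControlChar = errors.New("token contains a control character (e.g. a trailing newline)")

// ErrEdgeWhitespace covers a token that passes the header check but is padded
// with spaces or tabs; the API then rejects it with 401/403.
var ErrEdgeWhitespace = errors.New("token has leading or trailing whitespace")

// validHeaderValue mirrors the rule net/http enforces at round-trip time:
// every byte must be a non-control byte, horizontal tab excepted.
func validHeaderValue(v string) bool {
	for i := 0; i < len(v); i++ {
		b := v[i]
		if (b < ' ' || b == 0x7f) && b != '\t' {
			return false
		}
	}
	return true
}

// CheckToken validates a PAT read from the environment before it reaches an
// Authorization header. It never trims silently: padding is a config error.
func CheckToken(tok string) error {
	if tok == "" {
		return errors.New("token is empty")
	}
	if !validHeaderValue(tok) {
		return ErrControlChar
	}
	if strings.TrimSpace(tok) != tok {
		return ErrEdgeWhitespace
	}
	return nil
}

// AuthHeader builds the Authorization value for the Gandi LiveDNS v5 API.
// Assumption: the PAT is sent as "Bearer <token>".
func AuthHeader(tok string) (string, error) {
	if err := CheckToken(tok); err != nil {
		return "", err
	}
	return "Bearer " + tok, nil
}

func main() {
	// Constructed default so the program runs offline without a real PAT.
	tok := os.Getenv("GANDIV5_PERSONAL_ACCESS_TOKEN")
	if tok == "" {
		tok = "pat-EXAMPLE-constructed\n"
	}
	if _, err := AuthHeader(tok); err != nil {
		fmt.Fprintln(os.Stderr, "GANDIV5_PERSONAL_ACCESS_TOKEN:", err)
		os.Exit(1)
	}
	fmt.Println("GANDIV5_PERSONAL_ACCESS_TOKEN looks clean")
}
```

Run it with the real variable exported to confirm the token has no hidden newline or padding before pointing Traefik at it.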