Let's Encrypt DNS challenge DNS provider hetzner unrecognized

Hi,

I am trying to get a wildcard certificate using the Let's Encrypt DNS challenge.

Unfortunately I always get the error:
traefik2 | time="2020-07-11T09:20:09Z" level=error msg="Unable to obtain ACME certificate for domains \"nuc.cmos.at,*.nuc.cmos.at\" : cannot get ACME client unrecognized DNS provider: hetzner" providerName=myresolver.acme

I am using the docker container: "traefik:v2.2"
As I am reading the documentation https://docs.traefik.io/https/acme/#dnschallenge, this should support the DNS provider "hetzner".

Any suggestions what's wrong, or how to further investigate the root cause?

Could you please post your configs. Right under the dnsChallenge there is a purple line saying "Configuring a dnsChallenge with the DigitalOcean Provider". If you click on it, you will see an example of what your configuration should approximately look like.

Thanks:
I think I just found out the issue.

I probably used an older version 2.2.(0/1) in my docker setup.
Hetzner is supported since Lego 3.7.0 Link which was added to traefik 2.2.2 (releases)

Now I just stepped into the next problem:
"could not determine authoritative nameservers\n[nuc.cmos.at] time limit exceeded:"

The problem is with your DNS setup. lego cannot find authoritative nameservers for your zone. Try it with dig or nslookup and you won't be able either.

My understanding of this is quite limited.

For testing I moved from the subdomain to the normal domain cmos.at

I expected the authoritative name server to be defined by the SOA record.
Zone File:

; SOA Records
@		IN	SOA	hydrogen.ns.hetzner.com. dns.hetzner.com. 2020071121 86400 10800 3600000 3600

The dig response also looks OK (containing the flag aa)

% dig @hydrogen.ns.hetzner.com whoami.cmos.at

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> @hydrogen.ns.hetzner.com whoami.cmos.at
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15034
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;whoami.cmos.at.			IN	A

;; ANSWER SECTION:
whoami.cmos.at.		60	IN	A	116.202.181.57

;; Query time: 30 msec
;; SERVER: 213.133.100.98#53(213.133.100.98)
;; WHEN: Sat Jul 11 15:19:08 CEST 2020
;; MSG SIZE  rcvd: 59

But still I get the error:

traefik2    | time="2020-07-11T12:30:47Z" level=error msg="Unable to obtain ACME certificate for domains \"cmos.at,*.cmos.at\" : unable to generate a certificate for the domains [cmos.at *.cmos.at]: error: one or more domains had a problem:\n[*.cmos.at] time limit exceeded: last error: could not determine authoritative nameservers\n[cmos.at] time limit exceeded: last error: could not determine authoritative nameservers\n" providerName=myresolver.acme

Yep, you need to get to the bottom of this. Traefik really cannot figure it out if the dns setup is wrong. Perhaps you can contact hetzner support.

Your whoami.cmos.at domain is located in cmos.at zone, but dig cmos.at NS does not return any nameservers. Lego expects to get them, as it needs them for subsequent DNS queries.

I found one issue with the DNS (Propagation with the hetzner server center).

Therefore I now manually configured the resolver.
If I use "dig _acme-challenge.cmos.at TXT" in the container I also get the correct TXT records.
Nevertheless the log says "Waiting for DNS record propagation.".

I know we are now more in LEGO than in Traefik.
But is there a way to get an even more detailed log where it is visible why the program is waiting?

traefik.yaml

log:
    filePath: "/logs/traefik.log"
    level: DEBUG
accessLog:
    filePath: "/logs/access.log"
    bufferingSize: 10
entryPoints:
    web:
        address: ":80"
        http:
            redirections:
                entryPoint:
                    to: "websecure"
                    scheme: "https"
                    permanent: "true"
    websecure:
        address: ":443"

providers:
    docker:
        exposedbydefault: False

certificatesResolvers:
    myresolver:
      acme:
        email: wasle@cmos.at
        storage: /letsencrypt/acme.json
        dnsChallenge:
            provider: "hetzner"
            #delayBeforeCheck: 0
            resolvers:
                - "hydrogen.ns.hetzner.com"
        caserver: https://acme-staging-v02.api.letsencrypt.org/directory # for Experiments

compose File:

version: "2.4"

services:
  traefik2:
    #image: "traefik:v2.2"
    image: "traefik:latest"
    container_name: "traefik2"
    command:
        - "--configfile=/traefik.yaml"
        - "--log.level=DEBUG"

    ports:
      - "116.202.181.57:80:80"
      - "116.202.181.57:443:443"
    environment:
      - "HETZNER_API_KEY=Private"
    volumes:
       - "./data/letsencrypt:/letsencrypt"
       - "./data/logs:/logs"
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "./config/traefik.yaml:/traefik.yaml"


  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.cmos.at`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
      - "traefik.http.routers.whoami.tls.domains[0].main=cmos.at"
      - "traefik.http.routers.whoami.tls.domains[0].sans=*.cmos.at"

Log:

time="2020-07-11T16:16:02Z" level=debug msg="legolog: [INFO] [*.cmos.at] acme: Trying to solve DNS-01"
time="2020-07-11T16:16:02Z" level=debug msg="legolog: [INFO] [*.cmos.at] acme: Checking DNS record propagation using [hydrogen.ns.hetzner.com:53]"
time="2020-07-11T16:16:04Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2020-07-11T16:16:04Z" level=debug msg="legolog: [INFO] [*.cmos.at] acme: Waiting for DNS record propagation."
time="2020-07-11T16:16:06Z" level=debug msg="legolog: [INFO] [*.cmos.at] acme: Waiting for DNS record propagation."
...
time="2020-07-11T16:18:04Z" level=debug msg="legolog: [INFO] [*.cmos.at] acme: Waiting for DNS record propagation."
time="2020-07-11T16:18:06Z" level=debug msg="legolog: [INFO] [cmos.at] acme: Trying to solve DNS-01"
time="2020-07-11T16:18:06Z" level=debug msg="legolog: [INFO] [cmos.at] acme: Checking DNS record propagation using [hydrogen.ns.hetzner.com:53]"
time="2020-07-11T16:18:08Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2020-07-11T16:18:08Z" level=debug msg="legolog: [INFO] [cmos.at] acme: Waiting for DNS record propagation."
time="2020-07-11T16:18:10Z" level=debug msg="legolog: [INFO] [cmos.at] acme: Waiting for DNS record propagation."
...
time="2020-07-11T16:20:05Z" level=debug msg="legolog: [INFO] [cmos.at] acme: Waiting for DNS record propagation."
time="2020-07-11T16:20:07Z" level=debug msg="legolog: [INFO] [cmos.at] acme: Waiting for DNS record propagation."
time="2020-07-11T16:20:09Z" level=debug msg="legolog: [INFO] [*.cmos.at] acme: Cleaning DNS-01 challenge"
time="2020-07-11T16:20:15Z" level=debug msg="legolog: [INFO] [cmos.at] acme: Cleaning DNS-01 challenge"
time="2020-07-11T16:20:21Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/75836619"
time="2020-07-11T16:20:22Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/75836620"
time="2020-07-11T16:20:22Z" level=error msg="Unable to obtain ACME certificate for domains \"cmos.at,*.cmos.at\" : unable to generate a certificate for the domains [cmos.at *.cmos.at]: error: one or more domains had a problem:\n[*.cmos.at] time limit exceeded: last error: read udp 192.168.64.2:49075->116.203.132.207:53: read: connection refused\n[cmos.at] time limit exceeded: last error: read udp 192.168.64.2:52349->116.203.132.207:53: read: connection refused\n" providerName=myresolver.acme

With some support of a friend I now got it running.

As suggested by zesprl the issue was in the NS records.
I forgot the "." at the end of the domain name, resulting in an incorrect response.
And probably I needed more than one NS record.

Thanks zesprl for pointing me in the right direction.

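Added example, not code from the thread, Traefik or lego: a small Python lint for the zone apex records that lego needs to locate authoritative nameservers before it checks the `_acme-challenge` TXT record. It mimics zone-file name handling, where a target without a trailing "." is relative and gets the origin appended, so it shows exactly what the forgotten "." above turned the NS record into; the origin `cmos.at.` and the second nameserver `ns2.example.net.` in the fixed snippet are constructed for the example.

```python
# Added example, not from the thread: a lint for the zone apex records lego needs
# for DNS-01. Zone-file rule: a name without a trailing "." is relative to the origin.
def absolutize(name: str, origin: str) -> str:
    """Expand an owner/target name the way a zone-file parser does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str, origin: str) -> list:
    """Return (owner, type, rdata) tuples; tolerates an optional TTL and class."""
    records = []
    for line in text.splitlines():
        tokens = line.split(";", 1)[0].split()  # drop comments, split on whitespace
        if not tokens:
            continue
        rest = tokens[1:]
        if rest and rest[0].isdigit():  # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        records.append((absolutize(tokens[0], origin), rest[0].upper(), rest[1:]))
    return records

def lint_apex(text: str, origin: str) -> list:
    """Return human-readable problems with the SOA/NS records at the apex."""
    recs = parse_zone(text, origin)
    problems, ns_targets = [], []
    for owner, rtype, rdata in recs:
        if rtype != "NS" or owner != origin:
            continue
        ns_targets.append(absolutize(rdata[0], origin))
        if not rdata[0].endswith("."):  # the mistake described in the thread
            problems.append(f"NS target '{rdata[0]}' lacks a trailing dot; it expands to '{ns_targets[-1]}'")
    if len(ns_targets) < 2:
        problems.append(f"{len(ns_targets)} apex NS record(s); two or more are expected")
    soa = [r for r in recs if r[0] == origin and r[1] == "SOA"]
    if soa and absolutize(soa[0][2][0], origin) not in ns_targets:
        problems.append(f"SOA MNAME '{absolutize(soa[0][2][0], origin)}' is not listed among the apex NS records")
    return problems

# Constructed zone snippets: ZONE_BROKEN has the missing dot, ZONE_FIXED uses absolute names
# and a made-up second nameserver.
ZONE_BROKEN = """\
@  IN SOA hydrogen.ns.hetzner.com. dns.hetzner.com. 2020071121 86400 10800 3600000 3600
@  IN NS  hydrogen.ns.hetzner.com
"""
ZONE_FIXED = """\
@  IN SOA hydrogen.ns.hetzner.com. dns.hetzner.com. 2020071122 86400 10800 3600000 3600
@  IN NS  hydrogen.ns.hetzner.com.
@  IN NS  ns2.example.net.
"""
```

Running `lint_apex(ZONE_BROKEN, "cmos.at.")` reports the relative NS target expanding to `hydrogen.ns.hetzner.com.cmos.at.`, the single NS record, and the SOA MNAME not matching any NS; the fixed zone reports nothing.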