No subdomain because the domain and the zone are identical

Dear All,

I have been using traefik successfully for a year now on a couple of domains I own. Now I am trying to set up yet another one (for a friend of mine) in a very similar fashion, but it just wouldn't work...
The domain in question is yankele.eu.

The only change (apart from the domain name) compared to the original sites is that the other domains are hosted at Cloudflare, while this domain is hosted at GoDaddy.

Here are my traefik config files, which I simply copied over from existing, working domains/sites and modified as best I could:

docker-compose.yaml:

services:
  traefik:
    image: traefik:2.10.3
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - mynet
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      - ./data:/etc/traefik
      - ./ssl-certs:/ssl-certs
      - ./logs:/var/log/traefik

    environment:
      - GODADDY_API_KEY=*********
      - GODADDY_API_SECRET=*********
      - GODADDY_POLLING_INTERVAL=300
      - GODADDY_PROPAGATION_TIMEOUT=600
      - GODADDY_TTL=600
      - GODADDY_HTTP_TIMEOUT=600

    labels:
      - "traefik.enable=true"

      # Dashboard
      - "traefik.http.routers.dashboardRouter.entrypoints=websecure"
      - "traefik.http.routers.dashboardRouter.rule=Host(`traefik.yankele.eu`)"
      - "traefik.http.routers.dashboardRouter.tls=true"
      - "traefik.http.routers.dashboardRouter.tls.options=mintls13@file"
      - "traefik.http.routers.dashboardRouter.tls.certresolver=staging"    # production / staging
      - "traefik.http.routers.dashboardRouter.service=api@internal"

      - "traefik.http.routers.dashboardRouter.middlewares=secure-headers@file,dashboard-auth@file"
      
      - "traefik.frontend.passHostHeader=true"


     
networks:
  mynet:
    external: true

traefik.yml:

global:
  checkNewVersion: true

log:
  level: INFO  # DEBUG, INFO, WARNING, ERROR, CRITICAL
  format: common  # common, json, logfmt
  filePath: /var/log/traefik/traefik.log

api:
  dashboard: true
  insecure: false 

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443
 
certificatesResolvers:
  staging:
    acme:
      email: letsencrypt@viktak.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web

  production:
    acme:
      email: letsencrypt@viktak.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: godaddy
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic-config
    watch: true


config.yml:

http:

################################################################################################
### Services
################################################################################################
  services:
    
    dummy:
      loadBalancer:
        servers:
          - url: "https://microsoft.com"

################################################################################################
### Routers
################################################################################################
  routers:
    domainRouter:
      entrypoints:
        - websecure
      rule: "Host(`yankele.eu`)"
      service: dummy
      middlewares:
        - domain
      tls:
        certresolver: production

      
    # catchAllRouter:
      # entrypoints:
        # - websecure
      # middlewares:
        # - catchAll
      # rule: "PathPrefix(`/`)"
      # service: dummy
      # priority: 1
      # tls:
        # certresolver: production
        # domains:
          # - main: "yankele.eu"
          # - sans: "*.yankele.eu"

################################################################################################
### Middlewares
################################################################################################

  middlewares:
  
    dashboard-auth:
      basicAuth:
        removeHeader: true
        users:
          - "administrator:*************"

    domain:
      redirectregex:
        regex: "^https://yankele.eu/(.*)"
        replacement: "https://yankele.eu/${1}"
        permanent: true

    catchAll:
      redirectregex:
        regex: "^.*$"
        replacement: "https://yankele.eu/${1}"
        permanent: false

    secure-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        STSPreload: true
        accessControlMaxAge: 100
        accessControlAllowHeaders: "*"
        addVaryHeader: true
        referrerPolicy: "same-origin"
        contentSecurityPolicy: ""
        permissionsPolicy: "geolocation=(self), microphone=(), camera=(), fullscreen=*"
        

################################################################################################
### TLS
################################################################################################
tls:
  options:
    default:
      minVersion: VersionTLS12
    mintls13:
      minVersion: VersionTLS13

Finally, this is the log I get from Traefik:

time="2024-05-15T07:49:49-04:00" level=info msg="Traefik version 2.10.3 built on 2023-06-19T16:18:54Z"
time="2024-05-15T07:49:49-04:00" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2024-05-15T07:49:49-04:00" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2024-05-15T07:49:49-04:00" level=info msg="Starting provider *file.Provider"
time="2024-05-15T07:49:49-04:00" level=info msg="Starting provider *traefik.Provider"
time="2024-05-15T07:49:49-04:00" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2024-05-15T07:49:49-04:00" level=info msg="Starting provider *acme.Provider"
time="2024-05-15T07:49:49-04:00" level=info msg="Testing certificate renew..." providerName=production.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-05-15T07:49:49-04:00" level=info msg="Starting provider *acme.Provider"
time="2024-05-15T07:49:49-04:00" level=info msg="Testing certificate renew..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=staging.acme
time="2024-05-15T07:49:49-04:00" level=info msg="Starting provider *docker.Provider"
time="2024-05-15T07:49:51-04:00" level=error msg="Unable to obtain ACME certificate for domains \"portainer.yankele.eu\": unable to generate a certificate for the domains [portainer.yankele.eu]: error: one or more domains had a problem:\n[portainer.yankele.eu] [portainer.yankele.eu] acme: error presenting token: godaddy: no subdomain because the domain and the zone are identical: yankele.eu.\n" rule="Host(`portainer.yankele.eu`)" providerName=production.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=portainer@docker
time="2024-05-15T07:49:51-04:00" level=error msg="Unable to obtain ACME certificate for domains \"www.yankele.eu\": unable to generate a certificate for the domains [www.yankele.eu]: error: one or more domains had a problem:\n[www.yankele.eu] [www.yankele.eu] acme: error presenting token: godaddy: no subdomain because the domain and the zone are identical: yankele.eu.\n" routerName=yankele_eu@docker rule="Host(`www.yankele.eu`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=production.acme

Thanks in advance for any pointer!

Did you create the sub-domains in GoDaddy DNS or create a wildcard sub-domain (if that is possible)?

No, but I don't have subdomains in my other domains either. This is how the domain is set up (pretty much default values except for the IP address that I entered):

Shall I create CNAME records, like traefik pointing to traefik.yankele.eu? Is this what you mean?

You need to check whether your DNS provider automatically resolves your domain to an IP or not.

My DNS provider returns an error when there is no explicitly created sub-domain.

I created the CNAME records, and DNS resolution seems to work correctly:

$ dig portainer.yankele.eu

; <<>> DiG 9.18.24-1-Debian <<>> portainer.yankele.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21640
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;portainer.yankele.eu.          IN      A

;; ANSWER SECTION:
portainer.yankele.eu.   3600    IN      CNAME   yankele.eu.
yankele.eu.             600     IN      A       192.3.10.36

;; Query time: 31 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed May 15 08:35:12 EDT 2024
;; MSG SIZE  rcvd: 79

BUT: Now I have a different error in the logs, which I never had before...:

time="2024-05-15T08:36:45-04:00" level=info msg="Traefik version 2.10.3 built on 2023-06-19T16:18:54Z"
time="2024-05-15T08:36:45-04:00" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2024-05-15T08:36:45-04:00" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2024-05-15T08:36:45-04:00" level=info msg="Starting provider *file.Provider"
time="2024-05-15T08:36:45-04:00" level=info msg="Starting provider *traefik.Provider"
time="2024-05-15T08:36:45-04:00" level=info msg="Starting provider *docker.Provider"
time="2024-05-15T08:36:45-04:00" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2024-05-15T08:36:45-04:00" level=info msg="Starting provider *acme.Provider"
time="2024-05-15T08:36:45-04:00" level=info msg="Testing certificate renew..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=production.acme
time="2024-05-15T08:36:45-04:00" level=info msg="Starting provider *acme.Provider"
time="2024-05-15T08:36:45-04:00" level=info msg="Testing certificate renew..." providerName=staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-05-15T08:36:47-04:00" level=error msg="Unable to obtain ACME certificate for domains \"portainer.yankele.eu\": unable to generate a certificate for the domains [portainer.yankele.eu]: error: one or more domains had a problem:\n[portainer.yankele.eu] [portainer.yankele.eu] acme: error presenting token: godaddy: no subdomain because the domain and the zone are identical: yankele.eu.\n" rule="Host(`portainer.yankele.eu`)" providerName=production.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=portainer@docker
time="2024-05-15T08:36:48-04:00" level=error msg="Unable to obtain ACME certificate for domains \"www.yankele.eu\": unable to generate a certificate for the domains [www.yankele.eu]: error: one or more domains had a problem:\n[www.yankele.eu] [www.yankele.eu] acme: error presenting token: godaddy: failed to get TXT records: unexpected status code: [status code: 403] body: {\"code\":\"ACCESS_DENIED\",\"message\":\"Authenticated user is not allowed access\"}\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" rule="Host(`www.yankele.eu`)" routerName=yankele_eu@docker providerName=production.acme

The API key name and secret are correct.

Still having the issue.

I wonder, is it possible that GoDaddy is the reason for the errors? It is not listed as a Let's Encrypt compatible provider - although it IS an option in the Traefik documentation...

If you have fewer than 50 (sub-)domains and need no wildcard, you could just use tlsChallenge, which is easier to use.

Yes, I just found out that GoDaddy has recently restricted API access to people who have more than 50 domains:

https://www.reddit.com/r/godaddy/comments/1chs1j8/godaddy_access_denied_via_apicall/

Thanks for the suggestions, I'll do it that way until I can move this domain from GoDaddy!
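
The switch to tlsChallenge suggested above, shown on the `production` resolver from the posted traefik.yml. This is an added example, not part of the original thread. It assumes port 443 on the Traefik host is reachable from the internet and that no wildcard certificate is needed.

```yaml
# traefik.yml (static configuration), production resolver only
certificatesResolvers:
  production:
    acme:
      email: letsencrypt@viktak.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"

      # Before: DNS-01 through the GoDaddy API. Every TXT record call is
      # answered with 403 ACCESS_DENIED once the account loses API access.
      # dnsChallenge:
      #   provider: godaddy
      #   resolvers:
      #     - "1.1.1.1:53"
      #     - "1.0.0.1:53"

      # After: TLS-ALPN-01, answered by Traefik itself on the websecure
      # entry point (:443). No DNS provider credentials are involved.
      tlsChallenge: {}

# Consequences for the rest of the posted configuration:
#  - Each host name in a Host(...) rule must resolve to this server before
#    the certificate is requested (the CNAME records created above cover this).
#  - Wildcard names such as "*.yankele.eu" in the commented-out
#    catchAllRouter cannot be issued this way; wildcards require DNS-01.
#  - The GODADDY_* variables in docker-compose.yaml are no longer read and can
#    be removed, so the API key and secret no longer sit in the container
#    environment.
```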