[solved] Problem specifying TSIG_ALGORITHM for dnsChallenge.provider=rfc2136 - bad key algorithm

Hi there,

In addition to our working httpChallenge setup with letsencrypt I am trying to get dnsChallenge working now. However, whatever I specify as TSIG_ALGORITHM triggers the following error:

level=error msg="Unable to obtain ACME certificate for domains \"example.com,*.example.com\":
unable to generate a certificate for the domains [*.example.com]: acme: Error -> One or more domains
had a problem:\n[*.example.com] [*.example.com acme: error presenting token: rfc2136: failed to insert:
DNS update failed: dns: bad key algorithm\n[example.com] [example.com] acme: error presenting token:
rfc2136: failed to insert: DNS update failed: dns: bad key algorithm\n" providerName=letsencrypt-
rfc2136.acme routerName=whoami@docker rule="Host(`example.com`, `*.example.com`)"

All tsig-related info is passed as environment variables via a docker-compose.yml file. I tried the following values for algorithm:

HMAC-MD5
HmacMD5
hmacmd5
HMAC_MD5
hmac-md5

but all I get is the error message stated above.
Grateful for any hints given :smile:

BTW: we use this mechanism on our own DNS-servers quite successfully by means of bind's nsupdate and some shell scripts.

Hoping for a sane default I removed the RFC2136_TSIG_ALGORITHM variable entirely and there we have a working dnsChallenge certificate resolver :smile: Maybe this is useful for someone in the future.

The allowable values for RFC2136_TSIG_ALGORITHM are given in tsig.go:

  • hmac-md5.sig-alg.reg.int.
  • hmac-sha1.
  • hmac-sha224.
  • hmac-sha256.
  • hmac-sha384.
  • hmac-sha512.

Note that they should be lowercase with a trailing dot.
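As an added illustration (not code from Traefik, lego or tsig.go), the following normaliser shows why every spelling tried in the original post fails a strict comparison against the tsig.go names, and what the accepted canonical form for each algorithm looks like; the function name and the error value are my own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadKeyAlgorithm mirrors the failure in the thread: the name given via
// RFC2136_TSIG_ALGORITHM did not match any of the tsig.go constants exactly.
var ErrBadKeyAlgorithm = errors.New("bad key algorithm")

// canonical maps a stripped short name ("sha256") to the exact string that
// tsig.go expects: lowercase, dot-terminated, and for MD5 the historical
// "hmac-md5.sig-alg.reg.int." name rather than plain "hmac-md5.".
var canonical = map[string]string{
	"md5":    "hmac-md5.sig-alg.reg.int.",
	"sha1":   "hmac-sha1.",
	"sha224": "hmac-sha224.",
	"sha256": "hmac-sha256.",
	"sha384": "hmac-sha384.",
	"sha512": "hmac-sha512.",
}

// CanonicalTSIGAlgorithm accepts the spellings people commonly try
// (HMAC-MD5, HmacMD5, hmac_sha256, hmac-sha256 without the trailing dot)
// and returns the canonical tsig.go form, or ErrBadKeyAlgorithm.
func CanonicalTSIGAlgorithm(name string) (string, error) {
	n := strings.ToLower(strings.TrimSpace(name))
	for _, c := range canonical { // already canonical: accept unchanged
		if n == c {
			return c, nil
		}
	}
	// Drop separators and the hmac prefix, then the MD5 legacy suffix.
	n = strings.NewReplacer("-", "", "_", "", ".", "").Replace(n)
	n = strings.TrimPrefix(n, "hmac")
	n = strings.TrimSuffix(n, "sigalgregint")
	if c, ok := canonical[n]; ok {
		return c, nil
	}
	return "", fmt.Errorf("%w: %q", ErrBadKeyAlgorithm, name)
}

func main() {
	// The five values tried in the original post, plus one unsupported name.
	for _, tried := range []string{"HMAC-MD5", "HmacMD5", "hmacmd5", "HMAC_MD5", "hmac-md5", "hmac-sha3"} {
		c, err := CanonicalTSIGAlgorithm(tried)
		fmt.Printf("%-10q -> %q %v\n", tried, c, err)
	}
}
```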

We generally use the nsupdate "dns api" provider when using acme.sh - I believe this is different with traefik, how can this be implemented?

Thanks!