Suddenly experiencing Error 400: Invalid Domain errors with LE Certs

I was working on configuring new services, when I noticed that Traefik was unable to get new certificates using the automated ACME method. This has worked fine before with my services, but I'm afraid it's something I've changed. Here's an excerpt of an attempted request:

time="2022-11-03T15:22:31-07:00" level=debug msg="Looking for provided certificate(s) to validate [\"jellyfin.local.mydomain.net\"]..." rule="Host(`jellyfin.local.mydomain.net`)" providerName=porkbun.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=websecure-jellyfin@docker
time="2022-11-03T15:22:31-07:00" level=debug msg="Domains [\"jellyfin.local.mydomain.net\"] need ACME certificates generation for domains \"jellyfin.local.mydomain.net\"." routerName=websecure-jellyfin@docker rule="Host(`jellyfin.local.mydomain.net`)" providerName=porkbun.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2022-11-03T15:22:31-07:00" level=debug msg="Loading ACME certificates [jellyfin.local.mydomain.net]..." routerName=websecure-jellyfin@docker rule="Host(`jellyfin.local.mydomain.net`)" providerName=porkbun.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2022-11-03T15:22:31-07:00" level=debug msg="legolog: [INFO] [jellyfin.local.mydomain.net] acme: Obtaining bundled SAN certificate"
time="2022-11-03T15:22:31-07:00" level=debug msg="Looking for provided certificate(s) to validate [\"jellyfin.local.mydomain.net\"]..." routerName=jellyfin@docker rule="Host(`jellyfin.local.mydomain.net`)" providerName=porkbun.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2022-11-03T15:22:31-07:00" level=debug msg="No ACME certificate generation required for domains [\"jellyfin.local.mydomain.net\"]." rule="Host(`jellyfin.local.mydomain.net`)" providerName=porkbun.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=jellyfin@docker
time="2022-11-03T15:22:32-07:00" level=debug msg="legolog: [INFO] [jellyfin.local.mydomain.net] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/4200530484"
time="2022-11-03T15:22:32-07:00" level=debug msg="legolog: [INFO] [jellyfin.local.mydomain.net] acme: Could not find solver for: tls-alpn-01"
time="2022-11-03T15:22:32-07:00" level=debug msg="legolog: [INFO] [jellyfin.local.mydomain.net] acme: Could not find solver for: http-01"
time="2022-11-03T15:22:32-07:00" level=debug msg="legolog: [INFO] [jellyfin.local.mydomain.net] acme: use dns-01 solver"
time="2022-11-03T15:22:32-07:00" level=debug msg="legolog: [INFO] [jellyfin.local.mydomain.net] acme: Preparing to solve DNS-01"
time="2022-11-03T15:22:40-07:00" level=debug msg="legolog: [INFO] [jellyfin.local.mydomain.net] acme: Cleaning DNS-01 challenge"
time="2022-11-03T15:22:48-07:00" level=debug msg="legolog: [WARN] [jellyfin.local.mydomain.net] acme: cleaning up failed: porkbun: unknown record ID for 'pixie.porkbun.com.' 'R1HgjR2sL9tFcQR0HRB0Pu6w4O6kwGtEymtAxtb3850' "
time="2022-11-03T15:22:49-07:00" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/4200530484"
time="2022-11-03T15:22:49-07:00" level=error msg="Unable to obtain ACME certificate for domains \"jellyfin.local.mydomain.net\": unable to generate a certificate for the domains [jellyfin.local.mydomain.net]: error: one or more domains had a problem: [jellyfin.local.mydomain.net] [jellyfin.local.mydomain.net] acme: error presenting token: porkbun: failed to create record: 400: {\"status\":\"ERROR\",\"message\":\"Invalid domain.\"}\n" routerName=websecure-jellyfin@docker rule="Host(`jellyfin.local.mydomain.net`)" providerName=porkbun.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"

The error seems to indicate something is wrong with the domain I'm requesting, but the format hasn't changed since the other services which have successfully acquired their own certs.

My relevant static config is as follows:

################################################################
# LetsEncrypt config
################################################################
certificatesResolvers:
  porkbun:
    acme:
      email: [my email]
      storage: /etc/traefik/acme.json
      # Use staging caServer for now to not get limited (comment out when in production)
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      
      dnsChallenge:
        provider: porkbun

API keys are defined in Traefik's environment vars.

I'm currently in contact with PorkBun's support in case it's something on their end, but can anyone see if anything might be wrong with me?

Update: PorkBun's support just got back to me, they were unable to replicate the problem. They'd like to see the full payload Traefik sends to the API to make a request, is there any way I can see this?

Ok, just came to a solution on this one thanks to a dev at lego.

In version 2.9.4, Traefik upgraded the lego library, which in turn introduced a new feature where it strictly follows CNAME records now. If your host has a wildcard CNAME redirecting to a domain, or you don't have your service names published on your DNS host, then lego will fail to renew the certificate. I opted to remove the wildcard CNAME, so things are working fine now. An alternative according to the dev is using the LEGO_DISABLE_CNAME_SUPPORT=true environment variable to disable CNAME support entirely.

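To make the CNAME-following behaviour from the solution above concrete, here is an added example (not Traefik's, lego's or Porkbun's code) that models the DNS-01 step where lego decides which name the _acme-challenge TXT record must be written to. It uses a constructed in-memory zone for mydomain.net with the wildcard CNAME the thread describes; the CNAME target "homelab.example.org", the IP addresses and the MANAGED_ZONES list are all made-up placeholders. The resolver applies the wildcard rule a real nameserver uses (a wildcard only matches below the closest existing ancestor), which is why publishing the service name explicitly also sidesteps the problem, and follow_cname=False mimics LEGO_DISABLE_CNAME_SUPPORT=true.

```python
"""Model of where a DNS-01 TXT record lands once CNAMEs are followed.

Constructed example, not lego's or Traefik's code. It shows why a wildcard
CNAME can send the _acme-challenge record to a name the DNS provider
account does not manage, which the provider then rejects.
"""

MAX_CNAME_DEPTH = 10  # constructed guard against CNAME loops

# Constructed zone data. The wildcard CNAME is the setup the thread
# describes; "homelab.example.org" is a placeholder target.
ZONE = {
    "mydomain.net": {"A": "192.0.2.10"},
    "local.mydomain.net": {"A": "192.0.2.20"},
    "*.local.mydomain.net": {"CNAME": "homelab.example.org"},
}

# Zones the DNS provider account is allowed to write records into (assumed).
MANAGED_ZONES = ["mydomain.net"]


def lookup(zone, name):
    """Return the record set for name, honouring exact matches first and then
    wildcards with the closest-encloser rule: *.X only matches when no name
    between X and the queried name exists explicitly."""
    name = name.rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        wildcard = "*." + ancestor
        if ancestor in zone:
            # An explicit ancestor ends the search; only its own wildcard applies.
            return zone.get(wildcard)
        if wildcard in zone:
            return zone[wildcard]
    return None


def challenge_fqdn(domain, zone, follow_cname=True):
    """Name where the _acme-challenge TXT record will be created.

    With follow_cname=True the CNAME chain is followed the way lego does
    since the upgrade; follow_cname=False models LEGO_DISABLE_CNAME_SUPPORT=true.
    """
    fqdn = f"_acme-challenge.{domain}"
    if not follow_cname:
        return fqdn
    for _ in range(MAX_CNAME_DEPTH):
        rr = lookup(zone, fqdn)
        if not rr or "CNAME" not in rr:
            return fqdn
        fqdn = rr["CNAME"].rstrip(".")
    raise RuntimeError(
        f"CNAME chain from _acme-challenge.{domain} exceeds {MAX_CNAME_DEPTH} hops"
    )


def managing_zone(fqdn, managed_zones):
    """Longest managed zone that contains fqdn, or None if nobody manages it."""
    best = None
    for z in managed_zones:
        if fqdn == z or fqdn.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def diagnose(domain, zone, managed_zones, follow_cname=True):
    """(target name for the TXT record, managed zone it falls in or None)."""
    fqdn = challenge_fqdn(domain, zone, follow_cname)
    return fqdn, managing_zone(fqdn, managed_zones)


if __name__ == "__main__":
    published = dict(ZONE)
    published["jellyfin.local.mydomain.net"] = {"A": "192.0.2.30"}
    scenarios = [
        ("wildcard CNAME, CNAME following on", ZONE, True),
        ("wildcard CNAME, LEGO_DISABLE_CNAME_SUPPORT=true", ZONE, False),
        ("service name published explicitly", published, True),
    ]
    for label, z, follow in scenarios:
        fqdn, owner = diagnose("jellyfin.local.mydomain.net", z, MANAGED_ZONES, follow)
        verdict = (
            f"TXT record goes into managed zone {owner}"
            if owner
            else "TXT target is outside every managed zone, provider will reject it"
        )
        print(f"{label}: {fqdn}: {verdict}")
```

Against a live zone the equivalent check is simply "dig +short CNAME _acme-challenge.jellyfin.local.mydomain.net": if that returns a name outside the zone your DNS provider account manages, the DNS-01 record will be attempted under that name and fail exactly as in the log excerpt above.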
