I am having an issue with Traefik and the Hetzner DNS challenge for ACME certificates, and I would appreciate some clarification or guidance.
I have updated Traefik to the latest version (v3.6.6), which according to the documentation should support the new Hetzner DNS API (not the legacy one) for DNS-based certificate validation.
However, when Traefik tries to obtain a certificate via Let’s Encrypt using the DNS challenge, I receive the following error:
ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [*******]:
error: one or more domains had a problem:
[*******] acme: error presenting token:
hetzner (legacy): unexpected status code: [status code: 401]
body: {"message":"Invalid authentication credentials"}"
What confuses me is that the error message explicitly mentions hetzner (legacy), which suggests that Traefik is still using the legacy Hetzner API, even though I am running a Traefik version that should use the new API.
Important details:
The Hetzner API token is correct and valid
The same token has been tested successfully from another external service (outside Traefik)
The token has DNS write permissions
My intention is to use only the new Hetzner DNS API, not the legacy one
My questions are:
Under what conditions does Traefik still fall back to the legacy Hetzner API?
Is there a specific configuration flag or environment variable required to force the new Hetzner API?
Could this be a bug, a documentation gap, or a backward-compatibility behavior in Traefik 3.6.6?
Any insight into why Traefik is still using the legacy Hetzner provider — despite being on a version that supposedly supports the new API — would be greatly appreciated.
The latest version (4.31.0) works. In fact, it is the tool I mentioned that I tested outside of Traefik.
According to the go-acme changelog, they added the new API in version 4.27.0, and Traefik 3.6.6 uses version 4.30.1. Traefik is only one version behind go-acme, and the changelog does not indicate that any relevant changes have been made regarding the Hetzner API.
We will wait for Traefik to update to the very latest version of go-acme, but honestly, it seems strange to me. Thanks.
ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [whoami.example.de]: error: one or more domains had a problem:\n[whoami.example.de] [whoami.example.de] acme: error presenting token: hetzner: could not find zone for domain \"whoami.example.de\": [fqdn=_acme-challenge.whoami.example.de.] could not find the start of authority for '_acme-challenge.whoami.example.de.' [question='de. IN SOA', code=NXDOMAIN]\n"
Yes, it worked with the legacy API, but I migrated my domains to the new API because Hetzner is going to completely disable the legacy one in a few months.
It’s curious that it works for you, because I have the same configuration as you, but in my logs—as you can see—the “(legacy)” part appears in parentheses. I don’t know what specific difference there might be in my setup that’s causing this to happen.
I’ve updated it, although I already found what my problem was. I was using HETZNER_API_KEY instead of HETZNER_API_TOKEN. I checked it several times and still didn’t notice the mistake.
Therefore, everything is clear now and the issue is resolved.
Thank you very much.
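A preflight check for the mistake found at the end of this thread, as an added example that is not code from Traefik, go-acme/lego or Hetzner. It assumes, as the thread's resolution indicates, that HETZNER_API_TOKEN selects the new Hetzner DNS API and HETZNER_API_KEY the legacy one (the provider that logs itself as "hetzner (legacy)"); the functions parse_env_file, hetzner_preflight and mask, and the sample .env line, are constructed here and are not part of any project.

```python
"""Preflight lint for Hetzner DNS-01 credentials in a Traefik / lego environment.

Added example, not code from Traefik, go-acme/lego or Hetzner.
Assumption (from this thread's resolution): lego's hetzner provider reads
HETZNER_API_TOKEN for the new Hetzner DNS API and HETZNER_API_KEY for the
legacy API, so a deployment that sets only HETZNER_API_KEY ends up on the
provider that logs itself as "hetzner (legacy)".
"""
from __future__ import annotations

from dataclasses import dataclass, field

NEW_API_VAR = "HETZNER_API_TOKEN"    # new Hetzner DNS API (assumed, see docstring)
LEGACY_API_VAR = "HETZNER_API_KEY"   # legacy Hetzner DNS API (assumed)


@dataclass
class PreflightResult:
    provider: str                    # "new", "legacy" or "none"
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.provider == "new" and not self.problems


def mask(secret: str) -> str:
    """Keep only the last four characters so a report never echoes a full token."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return "*" * (len(secret) - 4) + secret[-4:]


def parse_env_file(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines in the style of a docker compose .env file.

    Values are kept verbatim (quotes and spaces included) on purpose: that is
    what the container receives, and it is where subtle mistakes hide.
    """
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        env[name.strip()] = value
    return env


def hetzner_preflight(env: dict[str, str]) -> PreflightResult:
    """Report which Hetzner API lego would pick and anything that would make it fail."""
    token = env.get(NEW_API_VAR)
    key = env.get(LEGACY_API_VAR)
    problems: list[str] = []

    if token is not None:
        provider = "new"
        if key is not None:
            problems.append(f"both {NEW_API_VAR} and {LEGACY_API_VAR} are set; remove {LEGACY_API_VAR}")
    elif key is not None:
        provider = "legacy"
        problems.append(f"only {LEGACY_API_VAR} is set, so the legacy API is selected "
                        f"(the log shows 'hetzner (legacy)'); rename it to {NEW_API_VAR}")
    else:
        provider = "none"
        problems.append(f"neither {NEW_API_VAR} nor {LEGACY_API_VAR} is set")

    # Value hygiene: an empty token, or one wrapped in quotes/whitespace copied from
    # a shell snippet, is sent to Hetzner verbatim and will not authenticate.
    for name in (NEW_API_VAR, LEGACY_API_VAR):
        value = env.get(name)
        if value is None:
            continue
        if value.strip() == "":
            problems.append(f"{name} is empty")
        elif value != value.strip() or value[0] in "\"'" or value[-1] in "\"'":
            problems.append(f"{name} ({mask(value)}) carries surrounding quotes or whitespace")

    # Near-miss names such as HETZNER_TOKEN are ignored by the provider and fail silently.
    for name in env:
        if name.startswith("HETZNER_") and name not in (NEW_API_VAR, LEGACY_API_VAR):
            problems.append(f"{name} is not a Hetzner credential variable; check it against the provider docs")

    return PreflightResult(provider, problems)


if __name__ == "__main__":
    # Constructed .env fragment reproducing the thread's mistake (fake token value).
    sample = "HETZNER_API_KEY=hetznerTOKENexample1234\n"
    result = hetzner_preflight(parse_env_file(sample))
    print(result.provider, result.problems)
```

Run it against the .env file (or the environment block) that Traefik is started with before restarting the container; the report names the selected API and masks token values so it is safe to paste into a ticket.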