Traefik fails to generate valid Let's Encrypt certificate

(The original post I made got moderated by a bot; I am not sure if that was intentional or a mistake, so I am trying again just in case.)
Hello,

I have a rocketchat container running on docker with portainer and I wanted to add https to it so I could use the mobile app and notifications.

I have followed the instructions on how to set up traefik in the rocketchat documentation, and traefik is working fine; however, when it goes to generate a certificate, this error shows up:

level=error msg="Unable to obtain ACME certificate for domains \"*****.*****.com\": unable to generate a certificate for the domains [*****.*****.com]: error: one or more domains had a problem:\n[*****.*****.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: no valid A records found for *****.*****.com; no valid AAAA records found for *****.*****.com\n" rule="Host(`*****.*****.com`)" routerName=rocketchat@docker providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"

It is still possible to access the domain, however it deems the certificate as NET::ERR_CERT_AUTHORITY_INVALID and it's named "TRAEFIK DEFAULT CERT".

I have looked around for solutions and haven't been able to find anything that would fix the issue. All my A and AAAA records seem to be fine, and so does the configuration.

Does anyone have an idea on what could be causing this?

My docker-compose.yml:

services:
  rocketchat:
    image: registry.rocket.chat/rocketchat/rocket.chat:${RELEASE:-latest}
    restart: always
    labels:
      traefik.enable: "true"
      traefik.http.routers.rocketchat.rule: Host(`${DOMAIN:-}`)
      traefik.http.routers.rocketchat.tls: "true"
      traefik.http.routers.rocketchat.entrypoints: https
      traefik.http.routers.rocketchat.tls.certresolver: le
    environment:
      MONGO_URL: "${MONGO_URL:-\
        mongodb://${MONGODB_ADVERTISED_HOSTNAME:-mongodb}:${MONGODB_INITIAL_PRIMARY_PORT_NUMBER:-27017}/\
        ${MONGODB_DATABASE:-rocketchat}?replicaSet=${MONGODB_REPLICA_SET_NAME:-rs0}}"
      MONGO_OPLOG_URL: "${MONGO_OPLOG_URL:\
        -mongodb://${MONGODB_ADVERTISED_HOSTNAME:-mongodb}:${MONGODB_INITIAL_PRIMARY_PORT_NUMBER:-27017}/\
        local?replicaSet=${MONGODB_REPLICA_SET_NAME:-rs0}}"
      ROOT_URL: ${ROOT_URL:-http://localhost:${HOST_PORT:-3000}}
      PORT: ${PORT:-3000}
      DEPLOY_METHOD: docker
      DEPLOY_PLATFORM: ${DEPLOY_PLATFORM:-}
      REG_TOKEN: ${REG_TOKEN:-}
    depends_on:
      - mongodb
    expose:
      - ${PORT:-3000}
    ports:
      - "${BIND_IP:-0.0.0.0}:${HOST_PORT:-3000}:${PORT:-3000}"

  traefik:
    image: docker.io/traefik:${TRAEFIK_RELEASE:-v2.10.7}
    restart: always
    command:
     - --log.level=DEBUG
     - --api.insecure=true
     - --providers.docker=true
     - --providers.docker.exposedbydefault=false
     - --entrypoints.web.address=:80
     - --entrypoints.web.http.redirections.entryPoint.to=https
     - --entrypoints.web.http.redirections.entryPoint.scheme=https
     - --entrypoints.https.address=:443
     - --certificatesresolvers.le.acme.tlschallenge=true
     - --certificatesresolvers.le.acme.email=${LETSENCRYPT_EMAIL?need email for cert expiry notifications}
     - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - traefik:/letsencrypt:rw
      - /run/docker.sock:/var/run/docker.sock:ro

Extended logs:

time="2024-02-12T06:29:45Z" level=debug msg="Trying to challenge certificate for domain [*****.*****.com] found in HostSNI rule" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=rocketchat@docker rule="Host(`*****.*****.com`)" providerName=le.acme
time="2024-02-12T06:29:45Z" level=debug msg="Looking for provided certificate(s) to validate [\"*****.*****.com\"]..." providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=rocketchat@docker rule="Host(`*****.*****.com`)"
time="2024-02-12T06:29:45Z" level=debug msg="No ACME certificate generation required for domains [\"*****.*****.com\"]." ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=rocketchat@docker rule="Host(`*****.*****.com`)" providerName=le.acme
time="2024-02-12T06:29:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/************"
time="2024-02-12T06:29:45Z" level=error msg="Unable to obtain ACME certificate for domains \"*****.*****.com\": unable to generate a certificate for the domains [*****.*****.com]: error: one or more domains had a problem:\n[*****.*****.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: no valid A records found for *****.*****.com; no valid AAAA records found for *****.*****.com\n" rule="Host(`*****.*****.com`)" routerName=rocketchat@docker providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"

Do your domains point to the Traefik server IP?

It seems one has a cert ("No ACME certificate generation required", one already there) and another one is failing. Too many stars :wink:

Compare to the simple Traefik example; I recommend assigning TLS centrally on the entrypoint.
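The question above (do the domains point at the Traefik server?) is exactly what the CA checked before answering with urn:ietf:params:acme:error:dns, and Let's Encrypt discards records that point at reserved addresses (private, loopback, documentation ranges) before it says "no valid A records found". The following is an added example, not code from the thread or from Traefik, that pulls that per-domain error out of the log line and repeats the check with the local resolver; it assumes the placeholder domain chat.example.com and a constructed public IP, and the resolver argument lets the lookup be stubbed.

```python
import re
import socket
from ipaddress import ip_address

# Constructed sample: the thread's error line with the redacted domain replaced
# by chat.example.com (an assumption; the real name is not on the page).
SAMPLE_LOG = (
    'time="2024-02-12T06:29:45Z" level=error msg="Unable to obtain ACME certificate '
    'for domains \\"chat.example.com\\": unable to generate a certificate for the '
    'domains [chat.example.com]: error: one or more domains had a problem:\\n'
    '[chat.example.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: '
    'no valid A records found for chat.example.com; no valid AAAA records found '
    'for chat.example.com\\n" rule="Host(`chat.example.com`)" providerName=le.acme'
)

# One per-domain problem inside msg="...": [domain] acme: error: <status> :: <type> :: <detail>
ACME_ERR = re.compile(
    r"\[([^\]]+)\] acme: error: (\d+) :: (urn:ietf:params:acme:error:\w+) :: ([^\\\"]+)"
)

def parse_acme_errors(line):
    """Return [(domain, status, error_type, detail), ...] found in one Traefik log line."""
    return [(d, int(s), t, m.strip()) for d, s, t, m in ACME_ERR.findall(line)]

def resolve(name, family):
    """Addresses the OS resolver returns for name (AF_INET -> A records, AF_INET6 -> AAAA)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, 443, family)})
    except socket.gaierror:
        return []

def check_dns_for_acme(domain, public_ip, resolver=resolve):
    """Apply the CA's notion of a valid record: it must exist and be globally routable
    (private, loopback and documentation ranges are discarded), and for the TLS-ALPN
    challenge one of them must be the public address Traefik listens on."""
    findings, usable = [], []
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        for rec in resolver(domain, family):
            if ip_address(rec).is_global:
                usable.append(rec)
            else:
                findings.append(f"{rtype} record {rec} is not globally routable; the CA ignores it")
    if not usable:
        findings.append(f"no valid A/AAAA records for {domain}: the CA cannot reach the challenge")
    elif public_ip not in usable:
        findings.append(f"{public_ip} is not among the usable records {usable}")
    return not findings, findings
```

Run `check_dns_for_acme("chat.example.com", "<your public IP>")` from any host; a LAN address such as 192.168.x.x in the A record reproduces the thread's error even though the record "exists".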

My domains point to the docker server running traefik and then I use Unifi's Dream Machine port forwarding to redirect it to the 3000 port. It's not a great solution but I haven't figured out how to correctly use a different address yet.

Stars are just the domain address redacted, as I'd like to keep it private. I don't think I'm blurring out too much vital information by doing that.

My question is rather: are more than one domain used, are the stars masking different sub-domains?

All starred domain strings are equal to the same one.

That does not make sense to me. Traefik usually does not load a valid certificate and then generate the same one again.

And this seems to be your problem:
no valid A records found

I'm not sure why this could be happening.

I have added an A record and an AAAA record of the domain, both leading to the same IP address.

However, now I do recall adding a Let's Encrypt certificate to the domain through my domain provider's console a while ago; is that something that could interfere with this?