I have several Traefik instances running independently on the same TLD. They are using Let's Encrypt via the httpreq mechanism, which connects to acmeproxy, which in turn uses its digitalocean provider.
There are now recurring errors during renewal ("No TXT record found at _acme-challenge.REDACTED\n") on at least one server, so I had a look.
Turns out there are hundreds of _acme-challenge TXT records on that domain. It seems they are not removed if outdated. Shouldn't Traefik do this regularly? Or is something else going wrong here?
I have seen this (often) if I cycle a copy of Traefik too quickly when it is trying to create Let's Encrypt certs and the process takes time. Traefik does not seem to retain any state information about how far it got during the last cert request attempt and so just tries again - the result is a lot of DNS records and, I guess, requests sent to Let's Encrypt.
My quick and dirty solution was to add a 5-minute delay to my deployment script that allows Traefik to start up and get the certs before I bring down the environment to complete other tasks.
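One way to audit the leftover records described in this thread, as an added example that is not from either poster or from Traefik or acmeproxy: it picks out only TXT records that look like real dns-01 challenge values and builds the DigitalOcean API delete URLs for review, without sending anything. The record fields follow the DigitalOcean API v2 `domain_records` listing; the function names, the domain `example.com` and all sample records are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# A dns-01 TXT value is the base64url SHA-256 digest of the key authorization:
# always 43 characters, no padding (RFC 8555, section 8.4).
DNS01_VALUE = re.compile(r"[A-Za-z0-9_-]{43}")

# Constructed sample shaped like the "domain_records" array returned by
# GET /v2/domains/<domain>/records; ids and values are made up.
SAMPLE = [
    {"id": 101, "type": "TXT", "name": "_acme-challenge.app", "data": "a" * 43},
    {"id": 102, "type": "TXT", "name": "_acme-challenge.app", "data": "b" * 43},
    {"id": 103, "type": "TXT", "name": "_acme-challenge.api", "data": "c" * 43},
    {"id": 104, "type": "TXT", "name": "@", "data": "v=spf1 -all"},
    {"id": 105, "type": "TXT", "name": "_acme-challenge.app", "data": "manual note"},
    {"id": 106, "type": "CNAME", "name": "_acme-challenge.legacy",
     "data": "validation.example.net."},
]

def is_challenge_record(rec):
    """True only for TXT records at an _acme-challenge label holding a digest."""
    name = rec.get("name", "")
    at_label = name == "_acme-challenge" or name.startswith("_acme-challenge.")
    # Defensive assumption: tolerate a value wrapped in double quotes.
    data = rec.get("data", "").strip('"')
    return (rec.get("type") == "TXT" and at_label
            and DNS01_VALUE.fullmatch(data) is not None)

def leftover_challenges(records, in_progress=()):
    """Group challenge record ids by name, skipping names still being issued."""
    groups = defaultdict(list)
    for rec in records:
        if is_challenge_record(rec) and rec["name"] not in in_progress:
            groups[rec["name"]].append(rec["id"])
    return {name: sorted(ids) for name, ids in groups.items()}

def delete_urls(domain, groups):
    """URLs to send DELETE to, one per leftover record (nothing is sent here)."""
    base = "https://api.digitalocean.com/v2/domains"
    return [f"{base}/{domain}/records/{rid}"
            for ids in groups.values() for rid in ids]

if __name__ == "__main__":
    found = leftover_challenges(SAMPLE)
    for name, ids in found.items():
        print(f"{name}: {len(ids)} leftover record(s) {ids}")
    for url in delete_urls("example.com", found):
        print("DELETE", url)
```

Run it only while no instance is mid-issuance, or pass the names currently being validated as `in_progress`, since deleting a live challenge record fails that validation.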