Traefik use wrong zone for dns challenge

dkmatt0 · February 6, 2021, 12:31pm

Hello !

I have a domain domain.click, but traefik want to connect to the ovh api with partial zone click (API path: /domain/zone/click/record). If I replace domain.click by domain.com, it want to connect with the entire zone domain.com (API path: /domain/zone/domain.com/record).

Why traefik doesn't recognize domain.click but recognize domain.com ?
How can I fix that ? Please

Log (with domain.click):

time="2021-02-06T13:22:55+01:00" level=error msg="Unable to obtain ACME certificate for domains \"domain.click,*.domain.click\" : unable to generate a certificate for the domains [domain.click *.domain.click]: error: one or more domains had a problem:\n[*.domain.click] [*.domain.click] acme: error presenting token: ovh: error when call api to add record (/domain/zone/click/record): Error 404: \"This service does not exist\"\n[domain.click] [domain.click] acme: error presenting token: ovh: error when call api to add record (/domain/zone/click/record): Error 404: \"This service does not exist\"\n" providerName=letsencrypt.acme

Log (with domain.com):

time="2021-02-06T13:26:38+01:00" level=error msg="Unable to obtain ACME certificate for domains \"domain.com,*.domain.com\" : unable to generate a certificate for the domains [domain.com *.domain.com]: error: one or more domains had a problem:\n[*.domain.com] [*.domain.com] acme: error presenting token: ovh: error when call api to add record (/domain/zone/domain.com/record): Error 404: \"This service does not exist\"\n[domain.com] [domain.com] acme: error presenting token: ovh: error when call api to add record (/domain/zone/domain.com/record): Error 404: \"This service does not exist\"\n" providerName=letsencrypt.acme

traefik conf file:

log:
  level: DEBUG

api:
  insecure: true
  dashboard: true

providers:
  docker:
    exposedbydefault: false
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
   acme:
     email: mymail@something.com
     storage: /etc/traefik/acme.json
     dnsChallenge:
       provider: ovh
       delayBeforeCheck: 30
       resolvers:
         - 9.9.9.9:53
         - 8.8.8.8:53

docker compose file (deployed with ansible for lets encrypt variables):

version: "3.6"

services:
  traefik:
    container_name: traefik
    image: traefik:latest
    labels:
      traefik.enable: true

      traefik.http.routers.traefik-secure.entrypoints: websecure
      traefik.http.routers.traefik-secure.rule: Host(`traefik.domain.click`)
      traefik.http.routers.traefik-secure.tls: true
      traefik.http.routers.traefik-secure.tls.certresolver: letsencrypt
      traefik.http.routers.traefik-secure.tls.domains[0].main: "domain.click"
      traefik.http.routers.traefik-secure.tls.domains[0].sans: "*.domain.click"
      traefik.http.routers.traefik-secure.service: api@internal
    network_mode: bridge
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /data/traefik:/etc/traefik
    environment:
      TZ: Europe/Paris
      OVH_ENDPOINT: {{ letsencrypt.dns_ovh_endpoint }}
      OVH_APPLICATION_KEY: {{ letsencrypt.dns_ovh_application_key }}
      OVH_APPLICATION_SECRET: {{ letsencrypt.dns_ovh_application_secret }}
      OVH_CONSUMER_KEY: {{ letsencrypt.dns_ovh_consumer_key }}

Thank you !