Unable to generate certificates // ns1

We are about to migrate to traefik as reverse proxy but are having issues with a bare-minimum test instance when setting up the cert resolver.
When trying to issue a certificate with the lego CLI everything works as expected, but traefik is unable to generate a certificate, throwing an error that the zone couldn't be found / it is unable to present the token.
We are using an alias challenge domain, so the original _acme-challenge.host.domain.com is pointing to host.acmesh.domain.com via CNAME. But this is properly resolved, so it doesn't seem to be the root cause.

TRAEFIK CONFIG

version: '3'

services:
  reverse-proxy:
    image: traefik:latest
    env_file: ".env"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=ns1"
      - "--certificatesresolvers.letsencrypt.acme.email=foo@xxx.de"
      - "--certificatesresolvers.letsencrypt.acme.storage=/tls/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./tls:/tls/

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`test.zit.xxx.de`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"

TRAEFIK LOG

reverse-proxy-1  | 2025-03-11T14:08:40Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:633 >
reverse-proxy-1  | Stats collection is disabled.
reverse-proxy-1  | Help us improve Traefik by turning this feature on :)
reverse-proxy-1  | More details on: https://doc.traefik.io/traefik/contributing/data-collection/
reverse-proxy-1  |
reverse-proxy-1  | 2025-03-11T14:08:40Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator *aggregator.ProviderAggregator
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=web
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=websecure
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=traefik
reverse-proxy-1  | 2025-03-11T14:08:40Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
reverse-proxy-1  | 2025-03-11T14:08:40Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
reverse-proxy-1  | 2025-03-11T14:08:40Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *docker.Provider
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *docker.Provider provider configuration config={"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","watch":true}
reverse-proxy-1  | 2025-03-11T14:08:40Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"letsencrypt","TLSChallengeProvider":{},"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"dnsChallenge":{"provider":"ns1"},"email":"edv-netz@xxx.de","keyType":"RSA4096","storage":"/tls/acme.json","store":{}}
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:232 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
reverse-proxy-1  | 2025-03-11T14:08:40Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:884 > Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"dashboard_redirect":{"redirectRegex":{"permanent":true,"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/"}},"dashboard_stripprefix":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]}},"redirect-web-to-websecure":{"redirectScheme":{"permanent":true,"port":"443","scheme":"https"}}},"routers":{"api":{"entryPoints":["traefik"],"priority":9223372036854775806,"rule":"PathPrefix(`/api`)","ruleSyntax":"v3","service":"api@internal"},"dashboard":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"priority":9223372036854775805,"rule":"PathPrefix(`/`)","ruleSyntax":"v3","service":"dashboard@internal"},"web-to-websecure":{"entryPoints":["web"],"middlewares":["redirect-web-to-websecure"],"priority":9223372036854775806,"rule":"HostRegexp(`^.+$`)","ruleSyntax":"v3","service":"noop@internal"}},"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"api":{},"dashboard":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=letsencrypt.acme
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:90 > Provider connection established with docker 27.5.1 (API 1.47) providerName=docker
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
reverse-proxy-1  | 2025-03-11T14:08:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=reverse-proxy-traefik-99869089d7b5a36e67d5baa4e56b639f16d80657c8865065a01523a60f442db3 providerName=docker
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"routers":{"whoami":{"entryPoints":["websecure"],"rule":"Host(`test.zit.xxx.de`)","service":"whoami-traefik","tls":{"certResolver":"letsencrypt"}}},"services":{"whoami-traefik":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.18.0.2:80"}]}}}},"tcp":{},"tls":{},"udp":{}} providerName=docker
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:312 > Creating load-balancer entryPointName=websecure routerName=whoami@docker serviceName=whoami-traefik@docker
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:344 > Creating server URL=http://172.18.0.2:80 entryPointName=websecure routerName=whoami@docker serverIndex=0 serviceName=whoami-traefik@docker
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for test.zit.xxx.de with TLS options default entryPointName=websecure
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:470 > Trying to challenge certificate for domain [test.zit.xxx.de] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme routerName=whoami@docker rule=Host(`test.zit.xxx.de`)
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:940 > Looking for provided certificate(s) to validate ["test.zit.xxx.de"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme routerName=whoami@docker rule=Host(`test.zit.xxx.de`)
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:986 > Domains need ACME certificates generation for domains "test.zit.xxx.de". ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["test.zit.xxx.de"] providerName=letsencrypt.acme routerName=whoami@docker rule=Host(`test.zit.xxx.de`)
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:706 > Loading ACME certificates [test.zit.xxx.de]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme routerName=whoami@docker rule=Host(`test.zit.xxx.de`)
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:270 > Building ACME client... providerName=letsencrypt.acme
reverse-proxy-1  | 2025-03-11T14:08:43Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:276 > https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
reverse-proxy-1  | 2025-03-11T14:08:44Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:317 > Using DNS Challenge provider: ns1 providerName=letsencrypt.acme
reverse-proxy-1  | 2025-03-11T14:08:44Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [test.zit.xxx.de] acme: Obtaining bundled SAN certificate lib=lego
reverse-proxy-1  | 2025-03-11T14:08:45Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [test.zit.xxx.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/2275235376/488154226276 lib=lego
reverse-proxy-1  | 2025-03-11T14:08:45Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [test.zit.xxx.de] acme: Could not find solver for: tls-alpn-01 lib=lego
reverse-proxy-1  | 2025-03-11T14:08:45Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [test.zit.xxx.de] acme: Could not find solver for: http-01 lib=lego
reverse-proxy-1  | 2025-03-11T14:08:45Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [test.zit.xxx.de] acme: use dns-01 solver lib=lego
reverse-proxy-1  | 2025-03-11T14:08:45Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [test.zit.xxx.de] acme: Preparing to solve DNS-01 lib=lego
reverse-proxy-1  | 2025-03-11T14:08:45Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Found CNAME entry for "_acme-challenge.test.zit.xxx.de.": "test.acmesh.xxx.de." lib=lego
reverse-proxy-1  | 2025-03-11T14:08:53Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [test.zit.xxx.de] acme: Cleaning DNS-01 challenge lib=lego
reverse-proxy-1  | 2025-03-11T14:08:53Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Found CNAME entry for "_acme-challenge.test.zit.xxx.de.": "test.acmesh.xxx.de." lib=lego
reverse-proxy-1  | 2025-03-11T14:09:01Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [WARN] [test.zit.xxx.de] acme: cleaning up failed: ns1: could not find zone: [fqdn=test.acmesh.xxx.de.] unexpected response for 'test.acmesh.xxx.de.' [question='test.acmesh.xxx.de. IN  SOA', code=SERVFAIL]  lib=lego
reverse-proxy-1  | 2025-03-11T14:09:01Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/2275235376/488154226276 lib=lego
reverse-proxy-1  | 2025-03-11T14:09:01Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:482 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [test.zit.xxx.de]: error: one or more domains had a problem:\n[test.zit.xxx.de] [test.zit.xxx.de] acme: error presenting token: ns1: could not find zone: [fqdn=test.acmesh.xxx.de.] unexpected response for 'test.acmesh.xxx.de.' [question='test.acmesh.xxx.de. IN  SOA', code=SERVFAIL]\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["test.zit.xxx.de"] providerName=letsencrypt.acme routerName=whoami@docker rule=Host(`test.zit.xxx.de`)

LEGO

user:~$ lego --email "foo@xxx.de" -dns ns1 -d 'test.zit.xxx.de' run
2025/03/11 15:11:30 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
Do you accept the TOS? Y/n

2025/03/11 15:11:32 [INFO] acme: Registering account for foo@xxx.de
!!!! HEADS UP !!!!

Your account credentials have been saved in your
configuration directory at "/Users/user/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from the ACME server so making regular
backups of this folder is ideal.
2025/03/11 15:11:33 [INFO] [test.zit.xxx.de] acme: Obtaining bundled SAN certificate
2025/03/11 15:11:33 [INFO] [test.zit.xxx.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/2275427256/488155198026
2025/03/11 15:11:33 [INFO] [test.zit.xxx.de] acme: Could not find solver for: tls-alpn-01
2025/03/11 15:11:33 [INFO] [test.zit.xxx.de] acme: Could not find solver for: http-01
2025/03/11 15:11:33 [INFO] [test.zit.xxx.de] acme: use dns-01 solver
2025/03/11 15:11:33 [INFO] [test.zit.xxx.de] acme: Preparing to solve DNS-01
2025/03/11 15:11:33 [INFO] Found CNAME entry for "_acme-challenge.test.zit.xxx.de.": "test.acmesh.xxx.de."
2025/03/11 15:11:34 [INFO] Create a new record for [zone: acmesh.xxx.de, fqdn: test.acmesh.xxx.de., domain: test.zit.xxx.de]
2025/03/11 15:11:34 [INFO] [test.zit.xxx.de] acme: Trying to solve DNS-01
2025/03/11 15:11:34 [INFO] Found CNAME entry for "_acme-challenge.test.zit.xxx.de.": "test.acmesh.xxx.de."
2025/03/11 15:11:34 [INFO] [test.zit.xxx.de] acme: Checking DNS record propagation. [nameservers=8.8.8.8:53,9.9.9.9:53]
2025/03/11 15:11:36 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/03/11 15:11:42 [INFO] [test.zit.xxx.de] The server validated our request
2025/03/11 15:11:42 [INFO] [test.zit.xxx.de] acme: Cleaning DNS-01 challenge
2025/03/11 15:11:42 [INFO] Found CNAME entry for "_acme-challenge.test.zit.xxx.de.": "test.acmesh.xxx.de."
2025/03/11 15:11:42 [INFO] [test.zit.xxx.de] acme: Validations succeeded; requesting certificates
2025/03/11 15:11:45 [INFO] [test.zit.xxx.de] Server responded with a certificate.

Traefik LetsEncrypt has a special switch for CNAME (doc), try turning it on or off.

CNAME are supported (and sometimes even encouraged), but there are a few cases where they can be problematic.

If needed, CNAME support can be disabled with the following environment variable:

LEGO_DISABLE_CNAME_SUPPORT=true

Thanks for the recommendation, but this didn't help, which isn't too surprising as we are using CNAME.

However, I've been able to solve the issue by explicitly configuring a DNS resolver for the dnschallenge via

      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"

I don't fully understand why this is necessary. DNS was my first thought, but when I realized traefik is able to resolve the CNAME, I discarded that path.
Maybe someone has a good explanation why the CNAME lookup succeeds and the SOA lookup on the acme-challenge domain fails?
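The CNAME lookup and the zone lookup are different operations: following the alias is an ordinary recursive query, whereas finding the zone that must hold the TXT record asks for SOA at test.acmesh.xxx.de. and then at each parent label, and any reply other than NOERROR or NXDOMAIN (so a SERVFAIL) aborts that walk, which is exactly the shape of the error in the Traefik log. The Go program below is an added model of that walk, not Traefik's or lego's own code. Resolver, PublicResolver and BrokenResolver are constructed answer tables that reproduce the two outcomes seen in the logs; why the container's default resolver returned SERVFAIL is not something the model claims to know.

```go
package main

import (
	"fmt"
	"strings"
)

const NoError, ServFail, NXDomain = "NOERROR", "SERVFAIL", "NXDOMAIN" // rcodes the walk distinguishes
// SOAReply is a resolver's answer to "<name> IN SOA"; Zone is the SOA owner name when
// the answer carries an SOA record and "" otherwise (NODATA: the name exists but is no apex).
type SOAReply struct {
	Rcode string
	Zone  string
}

// Resolver is a constructed stand-in for a nameserver so the example runs offline;
// unknown SOA questions get NXDOMAIN.
type Resolver struct {
	CNAMEs map[string]string
	SOAs   map[string]SOAReply
}

func (r Resolver) CNAME(n string) (string, bool) { v, ok := r.CNAMEs[n]; return v, ok }
func (r Resolver) SOA(n string) SOAReply {
	if v, ok := r.SOAs[n]; ok {
		return v
	}
	return SOAReply{Rcode: NXDomain}
}

// ChallengeFqdn builds _acme-challenge.<domain>. and follows CNAME aliases:
// the "Found CNAME entry" step that succeeds in both logs on the page.
func ChallengeFqdn(domain string, r Resolver) string {
	name := "_acme-challenge." + strings.TrimSuffix(domain, ".") + "."
	for hops := 0; hops < 8; hops++ { // bounded so an alias loop cannot spin
		target, ok := r.CNAME(name)
		if !ok {
			break
		}
		name = strings.TrimSuffix(target, ".") + "."
	}
	return name
}

// FindZoneByFqdn climbs the name one label at a time asking for SOA. NOERROR
// without an SOA and NXDOMAIN mean "keep climbing"; any other rcode (SERVFAIL
// included) aborts the walk, which is the shape of the error in the Traefik log.
func FindZoneByFqdn(fqdn string, r Resolver) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		name := strings.Join(labels[i:], ".") + "."
		switch reply := r.SOA(name); reply.Rcode {
		case NoError:
			if reply.Zone != "" {
				return reply.Zone, nil
			}
		case NXDomain: // keep climbing
		default:
			return "", fmt.Errorf("could not find zone: unexpected response for %q [question='%s IN SOA', code=%s]", name, name, reply.Rcode)
		}
	}
	return "", fmt.Errorf("could not find the start of authority for %q", fqdn)
}

// Names are the page's redacted ones; answers are constructed, not captured from real DNS.
var alias = map[string]string{"_acme-challenge.test.zit.xxx.de.": "test.acmesh.xxx.de."}
// PublicResolver models the explicit 1.1.1.1/8.8.8.8 resolvers from the fix.
var PublicResolver = Resolver{CNAMEs: alias, SOAs: map[string]SOAReply{
	"test.acmesh.xxx.de.": {Rcode: NoError},                        // exists, no SOA: not an apex
	"acmesh.xxx.de.":      {Rcode: NoError, Zone: "acmesh.xxx.de."}, // the zone lego reported
}}

// BrokenResolver answers the CNAME but SERVFAILs the SOA question, as in the Traefik log.
var BrokenResolver = Resolver{CNAMEs: alias, SOAs: map[string]SOAReply{"test.acmesh.xxx.de.": {Rcode: ServFail}}}
```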
