Wildcard Letsencrypt certificate for subdomain doesn't works with Dynu (domain provider)

I was trying to get some Traefik Letsencrypt wildcard certificate for a subdomain of my domain (*.local.example.com), the certificates for previous level of the domain was working fine (example.com, local.example.com, *.example.com) but for *.local.example.com specifically I receive an error: [ | level=error msg="Unable to obtain ACME certificate for domains \"*.local.example.com\"" providerName=dynu.acme routerName=traefik-secure@docker rule="Host(traefik-dashboard.local.example.com)" error="unable to generate a certificate for the domains [*.local.example.com]: error: one or more domains had a problem:\n[*.local.example.com] propagation: time limit exceeded: last error: NS ns4.dynu.com. did not return the expected TXT record [fqdn: _acme-challenge.local.example.com., value: pq9bdnM5LL9Sv-K1XzPrwy-NqkTrcaK3mJq0HRLk29W]: \n" ACME CA="https://acme-v02.api.letsencrypt.org/directory"].
Because the exact same setup was working with Cloudflare, and the previous level of the domain works just fine, as well as the fact that the proper acme challenge DNS record were still being created for *.local.example.com, I conclude that the issue is probably because Dynu resolver can't return the proper DNS record for some reason, and in fact I have encountered this issue once before when I was using Nginx Proxy Manager, and the solution was to create a new third level domain (local.example.com) (this is Dynu specific), and to create the DNS record directly within the third level domain. However, Traefik works using the API and their doesn't seem to be a way to tell the docker compose file to create the DNS record in the third level domain instead of the top level one. May be there is a solution on the Traefik end somehow, like getting it to create the acme challenge in a specific domain, or other possible solution? If you can come up with any then please let me know as soon as possible, the new year is coming and my deadline of this deployment is due tomorrow. I appreciate your support.

    • As you can see here the Dynu DNS records can be split into top level and third level domain, and their DNS records are separated
  • My docker compose file:

version: '3'

    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
      - no-new-privileges:true
      - proxy
      - 80:80
      - 443:443
      - DYNU_API_KEY=
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/docker_data/traefik/data/traefik.yml:/traefik.yml:ro
      - /srv/docker_data/traefik/data/acme.json:/acme.json
      - /srv/docker_data/traefik/data/config.yml:/config.yml:ro
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=CREDENTIALS"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=dynu"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[1].main=local.example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[1].sans=*.local.example.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

    external: true
  • My traefik.yml file:
  dashboard: true
  debug: true
    address: ":80"
          to: https
          scheme: https
    address: ":443"
  insecureSkipVerify: true
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    filename: /config.yml
      email: example@example.com
      storage: acme.json
        provider: dynu

Again, thanks a lot for your support. :smile:

I think you need to create local.example.com in DNS if you want to create a second level wildcard.

Can you explain it clearer on how I can do that please?

I don’t know, it depends on your DNS provider. In general I would create an A record with the Traefik IP.

Yeah, I did create an A record with the Traefik IP already (from before when I was still using NPM) and it still doesn't work, also, by IP do you mean the local or the public one? But either way I have an a record of them both
Picture for reference (this is the local.example.com third level domain record section, separated from the top level example.com section)

Enable and check Traefik debug log (doc).

You can also set delayBeforeCheck to manually check if the TXT entry was created (doc, at end of providers):

By default, the provider verifies the TXT record before letting ACME verify. You can delay this operation by specifying a delay (in seconds) with delayBeforeCheck (value must be greater than zero).

Well, the lucky thing is I figured out some crap and finally got a different error:
time="2023-12-31T19:05:08Z" level=error msg="Unable to obtain ACME certificate for domains \"*.local.example.com\"" error="unable to generate a certificate for the domains [*.local.example.com]: error: one or more domains had a problem:\n[*.local.example.com] propagation: time limit exceeded: last error: NS ns4.dynu.com. returned NXDOMAIN for _acme-challenge.local.example.com.\n" providerName=dynu.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=traefik-secure@docker rule="Host(traefik-dashboard.local.example.com)"

Also, now Firefox doesn't allow me to visit the websites at all instead of just saying it's insecure

But the bad thing is I still have no idea on how to solve it, so I would greatly appreciate it if you lend me a hand on this one

Update: I went and mess around with the delayBeforeCheck , and finally got it working with delayBeforeCheck: 60

But there is still a question I want to ask: will their be any future consequences (error or other stuff that ) when using this delayBeforeCheck parameter? I mean it kinda feel like a workaround

I don’t think there are any issues, it just waits a bit for the DNS data propagation, so that all DNS servers have the same new data available.

Thanks a lot, but unfortunately I have encountered another issue so I'm hoping you could come over with it. That would be great

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.