No subdomain because the domain and the zone are identical

Hi everyone,
I recently switched from another DNS provider to deSEC, the reason being that it lets me issue wildcard certificates for my home server via Traefik (DNS-01 challenge).
My setup is as follows:
FritzBox - ProxmoxServer - UbuntuVM running Docker - traefik container
When I start Traefik, I get the following error message:
ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [mydomain.net *.mydomain.net]: error: one or more domains had a problem:\n[*.mydomain.net] [*.mydomain.net] acme: error presenting token: desec: no subdomain because the domain and the zone are identical: mydomain.net.\n[mydomain.net] [mydomain.net] acme: error presenting token: desec: no subdomain because the domain and the zone are identical: mydomain.net.\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mydomain.net","*.mydomain.net"] providerName=production.acme routerName=traefik-secure@docker rule=Host(`traefik-traefik`)

docker-compose:

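services:
  traefik:
    image: docker.io/traefik:latest
    container_name: traefik
    hostname: traefik
    # All static configuration lives in /etc/traefik/traefik.yml (mounted
    # below). The previous `command: --api.insecure=true --providers.docker`
    # duplicated options from that file and, more importantly, switched on the
    # unauthenticated API/dashboard listener on :8080. The dashboard is served
    # through the authenticated `traefik-secure` router below instead.
    ports:
      - "443:443/tcp"
      - "80:80/tcp"
      # :8080 (the insecure API listener) is deliberately not published.
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # ":ro" only blocks writes to the socket file; any process that can talk
      # to the Docker API through it is effectively root on the host. Keep this
      # container unexposed and its dashboard behind authentication.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/datastorage/arrecife/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      # Holds the ACME account key and certificate private keys; Traefik
      # expects this file to exist on the host with mode 0600.
      - /mnt/datastorage/arrecife/traefik/letsencrypt/acme.json:/acme.json
      - /mnt/datastorage/arrecife/traefik/dynamic_conf.yml:/dynamic_conf.yml:ro
      - /mnt/datastorage/arrecife/traefik/conf:/etc/traefik/conf:ro
      - /mnt/datastorage/arrecife/traefik/logs:/logs
    entrypoint:
      - /entrypoint.sh
    # stack.env is expected to supply DESEC_TOKEN and LOGINS; keep it out of
    # version control.
    env_file: stack.env
    environment:
      # Compose hands environment values to the process as text; quote
      # true/false so the YAML parser does not turn them into booleans.
      # As set here, lego's CNAME following stays ON (see the reply below for
      # the switch that turns it off).
      LEGO_DISABLE_CNAME_SUPPORT: "false"
      LEGO_EXPERIMENTAL_CNAME_SUPPORT: "true"
      # Prefer a deSEC token whose policy is restricted to this zone (and, if
      # possible, to the _acme-challenge record) over an account-wide token.
      DESEC_TOKEN: ${DESEC_TOKEN}
      DESEC_POLLING_INTERVAL: "65"
      DESEC_TTL: "3600"
      # The host's PATH used to be copied in here (PATH: ${PATH}). That
      # overrides the image's own PATH and is not needed by Traefik.
    labels:
      - "traefik.enable=true"
      # `traefik.api.*` and `providers.*` are static configuration and are not
      # read from Docker labels; those entries were removed from this list.

      # Plain-HTTP router. The `web` entry point in traefik.yml already
      # redirects every request to websecure, so this is only a fallback.
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.net`)"
      - "traefik.http.routers.traefik.middlewares=redirect@file"

      # HTTPS router serving the dashboard/API behind basic auth.
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.net`)"
      - "traefik.http.routers.traefik-secure.middlewares=auth,secHeaders@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certResolver=production"
      # One certificate covering the apex (main) plus the wildcard (sans).
      # The wildcard entry requires the DNS-01 challenge configured in
      # traefik.yml; an HTTP-01 resolver cannot issue it.
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.net"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.net"

      # LOGINS holds htpasswd entries (user:hash). Compose substitutes the
      # variable's value verbatim, so the `$` characters inside the hash are
      # safe here; if you ever paste a hash literally into this file, double
      # every `$`.
      - "traefik.http.middlewares.auth.basicauth.users=${LOGINS}"
      # The former `dashboard` router (service + middleware only, no rule or
      # entry point) was dropped: without a rule the Docker provider assigns a
      # default Host() match on the container name — plausibly the
      # Host(`traefik-traefik`) seen in the log — on every entry point, which
      # exposes api@internal under an unintended hostname. The duplicated
      # traefik-secure.service label was dropped as well.
    networks:
      - traefik

networks:
  traefik:
    driver: bridge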

traefik.yml

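entryPoints:
  web:
    address: ":80"
    http:
      # Every plain-HTTP request is redirected to websecure before any router
      # on this entry point is consulted.
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

# NOTE(review): `tls.options` is dynamic configuration. Nothing in this file
# or in the router labels references `modern` or `intermediate`, so routers
# currently fall back to Traefik's built-in `default` options and this block
# appears to be inert where it stands. Move it into /dynamic_conf.yml (served
# by the file provider below) and either name the profile `default` or point
# routers at it with `traefik.http.routers.<name>.tls.options=intermediate@file`.
tls:
  options:
    modern:
      minVersion: "VersionTLS13"
    intermediate:
      minVersion: "VersionTLS12"
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"

api:
  dashboard: true
  # The dashboard is reachable only through the authenticated `traefik-secure`
  # router (service api@internal). With `insecure: true` it would additionally
  # be served without authentication on :8080.
  insecure: false

accessLog:
  filePath: "/logs/access.log"
  bufferingSize: 100

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Only containers carrying traefik.enable=true are routed.
    exposedByDefault: false

  file:
    filename: "/dynamic_conf.yml"
    watch: true

certificatesResolvers:
  # Staging issues untrusted certificates but has generous rate limits. It now
  # uses the same DNS-01 setup as production so a failing wildcard order can
  # be debugged here first; the previous httpChallenge cannot issue wildcard
  # certificates and therefore never exercised the failing path.
  staging:
    acme:
      email: ***@***.net
      storage: acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: desec
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

  production:
    acme:
      email: ***@***.net
      # Relative to the container's working directory; mounted from the host
      # at /acme.json and must be mode 0600.
      storage: acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: desec
        # Unconditional 300 s wait before each validation attempt. Check your
        # Traefik version's docs for whether this delay replaces or merely
        # precedes the TXT propagation check; DESEC_POLLING_INTERVAL already
        # controls how often the provider polls deSEC, so lower this once
        # issuance works.
        delayBeforeCheck: 300
        # Resolvers queried to confirm the TXT record is visible. The first
        # entry is not a well-known public resolver — verify it is intended,
        # or use deSEC's authoritative servers / a public recursive resolver.
        resolvers:
          - "45.54.76.1:53"
          - "1.1.1.1:53"
          - "1.0.0.1:53"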

Hello !
I had a similar problem — I don't remember whether it was the same error message — but give this a try. The error text suggests that, with CNAME following enabled (your compose file sets `LEGO_EXPERIMENTAL_CNAME_SUPPORT: true`), lego resolved `_acme-challenge.mydomain.net` to the zone apex `mydomain.net` itself (a wildcard CNAME at `*.mydomain.net` pointing at the apex would do this), leaving no label under which deSEC could create the TXT record. Disabling CNAME support makes lego write the TXT record directly at `_acme-challenge.mydomain.net`.

Add this to the `environment` section of the traefik service in your docker-compose file (it replaces the `LEGO_DISABLE_CNAME_SUPPORT: false` you currently set there):

environment:
  # Must reach lego as the text "true"; quoting keeps the YAML parser from
  # producing a boolean.
  LEGO_DISABLE_CNAME_SUPPORT: "true"

Good luck :slight_smile: