Traefik/Lego: failed to create records

Hi there!
I am using Traefik 3.4 (also tried on 3.3) and am unable to get a container under a domain up and running. I looked for similar error messages and did not find anything previous for this.

Traefik: 3.4
Domain registered with deSEC and tried to use via Traefik / Lego: [mydomain]

Error:

    {"level":"error","providerName":"deSEC.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"deSEC.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"whoami@docker","rule":"Host([mydomain].io)","error":"unable to generate a certificate for the domains [[mydomain].io]: error: one or more domains had a problem:\n[[mydomain].io] [[mydomain].io] acme: error presenting token: desec: failed to create records: domainName=io, recordName=_acme-challenge.[mydomain]: 404: Not found.\n","domains":["[mydomain].io"],"time":"2025-05-17T00:06:51+02:00","message":"Unable to obtain ACME certificate for domains"}

I am not sure where to look further to solve this. Any pointers are appreciated!

desec: failed to create records: domainName=io, recordName=_acme-challenge.[mydomain]: 404: Not found.

It’s not exactly obvious from the error message, but there are two important hints there:

  1. 404 Not found is what you get when the API does not find the domain you want to manage, i.e. it is not in the account that your token belongs to.
  2. domainName=io, recordName=_acme-challenge.[mydomain] indicates that you/Traefik/Lego supplied io as the domain to manage and _acme-challenge.[mydomain] as the subname. deSEC won’t let you manage a top level domain, so the error message (404 Not found) makes sense.

I don’t use Traefik, so I don’t know how to set it up correctly. But it seems to me that your DNS name is incorrectly split between domain and subname. Looks like you set the domain to io and the subname to [mydomain]. At least one label of [mydomain] must be in the domain and not in the subname.

An example: If you registered example.io, then that is your domain. If you want a certificate for example.io, the subname is empty. If you want a certificate for www.example.io, then the subname must be www. I suppose Traefik/Lego will add _acme-challenge to the subname as needed.

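The domain/subname split described in the answer above, as an added example that is not part of the original posts and is not Lego's or Traefik's own code. The function name `SplitChallenge`, the error value and the `example.io` zone lists are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoZone means no zone in the account covers the name. Per the answer
// above, that is the situation the API reports as 404 Not found.
var ErrNoZone = errors.New("no zone in account covers this name")

// SplitChallenge (hypothetical helper) returns the zone and the subname under
// which the _acme-challenge TXT record for certName has to be created, given
// the zones held by the account. The longest matching zone wins.
func SplitChallenge(certName string, accountZones []string) (zone, subname string, err error) {
	fqdn := "_acme-challenge." + strings.ToLower(strings.TrimSuffix(certName, "."))
	for _, z := range accountZones {
		z = strings.ToLower(strings.TrimSuffix(z, "."))
		// Match on a label boundary only: "ample.io" must not claim "example.io".
		if strings.HasSuffix(fqdn, "."+z) && len(z) > len(zone) {
			zone = z
		}
	}
	if zone == "" {
		return "", "", fmt.Errorf("%w: %s", ErrNoZone, fqdn)
	}
	return zone, strings.TrimSuffix(fqdn, "."+zone), nil
}

func main() {
	// Constructed sample data: an account that holds only example.io.
	zones := []string{"example.io"}
	for _, name := range []string{"example.io", "www.example.io", "example.com"} {
		zone, sub, err := SplitChallenge(name, zones)
		if err != nil {
			fmt.Println(name, "->", err)
			continue
		}
		fmt.Printf("%s -> domainName=%s, recordName=%s\n", name, zone, sub)
	}
	// The split seen in the log: "io" treated as the zone to manage.
	z, s, _ := SplitChallenge("example.io", []string{"io"})
	fmt.Printf("wrong zone -> domainName=%s, recordName=%s\n", z, s)
}
```

Comparing the `domainName`/`recordName` pair in a Lego error against the zones actually listed in the account shows quickly whether the zone was cut at the wrong label.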

Thanks for the hints!
In Traefik I use as my certificateResolver:

    deSEC:
      acme:
        email: "[myEmail]"
        storage: "/etc/traefik/tls_desec.json"
        dnsChallenge:
          provider: "desec"
          delayBeforeCheck: 120

and for the whoami container I use the labels:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`[mydomain]`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=deSEC"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"

The registered domain in the desec.io interface is also the whole domain.
I am not sure where else to look for the error…