Handling Multiple DNS Challenges in Traefik with Let’s Encrypt

I see what’s happening — your logs are showing two separate but related issues:


1. ACME / Let’s Encrypt error

The key part of the error is:

order identifiers have been by the ACME server (RFC8555 §7.1.3):
[{Type:dns Value:xxxxcom} {Type:dns Value:kl-xxxxx.com}] != [{Type:dns Value:xxxx.com}]

That means Let’s Encrypt is rejecting the certificate request because the domain names in your router rule and the ACME challenge don’t line up. Common causes:

  • Typo in domain: I see xxxx<.com and xxxx.comi in your log — those look like copy/paste or config typos. Even a stray < or i will cause a mismatch.
  • CNAME delegation: You added _acme-challenge.xxxx.com → challenge01.yyyy.cloud. That’s correct in principle, but you need to confirm with dig or nslookup that it resolves properly:
    dig TXT _acme-challenge.xxxx.com
    
    It should return the TXT record Traefik created under challenge01.yyyy.cloud. If it doesn’t, Let’s Encrypt won’t validate.
  • Wildcard vs. base domain: If you’re requesting *.xxxx.com, you must use DNS‑01 (which you are), but your tls.domains block must explicitly include both:
    tls:
      certResolver: letsencrypt
      domains:
        - main: "xxxx.com"
          sans:
            - "*.xxxx.com"
    

Troubleshooting steps

  1. Clean up the domain list in your router/dynamic config — make sure there are no stray characters.
  2. Run dig on _acme-challenge.xxxx.com and confirm it resolves to the TXT record under challenge01.yyyy.cloud.
  3. If propagation is slow, Let’s Encrypt may fail repeatedly until DNS caches update. Lower TTLs help.
  4. If you’re testing, switch to the staging CA to avoid hitting rate limits:
    certificatesResolvers:
      letsencrypt:
        acme:
          caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
    

Next steps for you

  1. Verify DNS delegation with dig to ensure _acme-challenge is resolving correctly.
  2. Confirm your router rules match the domains you’re actually visiting.
  3. If you’re still stuck, enable debug logging in Traefik:
    log:
      level: DEBUG
    
    That will show exactly which domains Traefik is requesting certs for and why it’s rejecting others.

Share your YAML files here so that I can have a look.
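The DNS checks from the troubleshooting steps above (the `_acme-challenge` CNAME, the TXT record behind it, and a sanity check for stray characters in the domain list), as a small POSIX shell helper. This is an added example, not code from the original reply or from Traefik/lego; the names `xxxx.com` and `challenge01.yyyy.cloud` are taken from the thread, and the sample answers are constructed. The checks take `dig +short` output as text, so they can be exercised on recorded answers without network access and only the optional `live_check` driver actually queries DNS.

```sh
#!/bin/sh
# Added example (not Traefik code): sanity checks for a DNS-01 CNAME delegation.
# Every check takes text input, so it works on captured answers as well as live dig output.

# valid_hostname NAME
# Returns 0 if NAME is a syntactically valid DNS name, with an optional leading "*."
# wildcard label. Catches stray characters such as the "<" seen in the log.
valid_hostname() {
  name=$(printf '%s\n' "$1" | sed 's/^\*\.//')
  [ "${#name}" -le 253 ] || return 1
  printf '%s\n' "$name" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# in_zone NAME BASE
# Returns 0 if NAME is BASE itself or a subdomain of it. A typo like "xxxx.comi"
# is syntactically valid, so this catches what valid_hostname alone cannot.
in_zone() {
  name=$(printf '%s\n' "$1" | sed 's/^\*\.//')
  [ "$name" = "$2" ] && return 0
  case "$name" in *".$2") return 0 ;; esac
  return 1
}

# normalize NAME: lower-case and strip the trailing dot dig prints on owner names.
normalize() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# check_cname OBSERVED EXPECTED
# OBSERVED is the output of `dig +short CNAME _acme-challenge.<domain>`.
# Returns 0 only when a CNAME exists and points at EXPECTED (case and dot insensitive).
check_cname() {
  observed=$(normalize "$1")
  expected=$(normalize "$2")
  [ -n "$observed" ] && [ "$observed" = "$expected" ]
}

# has_acme_txt OUTPUT
# OUTPUT is the output of `dig +short TXT _acme-challenge.<domain>`; dig follows the
# CNAME and prints the target name followed by any TXT strings. A DNS-01 token is
# base64url(SHA-256), i.e. exactly 43 characters from [A-Za-z0-9_-].
# Note: the TXT record only exists while a challenge is in flight; lego removes it
# after validation, so an empty result outside an issuance attempt is normal.
has_acme_txt() {
  printf '%s\n' "$1" | grep -Eq '^"[A-Za-z0-9_-]{43}"$'
}

# Constructed sample answers (what `dig +short` would print), for offline use.
SAMPLE_CNAME='challenge01.yyyy.cloud.'
SAMPLE_TXT='challenge01.yyyy.cloud.
"gfj9Xq-pEpjhnyrRWOIeQHurVn5Jg8FzijqjEGxyY5g"'
SAMPLE_NO_TXT='challenge01.yyyy.cloud.'

# live_check DOMAIN TARGET: run the same checks against real resolvers with dig.
live_check() {
  valid_hostname "$1" || { echo "'$1' is not a valid hostname (stray character?)"; return 1; }
  cname=$(dig +short CNAME "_acme-challenge.$1")
  check_cname "$cname" "$2" || {
    echo "CNAME for _acme-challenge.$1 is '$cname', expected $2"; return 1; }
  txt=$(dig +short TXT "_acme-challenge.$1")
  has_acme_txt "$txt" || {
    echo "no ACME-shaped TXT record behind the CNAME (no challenge in flight, or propagation lag)"; return 1; }
  echo "delegation for $1 looks good"
}

# Only query DNS when invoked with arguments:  sh check-acme-dns.sh xxxx.com challenge01.yyyy.cloud
if [ "$#" -eq 2 ]; then
  live_check "$1" "$2"
fi
```

Run it while Traefik is actually attempting issuance (or right after forcing a renewal against the staging CA), otherwise the TXT check will report nothing because the record has already been cleaned up.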