ACME certificate fails with Hetzner DNS: NS REFUSED for _acme-challenge on Traefik

[zft9xgy]

Hi, Ive been trying for several days to understand where the issue is and how to fix it. Maybe someone can give me a hand or point me in the right direction.

What am I trying to achieve?

• Get an SSL certificate for my services using Traefik with my domain hosted on Hetzner.

The problem?

(full log is attach in the bottom)

• traefik | 2025-12-11T10:43:41Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:501 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [senkiu.net]: error: one or more domains had a problem:\n[senkiu.net] propagation: time limit exceeded: last error: authoritative nameservers: NS helium.ns.hetzner.de.:53 returned REFUSED for _acme-challenge.senkiu.net.\n"

Context:

On my machine I have several services and I want to use Traefik as a reverse proxy. Traefik is not accessible to the public, only through Tailscale. This way, when I visit "service.senkiu.net" the public DNS will return a 100.x.x.x IP from my Tailscale network, which I can access if Im connected to Tailscale.

What have I tried so far?

• Checked Hetzners zone and propagation. Everything looks good.
• Confirmed that the Hetzner DNS API works correctly. The _acme_challenge TXT record is created as expected.
• Checked internal DNS resolution.
• Changed the A record to an IP outside the 100.x.x.x Tailscale range to try issuing the certificate.
• Tested with subdomains like "service.senkiu.net" and also with "senkiu.net".
• Tried different resolvers in the Traefik configuration.

Im running out of ideas. The only thing left I can think of is trying another DNS provider, although Im not really a fan of using Cloudflare.

After this, I’ll contact Hetzner support.

Any idea where I should look next?

docker compose y traefik.yml

#docker-compose.yml
services:
  traefik:
    image: traefik:v3
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./coraza:/etc/traefik/coraza:ro
      - ./letsencrypt:/letsencrypt
    env_file:
      - .env
    restart: unless-stopped
    networks:
      - traefik
    

  nginx:
    image: nginx:latest
    container_name: nginx_test
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginx.rule=Host("senkiu.net")
      - traefik.http.routers.nginx.entrypoints=websecure
      - traefik.http.routers.nginx.tls.certresolver=myresolver
    networks:
      - traefik
    depends_on:
      - traefik

networks:
  traefik:
    external: true

traefik.yml

#traefik.yml
global:
  checkNewVersion: false
  sendAnonymousUsage: false
log:
  level: DEBUG
api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  docker:
    exposedByDefault: false

certificatesResolvers:
  myresolver:
    acme:
      email: rafaelco@tuta.com
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: hetzner
        delayBeforeCheck: 5
        resolvers:
            - "9.9.9.9:53"

traefik/lego logs during deploy

traefik     | 2025-12-11T10:42:23Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:489 > Trying to challenge certificate for domain [senkiu.net] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=nginx@docker rule="Host(\"senkiu.net\")"
traefik     | 2025-12-11T10:42:23Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:962 > Looking for provided certificate(s) to validate ["senkiu.net"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=nginx@docker rule="Host(\"senkiu.net\")"
traefik     | 2025-12-11T10:42:23Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:1008 > Domains need ACME certificates generation for domains "senkiu.net". ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["senkiu.net"] providerName=myresolver.acme routerName=nginx@docker rule="Host(\"senkiu.net\")"
traefik     | 2025-12-11T10:42:23Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:726 > Loading ACME certificates [senkiu.net]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=nginx@docker rule="Host(\"senkiu.net\")"
traefik     | 2025-12-11T10:42:23Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:288 > Building ACME client... providerName=myresolver.acme
traefik     | 2025-12-11T10:42:23Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:294 > https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme
traefik     | 2025-12-11T10:42:24Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:336 > Using DNS Challenge provider: hetzner providerName=myresolver.acme
traefik     | 2025-12-11T10:42:24Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Obtaining bundled SAN certificate lib=lego
traefik     | 2025-12-11T10:42:24Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/2867354016/625876375586 lib=lego
traefik     | 2025-12-11T10:42:24Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Could not find solver for: tls-alpn-01 lib=lego
traefik     | 2025-12-11T10:42:24Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Could not find solver for: http-01 lib=lego
traefik     | 2025-12-11T10:42:24Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: use dns-01 solver lib=lego
traefik     | 2025-12-11T10:42:24Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Preparing to solve DNS-01 lib=lego
traefik     | 2025-12-11T10:42:27Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Trying to solve DNS-01 lib=lego
traefik     | 2025-12-11T10:42:27Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Checking DNS record propagation. [nameservers=9.9.9.9:53] lib=lego
traefik     | 2025-12-11T10:42:29Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] Wait for propagation [timeout: 1m0s, interval: 2s] lib=lego
traefik     | 2025-12-11T10:42:34Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Waiting for DNS record propagation. lib=lego
traefik     | 2025-12-11T10:42:41Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Waiting for DNS record propagation. lib=lego
traefik     | 2025-12-11T10:42:48Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Waiting for DNS record propagation. lib=lego
traefik     | 2025-12-11T10:42:55Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Waiting for DNS record propagation. lib=lego
traefik     | 2025-12-11T10:43:02Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Waiting for DNS record propagation. lib=lego
traefik     | 2025-12-11T10:43:09Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Waiting for DNS record propagation. lib=lego
traefik     | 2025-12-11T10:43:16Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Waiting for DNS record propagation. lib=lego
traefik     | 2025-12-11T10:43:23Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Waiting for DNS record propagation. lib=lego
traefik     | 2025-12-11T10:43:30Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Waiting for DNS record propagation. lib=lego
traefik     | 2025-12-11T10:43:32Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] [senkiu.net] acme: Cleaning DNS-01 challenge lib=lego
traefik     | 2025-12-11T10:43:41Z DBG github.com/go-acme/lego/v4@v4.29.0/log/logger.go:48 > [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/2867354016/625876375586 lib=lego
traefik     | 2025-12-11T10:43:41Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:501 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [senkiu.net]: error: one or more domains had a problem:\n[senkiu.net] propagation: time limit exceeded: last error: authoritative nameservers: NS helium.ns.hetzner.de.:53 returned REFUSED for _acme-challenge.senkiu.net.\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["senkiu.net"] providerName=myresolver.acme routerName=nginx@docker rule="Host(\"senkiu.net\")"

[zft9xgy]

Its funny that after publish and try with different configuration is working.

for the domain "senkiu.net" it work by changing this in the traefik.yml: (disableANSChecks)

certificatesResolvers:
  myresolver:
    acme:
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: hetzner
        propagation:
          disableANSChecks: true
          delayBeforeChecks: 10

But know, i got this if i want to use subdomains like "service.senkiu.net"

traefik     | 2025-12-11T11:14:41Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:501 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [nginx.senkiu.net]: error: one or more domains had a problem:\n[nginx.senkiu.net] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nginx.senkiu.net - check that a DNS record exists for this domain\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["nginx.senkiu.net"] providerName=myresolver.acme routerName=nginx@docker rule="Host(\"nginx.senkiu.net\")"

[zft9xgy]

Ok, finally this was the way around i did:

In the service, i issue wild card certificate, so thats working for all the subservices right now.

  nginx:
    image: nginx:latest
    container_name: nginx_test
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginx.rule=Host("nginx.senkiu.net")
      - traefik.http.routers.nginx.entrypoints=websecure
      - traefik.http.routers.nginx.tls.certresolver=myresolver
      - traefik.http.routers.nginx.tls.domains[0].main=senkiu.net
      - traefik.http.routers.nginx.tls.domains[0].sans=*.senkiu.net
    networks:
      - traefik
    depends_on:
      - traefik

And for a more "clean up" configuration i move it to taefik.yml static config isntead to a single service label:

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: myresolver
        domains:
          - main: "senkiu.net"
            sans:
              - "*.senkiu.net"

I believe the issue is related to how zones are handled in Hetzner DNS. When I request a certificate for "sub.senkiu.net", ACME creates a TXT record named "_acme.sub.senkiu.net". It seems that Hetzner might be treating it as a separate zone, although I can’t say this with full certainty since it’s beyond my current understanding.

Althought my problem is solve right now, i would keep in open because i will aprecciate someone can take a look at this and give me feedback.

Thanks

The discussion section of lego is not for Traefik support, please use their community forum.