DNS-01 challenge with OVH not working "acme: error cleaning up: ovh: unknown record ID" "acme: Error -\u003e"

Hello!

I'm trying to set up Traefik V2 on a Synology DS1518+ with a Let's Encrypt certificate, using a DNS-01 challenge with OVH as my domain name host.

It doesn't work and I really don't understand why. I can't find any good information about the Error -\u003e part.

I have tried generating different OVH applications, but it didn't help. I have also tried simplifying my docker-compose to put my application key etc. directly in it, and the error is still the same.
I really don't know what to debug next.

Thank you for taking the time to read!

My docker-compose is:

version: '3.7'

#secrets:
#  # secret name also used to name the file exposed within the container
#  ovh_endpoint:
#     # path on the host
#    file: "/volume1/docker/cli/traefik/secrets/ovh_endpoint.secret"
#  ovh_application_key:
#    file: "/volume1/docker/cli/traefik/secrets/ovh_application_key.secret"
#  ovh_application_secret:
#    file: "/volume1/docker/cli/traefik/secrets/ovh_application_secret.secret"
#  ovh_consumer_key:
#    file: "/volume1/docker/cli/traefik/secrets/ovh_consumer_key.secret"

networks:
  traefik-public-net:
    external: true

services:
  traefik:
    # The official v2.0 Traefik docker image
    image: "traefik:v2.1"
    container_name: "traefik"
    # Enables the web UI and tells Traefik to listen to docker
    ports:
      # The HTTP port
      - "80:80"
      # The HTTPS port
      - "443:443"
#    secrets:
#      - "ovh_endpoint"
#      - "ovh_application_key"
#      - "ovh_application_secret"
#      - "ovh_consumer_key"
    environment:
      - "TZ=Europe/Paris"
      - "OVH_ENDPOINT=ovh-eu"
      - "OVH_APPLICATION_KEY=xxxxxxxxxxx"
      - "OVH_APPLICATION_SECRET=yyyyyyyyyyyyyyyyyy"
      - "OVH_CONSUMER_KEY=zzzzzzzzzzzzzzzzzzzzzzzzzz"
    networks:
      - traefik-public-net
    volumes:
      # So that Traefik can listen to the Docker events
      - /volume1/docker/cli/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/cli/traefik/acme.json:/etc/traefik/acme.json
      - /volume1/docker/cli/traefik/traefik.log:/var/traefik.log
    labels:
      #labels to have access to the dashboard with digest auth
      - traefik.enable=true
      - traefik.http.routers.traefikdashboard-http.rule=Host(`traefik.mydomain.ovh`)
      - traefik.http.routers.traefikdashboard-http.entrypoints=http
      - traefik.http.middlewares.httptohttps.redirectscheme.scheme=https
      - traefik.http.routers.traefikdashboard-http.middlewares=httptohttps
      - traefik.http.routers.traefikdashboard-https.rule=Host(`traefik.mydomain.ovh`)
      - traefik.http.routers.traefikdashboard-https.entrypoints=https
      - traefik.http.routers.traefikdashboard-https.service=api@internal
      - traefik.http.routers.traefikdashboard-https.tls.certresolver=dnschallengeovh
      - traefik.http.routers.traefikdashboard-https.tls.domains[0].main=*.mydomain.ovh
      - traefik.http.routers.traefikdashboard-https.tls.domains[0].sans=mydomain.ovh
      - traefik.http.routers.traefikdashboard-https.middlewares=auth
      - traefik.http.middlewares.auth.digestauth.users=admin:traefik:44322354bb6bc62ac53f507812fa4eb24398eb60
    restart: unless-stopped

my traefik.toml:

[global]
  checkNewVersion = true
  sendAnonymousUsage = false

[entryPoints]
  [entryPoints.http]
    # Listen on port 80 for incoming requests
    address = ":80"
  [entryPoints.https]
    # Listen on port 443 for incoming requests
    address = ":443"

[providers]
  [providers.docker]
    endpoint = "unix:///var/run/docker.sock"
    # Expose containers by default through Traefik. If set to false, containers that don't have a traefik.enable=true label are ignored from the resulting routing configuration.
    exposedByDefault = false
    watch = true
    #[providers.docker.tls]
    #  # If insecureSkipVerify is true, TLS for the connection to Docker accepts any certificate presented by the server and any host name in that certificate.
    #  insecureSkipVerify = true

[certificatesResolvers.dnschallengeovh.acme]
  email = "myemail@gmail.com"
  # A relative path resolves against the container's working directory; the
  # docker-compose above mounts the file at /etc/traefik/acme.json.
  storage = "acme.json"
  #caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [certificatesResolvers.dnschallengeovh.acme.dnsChallenge]
    provider = "ovh"
    delayBeforeCheck = 10
    resolvers = ["213.251.128.146:53", "213.251.188.146:53"]

[api]
  dashboard = true
  #insecure = true
  #debug = true

[log]
  filePath = "/var/traefik.log"
  format = "json"
  level = "DEBUG" #Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.

and the relevant logs:

{"level":"debug","msg":"legolog: [INFO] acme: Registering account for myemail@gmail.com","time":"2020-03-20T01:09:47+01:00"}
{"level":"debug","msg":"Using DNS Challenge provider: ovh","providerName":"dnschallengeovh.acme","time":"2020-03-20T01:09:48+01:00"}
{"level":"debug","msg":"legolog: [INFO] [*.mydomain.ovh, mydomain.ovh] acme: Obtaining bundled SAN certificate","time":"2020-03-20T01:09:48+01:00"}
{"level":"debug","msg":"legolog: [INFO] [*.mydomain.ovh] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3455425608","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3455425609","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [*.mydomain.ovh] acme: use dns-01 solver","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] acme: Could not find solver for: tls-alpn-01","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] acme: Could not find solver for: http-01","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] acme: use dns-01 solver","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [*.mydomain.ovh] acme: Preparing to solve DNS-01","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] acme: Preparing to solve DNS-01","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [*.mydomain.ovh] acme: Cleaning DNS-01 challenge","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [WARN] [*.mydomain.ovh] acme: error cleaning up: ovh: unknown record ID for '_acme-challenge.mydomain.ovh.' ","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] acme: Cleaning DNS-01 challenge","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [WARN] [mydomain.ovh] acme: error cleaning up: ovh: unknown record ID for '_acme-challenge.mydomain.ovh.' ","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3455425608","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3455425609","time":"2020-03-20T01:09:49+01:00"}
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"*.mydomain.ovh,mydomain.ovh\" : unable to generate a certificate for the domains [*.mydomain.ovh mydomain.ovh]: acme: Error -\u003e One or more domains had a problem:\n[*.mydomain.ovh] [*.mydomain.ovh] acme: error presenting token: ovh: could not determine zone for domain: 'mydomain.ovh'. unexpected response code 'REFUSED' for mydomain.ovh.\n[mydomain.ovh] [mydomain.ovh] acme: error presenting token: ovh: could not determine zone for domain: 'mydomain.ovh'. unexpected response code 'REFUSED' for mydomain.ovh.\n","providerName":"dnschallengeovh.acme","time":"2020-03-20T01:09:50+01:00"}
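When a DNS-01 run fails, the JSON log carries both the harmless per-domain cleanup warnings and, in the single error-level entry, the per-domain cause that actually blocked issuance. The script below is an added example (not part of the original post or of Traefik/lego) that parses a constructed log in the same shape as the one above, lets `json.loads` decode the `\u003e` escape back into `>`, and separates the two kinds of message. The domain `example.test` and the helper names `parse_log`, `triage` and `is_zone_lookup_failure` are assumptions made for the example.

```python
import json

# Constructed sample log in the shape Traefik writes with format = "json".
# Domain, URLs and timestamps are placeholders, not values from a real host.
SAMPLE_LOG = r'''
{"level":"debug","msg":"legolog: [INFO] [*.example.test] acme: Cleaning DNS-01 challenge","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [WARN] [*.example.test] acme: error cleaning up: ovh: unknown record ID for '_acme-challenge.example.test.' ","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [WARN] [example.test] acme: error cleaning up: ovh: unknown record ID for '_acme-challenge.example.test.' ","time":"2020-03-20T01:09:49+01:00"}
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"*.example.test,example.test\" : unable to generate a certificate for the domains [*.example.test example.test]: acme: Error -\u003e One or more domains had a problem:\n[*.example.test] [*.example.test] acme: error presenting token: ovh: could not determine zone for domain: 'example.test'. unexpected response code 'REFUSED' for example.test.\n[example.test] [example.test] acme: error presenting token: ovh: could not determine zone for domain: 'example.test'. unexpected response code 'REFUSED' for example.test.\n","providerName":"dnschallengeovh.acme","time":"2020-03-20T01:09:50+01:00"}
'''


def parse_log(text):
    # One JSON object per line. json.loads turns the \u003e escape back into '>'
    # and the \n escapes inside "msg" into real newlines.
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(entries):
    """Split lego messages into benign cleanup warnings and the per-domain
    failures that explain why no certificate was issued."""
    cleanup_warnings = []
    root_causes = []
    for entry in entries:
        msg = entry["msg"]
        if "[WARN]" in msg and "error cleaning up" in msg:
            # CleanUp runs even when Present never created a record, so the
            # "unknown record ID" warning is a consequence, not the cause.
            cleanup_warnings.append(msg)
        elif entry["level"] == "error":
            # The error-level entry lists one failed domain per line after this marker.
            _, _, tail = msg.partition("One or more domains had a problem:")
            for line in tail.splitlines():
                line = line.strip()
                if not line:
                    continue
                domain = line[1:line.index("]")]          # text inside the first [...]
                cause = line.split("acme: ", 1)[1]        # everything after "acme: "
                root_causes.append((domain, cause))
    return {"cleanup_warnings": cleanup_warnings, "root_causes": root_causes}


def is_zone_lookup_failure(cause):
    """True when the provider could not even locate the zone, i.e. the SOA lookup
    against the configured resolvers failed before any OVH API call was made."""
    return "could not determine zone" in cause and "unexpected response code" in cause


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    print(f"{len(report['cleanup_warnings'])} cleanup warning(s) (ignore these)")
    for domain, cause in report["root_causes"]:
        kind = "resolver/zone lookup" if is_zone_lookup_failure(cause) else "other"
        print(f"{domain}: {kind}: {cause}")
```

Run against a real Traefik log file by replacing `SAMPLE_LOG` with the file's contents; the point of the split is that a root cause tagged "resolver/zone lookup" means the configured `resolvers` answered something other than NOERROR/NXDOMAIN, so the fix belongs in the DNS settings, not in the OVH credentials.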

Hello,

The cleanup message is not related to your issue.

From your logs:

Unable to obtain ACME certificate for domains "*.mydomain.ovh,mydomain.ovh" :
unable to generate a certificate for the domains [*.mydomain.ovh mydomain.ovh]:
acme: Error -> One or more domains had a problem:
[*.mydomain.ovh] [*.mydomain.ovh] acme: error presenting token:
ovh: could not determine zone for domain: 'mydomain.ovh'. unexpected response code 'REFUSED' for mydomain.ovh.

FYI, \u003e is the Unicode representation of a character: Unicode Character 'GREATER-THAN SIGN' (U+003E).

Thank you for your input. I've changed the DNS in my traefik.toml to Google's, and everything is working fine.
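Why swapping the resolvers fixed it: before creating the `_acme-challenge` TXT record, the DNS-01 client has to discover which zone the name belongs to, and it does so by asking the configured resolvers for an SOA record, walking one label toward the root on each NXDOMAIN. A server that neither hosts the zone nor recurses answers REFUSED, and the walk aborts with exactly the "unexpected response code 'REFUSED'" text above; a recursive resolver answers the SOA query and the walk succeeds. The simulation below is an added example (not lego's or Traefik's code): the two fake resolvers, the rcode handling and the names `find_zone_by_fqdn`, `recursive_resolver`, `authoritative_only` and `present_txt` are constructed for illustration and deliberately simplified.

```python
# Constructed simulation of the SOA walk an ACME DNS-01 client performs to find
# the zone that must receive the _acme-challenge TXT record. The fake resolvers
# are assumptions for illustration, not models of any specific OVH or Google server.

NOERROR, NXDOMAIN, REFUSED = "NOERROR", "NXDOMAIN", "REFUSED"


def recursive_resolver(known_zones):
    """A resolver that recurses for the client: it can find the SOA of any zone in
    `known_zones` (our constructed view of the public DNS) and says NXDOMAIN otherwise."""
    def query_soa(name):
        return (NOERROR, name) if name in known_zones else (NXDOMAIN, None)
    return query_soa


def authoritative_only(served_zones):
    """A server that answers only for zones it serves and refuses everything else
    instead of recursing."""
    def query_soa(name):
        for zone in served_zones:
            if name == zone:
                return (NOERROR, zone)            # zone apex: SOA in the answer
            if name.endswith("." + zone):
                return (NXDOMAIN, None)           # inside our zone, but no such name
        return (REFUSED, None)                    # not our zone and we do not recurse
    return query_soa


def find_zone_by_fqdn(fqdn, query_soa):
    """Walk from fqdn toward the root asking for an SOA at each label boundary.
    NOERROR with an SOA means the zone apex was found, NXDOMAIN means go one label
    up, and any other rcode is fatal."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, zone = query_soa(name)
        if rcode == NOERROR and zone:
            return zone
        if rcode == NXDOMAIN:
            continue
        raise RuntimeError(f"unexpected response code '{rcode}' for {name}")
    raise RuntimeError(f"could not find the start of authority for {fqdn}")


def present_txt(domain, query_soa):
    """Mimic the provider's Present step up to zone discovery. Returns
    (zone, None) on success or (None, error_text) in the format seen in the log."""
    try:
        return find_zone_by_fqdn(domain + ".", query_soa), None
    except RuntimeError as exc:
        return None, f"ovh: could not determine zone for domain: '{domain}'. {exc}"


if __name__ == "__main__":
    public_dns = recursive_resolver({"example.test."})
    stranger = authoritative_only({"other.test."})     # hosts a different zone, no recursion
    for label, resolver in (("recursive resolver", public_dns), ("non-recursing server", stranger)):
        zone, err = present_txt("example.test", resolver)
        print(f"{label}: zone={zone} error={err}")
```

The walk also explains why a wildcard and its apex fail together: both resolve to the same apex zone, so one bad resolver answer blocks every name under it. If the configured resolvers are the zone's own authoritative servers they work too (`authoritative_only({"example.test."})` answers the SOA), which is why the safe choice for `resolvers` is either those servers or a public recursive resolver, never a server that serves unrelated zones.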

Can you send your updated traefik.toml please?