
Let's Encrypt certificate not retried after initial DNS NXDOMAIN failure #3803

@Edgar-Alarcon

Description

When creating a new domain in Dokploy before DNS propagation is complete, Let's Encrypt fails with an NXDOMAIN error. After DNS propagates correctly, Traefik does not automatically retry certificate generation and continues serving the default Traefik certificate until manually restarted.

Steps to Reproduce

  1. Create a new application in Dokploy
  2. Add a custom domain with certificateType: letsencrypt
  3. DNS record exists but hasn't fully propagated yet (or was just created)
  4. Traefik attempts ACME challenge immediately
  5. Let's Encrypt returns NXDOMAIN error
  6. Wait for DNS to propagate (can verify with nslookup or dig)
  7. Access the domain - still shows "TRAEFIK DEFAULT CERT" instead of Let's Encrypt certificate

Expected Behavior

Traefik should periodically retry failed ACME certificate requests, especially for DNS-related failures that are likely temporary.

Actual Behavior

Traefik fails once and doesn't retry. The domain continues using the default Traefik certificate indefinitely until:

  • Traefik is manually restarted (docker restart dokploy-traefik)
  • Or the domain is removed and re-added

Traefik Logs

2026-02-25T21:20:06Z ERR Unable to obtain ACME certificate for domains 
  error="unable to generate a certificate for the domains [api-dev.example.com]: 
  error: one or more domains had a problem:
  [api-dev.example.com] invalid authorization: acme: error: 400 :: 
  urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for 
  api-dev.example.com - check that a DNS record exists for this domain"
  ACME CA=https://acme-v02.api.letsencrypt.org/directory 
  domains=["api-dev.example.com"] 
  providerName=letsencrypt.acme

Workaround

Restart Traefik after DNS has propagated:

docker restart dokploy-traefik

Suggested Improvement

Consider implementing one of these solutions:

  1. Add a retry mechanism with exponential backoff for failed ACME requests
  2. Add a "Retry Certificate" button in the Dokploy UI for domains
  3. Document this behavior and recommend pointing DNS before adding domains

Environment

  • Dokploy version: 0.27.0
  • Traefik: Default Dokploy configuration
  • Certificate type: Let's Encrypt
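The procedure the issue describes by hand (verify the A record with dig, confirm the edge still serves "TRAEFIK DEFAULT CERT", then docker restart dokploy-traefik) as an added script. It is an example written for this page, not code from the issue, Dokploy or Traefik. It assumes dig, openssl and docker are on PATH, that the container is named dokploy-traefik (as in the workaround above), and that the public resolver 1.1.1.1 is reachable; the helper names, the sample log line and the poll defaults are the example's own.

```shell
#!/bin/sh
# Added example for this issue; not part of Dokploy or Traefik.
# Waits until a domain resolves, then restarts Traefik only if the certificate
# it serves is still Traefik's self-signed fallback certificate.
# Assumptions: dig, openssl, docker on PATH; container name dokploy-traefik
# (from the issue's workaround); resolver 1.1.1.1 reachable.

# Classify an `openssl x509 -noout -subject` line. Traefik's built-in fallback
# certificate carries CN=TRAEFIK DEFAULT CERT, which is what the issue observes.
is_traefik_default_subject() {
  case "$1" in
    *"TRAEFIK DEFAULT CERT"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify a Traefik log line: 0 when it is the ACME DNS failure from the issue
# (error type urn:ietf:params:acme:error:dns), so a log watcher can trigger
# the same DNS-then-restart check without a human reading the log.
is_acme_dns_failure() {
  case "$1" in
    *"urn:ietf:params:acme:error:dns"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the first name out of the domains=["..."] field of such a log line.
acme_failed_domain() {
  printf '%s\n' "$1" | sed -n 's/.*domains=\["\([^"]*\)"].*/\1/p'
}

# Constructed sample: the issue's log line collapsed onto one line, for testing
# the two classifiers above offline.
SAMPLE_LOG='2026-02-25T21:20:06Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [api-dev.example.com]: error: one or more domains had a problem: [api-dev.example.com] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for api-dev.example.com - check that a DNS record exists for this domain" ACME CA=https://acme-v02.api.letsencrypt.org/directory domains=["api-dev.example.com"] providerName=letsencrypt.acme'

# Does the name currently have at least one A record at a public resolver?
dns_resolves() {
  [ -n "$(dig +short A "$1" @1.1.1.1 2>/dev/null)" ]
}

# Subject of the leaf certificate the edge serves for this SNI name.
served_cert_subject() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null
}

# Poll DNS, then restart Traefik once if the default cert is still being served.
# $1 domain, $2 max polls (default 30), $3 seconds between polls (default 20).
watch_domain() {
  domain=$1; tries=${2:-30}; interval=${3:-20}
  i=0
  while ! dns_resolves "$domain"; do
    i=$((i + 1))
    if [ "$i" -ge "$tries" ]; then
      echo "giving up: $domain still has no A record" >&2
      return 1
    fi
    sleep "$interval"
  done
  subject=$(served_cert_subject "$domain")
  if is_traefik_default_subject "$subject"; then
    echo "$domain resolves but still serves the default cert; restarting Traefik"
    docker restart dokploy-traefik
  else
    echo "$domain already serves: $subject"
  fi
}

# Usage: ./wait-then-retry.sh api-dev.example.com [tries] [interval-seconds]
if [ $# -gt 0 ]; then
  watch_domain "$@"
fi
```

Two caveats worth knowing before relying on this: an A record visible at 1.1.1.1 is only a proxy for what Let's Encrypt's validators see, since they query from their own vantage points and walk to the authoritative servers, so a restart can still land on a stale view of the zone; and the restart is deliberately conditional on the served subject, so running the script repeatedly (for example from a log watcher that feeds acme_failed_domain into watch_domain) does not bounce a Traefik that has already obtained its certificate.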
