Unable to renew certificate with nabu.casa and custom domain. #4584

@AssortedMapTacks

Describe the issue you are experiencing

I am using Nabu Casa for external access to HA using a custom domain (ha.mydomain.com). https://support.nabucasa.com/hc/en-us/articles/26497540527517-Using-remote-access-with-a-custom-domain-for-Home-Assistant

I also use split DNS so from inside my network my custom domain (ha.mydomain.com) resolves to the internal IP.

Setting up the custom domain with Nabu Casa requires creating a CNAME record _acme-challenge.ha.mydomain.com that points to _acme-challenge.somerandomnumber.ui.nabu.casa.

From what I understand, LEGO is trying to follow that CNAME and create the TXT record for the nabu.casa zone instead of mine.

LEGO has an option to disable CNAME support, but I am unable to configure this in the app. If I add it in the YAML, it gets deleted. https://go-acme.github.io/lego/usage/cli/options/index.html#lego_disable_cname_support

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which app are you reporting an issue with?

Let's Encrypt

What is the version of the app?

6.3.1

Steps to reproduce the issue

...

System Health information

n/a

Anything in the Supervisor logs that might be useful for us?

Anything in the app logs that might be useful for us?

cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[18:04:01] INFO: Selected DNS Provider: dns-cloudflare
[18:04:01] INFO: Use propagation seconds: 60
[18:04:01] INFO: Using certbot-dns-multi for dns-cloudflare
[18:04:01] INFO: Using CloudFlare token
[18:04:01] INFO: Detecting existing certificate type for ha.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[18:04:02] INFO: Existing certificate using 'ecdsa' key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for ha.mydomain.com
2026/04/21 18:04:04 [INFO] Found CNAME entry for "_acme-challenge.ha.mydomain.com.": "_acme-challenge.somerandomnumber.ui.nabu.casa."
2026/04/21 18:04:04 [INFO] Found CNAME entry for "_acme-challenge.ha.mydomain.com.": "_acme-challenge.somerandomnumber.ui.nabu.casa."
Cleanup of ha.mydomain.com failed: cloudflare: failed to find zone ui.nabu.casa.: zone could not be found
cloudflare: failed to find zone ui.nabu.casa.: zone could not be found
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Additional information

No response
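
Added example, not part of the original issue and not the add-on's or lego's code: a simplified model of where the DNS-01 TXT record ends up with and without CNAME following, using constructed records that mirror the names in the log above. The editable-zone list, the suffix-match zone lookup and all function names are assumptions made for illustration.

```python
# Constructed records mirroring the names in the issue log; not live DNS.
RECORDS = {
    ("_acme-challenge.ha.mydomain.com.", "CNAME"):
        "_acme-challenge.somerandomnumber.ui.nabu.casa.",
}
# Assumption: the DNS API token can only edit the user's own zone.
TOKEN_ZONES = {"mydomain.com."}


def challenge_fqdn(domain, follow_cname=True, records=RECORDS, max_hops=8):
    """Return the name where the DNS-01 TXT record would be written."""
    fqdn = f"_acme-challenge.{domain.rstrip('.')}."
    hops = 0
    while follow_cname and (fqdn, "CNAME") in records:
        hops += 1
        if hops > max_hops:
            raise ValueError("CNAME chain too long or looping")
        fqdn = records[(fqdn, "CNAME")]
    return fqdn


def find_zone(fqdn, zones=TOKEN_ZONES):
    """Return the longest suffix of fqdn that is an editable zone, else None."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def plan(domain, follow_cname=True, records=RECORDS):
    """Describe where the TXT record lands and whether it can be created."""
    fqdn = challenge_fqdn(domain, follow_cname, records)
    return {
        "txt_name": fqdn,
        "zone": find_zone(fqdn),
        # A name that holds a CNAME cannot also hold a TXT record (RFC 1034).
        "cname_conflict": (fqdn, "CNAME") in records,
    }


if __name__ == "__main__":
    for follow in (True, False):
        print("follow_cname =", follow, plan("ha.mydomain.com", follow))
```

With following enabled, the target name falls outside every editable zone, which corresponds to the "zone could not be found" error in the log. With following disabled, the TXT name is inside mydomain.com but collides with the existing CNAME at that name.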
