NS8 Certificate not obtained

Hi,

What would be the way to best analyse why a certificate is not obtained pls?

I have “server1.domain.com” as FQDN and several sub domains such as mail.domain.com and cloud.domain.com. The subdomains HAVE obtained a correct certificate by setting the switch in the settings page of the instance. The main domain however “domain.com” is listed as not having obtained a certificate. I removed the listing (waste bin) and tried to add it again. It says obtaining… and later on NOT obtained.

Thanks.

Still not published, but some info was added yesterday as a draft to the manual to clarify how "not obtained" works:

https://nethserver--57.org.readthedocs.build/projects/ns8/en/57/certificates.html#let-s-encrypt-certificates

Ensure DNS records are set up correctly

Nope, that did not help. All DNS settings are like those of the other domains on the (separate) NS8 cluster, with the same domain provider; nameservers etc. are all the same.

This is the error I was able to copy: (some adjustments for privacy)

{
  "context": {
    "action": "set-certificate",
    "data": {"fqdn": "mydomain.com", "sync": true},
    "extra": {
      "description": "Processing",
      "eventId": "7f1328cf-70c6-4e6a-8145-xxxxxxxxxxxx",
      "logs": {
        "instance": "traefik1",
        "path": "?searchQuery=&context=module&selectedAppId=traefik1&followLogs=false&startDate=2024-01-05&startTime=19%3A38&autoStartSearch=true"
      },
      "title": "Request certificate for mydomain.com"
    },
    "id": "822675bb-62d1-4cde-a2a8-xxxxxxxxxxxx",
    "parent": "",
    "queue": "module/traefik1/tasks",
    "timestamp": "2024-01-05T18:38:48.649476253Z",
    "user": "admin"
  },
  "status": "aborted",
  "progress": 99,
  "subTasks": [],
  "validated": true,
  "result": {
    "error": "",
    "exit_code": 2,
    "file": "task/module/traefik1/822675bb-62d1-4cde-a2a8-xxxxxxxxxxxx",
    "output": {"obtained": false}
  }
}

I am out of options and could use an extra set of eyes please.

They are set correctly with the domain name provider and locally. However, where does the domain name "host-26437.ns8.test" come from?

I have set all the correct FQDN settings of the (single node) cluster where required. Still, when visiting the main domain "mydomain.com", the certificate that is served is for "host-26437.ns8.test" and not for "mydomain.com". I don't know where this comes from or how to resolve/prevent it.

TIA


Something is odd and off. I will redo the whole setup. I know, not the best practice but I need to move on.

And even that did not help. Wassuuup?


Hi LayLow,

Not being an expert on NS8 (understatement!), I had my fights with Let's Encrypt myself. For me (among my stupidity) it was that NS8 tried to request a cert for its own hostname, which I did not expect.

In the cluster-admin, if you go to Settings > TLS Certificate, does it state what you expect (i.e. the domains configured in DNS)?

My solution was to delete (waste-bin icon) the ones I did not need.

I did that too, several times, but did not want to exceed Let's Encrypt's cycles. For the life of me I can't figure it out. I'll DM you for some private details, if I may?

No resolution as of yet. It could well be my stupidity.

Does not work here either...

Somehow it seems to be impossible to request a certificate for the main domain without specifying a host, meaning host.example.com works, example.com does not.

So it did not obtain a certificate for just the main domain (i.e. just one dot).

Route is OK:

and works too:

In the log (as this is plaintext, I changed the domain name to XXXX):

2024-01-10T13:22:35+01:00 [1:traefik1:traefik] time="2024-01-10T12:22:35Z" level=error msg="Unable to obtain ACME certificate for domains \"XXXX.nl\"" rule="Host(`XXXX.nl`)" providerName=acmeServer.acme error="unable to generate a certificate for the domains [XXXX.nl]: error: one or more domains had a problem:\n[XXXXX.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2a02:9e0:9000::11: Invalid response from http://XXXXX.nl/.well-known/acme-challenge/d6OBYUdxbIuh88QhRxRCy6GJdgUmgJHI78nfzRejMtg: 404\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=webserver1-XXXXX.nl-https@file

@davidep would you have an idea please?

I can't test anymore due to exceeding my Let's Encrypt cycles.

For testing you can switch to the staging authority, under the certificate settings page.

The URL to set is

https://acme-staging-v02.api.letsencrypt.org/directory

It is not documented, but you find the setting pushing the ACME servers button.

Thanks, but I did extensive tests already. It now becomes problematic because I cannot use NS8 in production due to this issue. Not blaming NS8, but other test installs did not have this issue.

I tried to do the following

All seems OK so far. Maybe I need to test a 2nd level domain? :person_shrugging:

This is what Mark and I experience: sub.domain.com works, domain.com does not.

How to proceed?

At least in your case, for the domain havak.nl, I found both IPv4 and IPv6 records pointing to (apparently) different systems. The ACME challenge may fail because of this?

sogo.havak.nl has address 82.170.191.242

havak.nl has address 82.170.191.242
havak.nl has IPv6 address 2a02:9e0:9000::11