beget: erases A and MX records for the root domain (CNAME wildcard)

[tannisroot]

Welcome

• Yes, I'm using a binary release within the two latest releases.
• Yes, I've searched for similar issues on GitHub and didn't find any.
• Yes, I've included all information below (version, config, etc).

What did you expect to see?

Since Traefik relies on lego for certificate management, I figured I would file an issue about it here as well.
I've filed the following ticket with Beget.com:

Hello, I want to configure the acquiring and auto-renewal of Let's Encrypt certificates via Traefik.
I added the following configuration to Traefik:

certificatesResolvers:
  beget:
    acme:
      email: "hidden"
      storage: /var/traefik/certs/beget-acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: beget
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

I also passed the BEGET_USER and BEGET_PASSWORD variables with my username and a pre-created API password.
In my Beget account, I went to the DNS section and changed the root (@) A record to my server's IP, and also added a Wildcard (*) record pointing to CNAME with the root record. I need this because there are many services running on the server with individual subdomains.
I start Traefik, and there seem to be no errors, but when I go to the DNS panel in Beget, I see that all records except TXT have disappeared from the root domain (@).
I restore it to how it was, change the CNAME for the wildcard * subdomain to an A record with the same IP as the A record for the root domain.
I had this configuration in Cloudflare before and everything worked fine.
I restart Traefik, and an error appears:

2025-12-30T02:17:43+03:00 ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [immich.hidden]: error: one or more domains had a problem:\n[immich.hidden] [immich.hidden] acme: error presenting token: beget: get TXT records: API answer error: METHOD_FAILED: Failed to get DNS records\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["immich.hidden"] providerName=beget.acme routerName=immich@docker rule=Host(`immich.hidden`)

To which I've received the following:

The problem arises due to the peculiarities of the Beget API:

When calling changeRecords for the root domain (@), you need to transfer all existing A, MX, and TXT records in their entirety, otherwise the rest will be deleted, leaving only TXT for the ACME challenge.

The Traefik provider (plugin) “beget” does not take this into account and tries to get/update only TXT, which leads to an error:

METHOD_FAILED: Failed to get DNS records

However, it is not clear to me why the root domain is even touched at all. Shouldn't lego create a subdomain for a particular certificate it wants to create, like _acme-challenge.DOMAIN, instead of messing with the root?

What did you see instead?

Root DNS records remain intact and certification acquisition to complete succefully

How do you use lego?

Through Traefik

Reproduction steps

1. Have a domain with Beget, have the wildcard subdomain set to CNAME with value of the root domain
2. Add the following to the Traefik config:

     beget:
       acme:
         email: "hidden"
         storage: /var/traefik/certs/beget-acme.json
         caServer: "https://acme-v02.api.letsencrypt.org/directory"
         dnsChallenge:
           provider: beget
           resolvers:
             - "1.1.1.1:53"
             - "8.8.8.8:53"

3. Create an API Password in Beget account, set BEGET_USERNAME and BEGET_PASSWORD.
4. Start Traefik
5. Check DNS records in Beget panel - the A, MX records are erased.
6. Reset DNS records, change wildcard subdomain to A record.
7. Start Traefik
8. Get the error

Effective version of lego

v4.30.1 (bundled with Traefik)

Logs

Details

2025-12-30T02:17:43+03:00 ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [immich.hidden]: error: one or more domains had a problem:\n[immich.hidden] [immich.hidden] acme: error presenting token: beget: get TXT records: API answer error: METHOD_FAILED: Failed to get DNS records\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["immich.hidden"] providerName=beget.acme routerName=immich@docker rule=Host(`immich.hidden`)

Go environment (if applicable)

Details

$ go version && go env
# paste output here

[ldez]

Lego doesn't change records for the root domain unless you are playing with CNAME.
Are you using a CNAME or a CNAME wildcard?

For your information, the API documentation is wrong, so this is difficult to work with.

For example, the response to getData.

The documentation:

Details

[
      "is_under_control": 1,
      "is_beget_dns": 1,
      "is_subdomain": 0,
      "fqdn": "beget.ru",
      "records": {
        "DNS": [
          {
            "value": "ns1.beget.ru",
            "priority": 10
          },
          {
            "value": "ns2.beget.ru",
            "priority": 20
          }
        ],
        "DNS_IP": [
          {
            "value": null,
            "priority": 10
          },
          {
            "value": null,
            "priority": 20
          }
        ],
        "A": [
          {
            "value": "91.106.201.65",
            "priority": "0"
          }
        ],
        "MX": [
          {
            "value": "mx1.beget.ru",
            "priority": "10"
          },
          {
            "value": "mx2.beget.ru",
            "priority": "20"
          }
        ],
        "TXT": [
          {
            "value": "",
            "priority": 0
          }
        ]
      },
      "set_type": 1
]

the real response:

Details

{
  "status": "success",
  "answer": {
    "status": "success",
    "result": {
      "is_under_control": true,
      "is_beget_dns": true,
      "is_subdomain": false,
      "fqdn": "example.com",
      "records": {
        "MX": [
          {
            "ttl": 300,
            "exchange": "mx2.beget.com.",
            "preference": 20
          },
          {
            "ttl": 300,
            "exchange": "mx1.beget.com.",
            "preference": 10
          }
        ],
        "TXT": [
          {
            "ttl": 300,
            "txtdata": "v=spf1 redirect=beget.com"
          }
        ],
        "A": [
          {
            "ttl": 300,
            "address": "1.2.3.4"
          }
        ],
        "DNS": [
          {
            "value": "ns1.beget.pro"
          },
          {
            "value": "ns2.beget.pro"
          },
          {
            "value": "ns1.beget.com"
          },
          {
            "value": "ns2.beget.com"
          }
        ],
        "DNS_IP": [
          {
            "value": ""
          },
          {
            "value": ""
          },
          {
            "value": ""
          },
          {
            "value": ""
          }
        ]
      },
      "set_type": 1
    }
  }
}

You can see that the field value doesn't exist in the reality for A, MX, and TXT, instead there are several other fields (ex: txtdata,, preference, exchange, ...).

But the changeRecords endpoint seems to only use value, and this is a problem because the response of getData cannot be used with changeRecords.
Also multiple fields (ex: preference, exchange) cannot become one field (value), so maybe there is a rule to handle that but the documentation doesn't explain it.

Note: lego is not a plugin and doesn't have plugins.

[ldez]

Maybe my previous comment was not clear.

1. Are you using CNAMEs?
2. The API documentation is impossible to use because it is wrong, so can you ask to Beget to provide the right documentation?

[tannisroot]

1. Yes, I am using it for the Wildcard subdomain, (*.MYDOMAIN), for which I set CNAME to the root domain (MYDOMAIN). That's what triggers overwrite issue.
   When setting wildcard to the A record with my server's IP, I just get the METHOD_FAILED: Failed to get DNS records error.
2. I'm going to contact them again to provide accurate documentation.

[ldez]

yes, I am using it for the Wildcard subdomain, for which I set CNAME to the root domain

So you have to use LEGO_DISABLE_CNAME_SUPPORT.

https://go-acme.github.io/lego/usage/cli/options/index.html#lego_disable_cname_support

[tannisroot]

LEGO_DISABLE_CNAME_SUPPORT

Sure, I will try that, but what about the usecase when CNAME is not used and wildcard subdomain just points to an A record, causing the METHOD_FAILED: Failed to get DNS records? Traefik's error is not exactly verbose, please let me know if I should run lego directly and get a more detailed response from it, haven't had the opportunity with the holidays and all.

[ldez]

beget: get TXT records: API answer error: METHOD_FAILED: Failed to get DNS records

The part beget: get TXT records: API answer error: is from lego.

The part METHOD_FAILED: Failed to get DNS records is from the API of Beget, so I don't know the meaning because there is no API documentation about that.

wildcard subdomain just points to an A record

"wildcard (sub)domain" (this notion doesn't exist) cannot have an A record, because an A record is defined on a domain and a domain name cannot contains *.

A CNAME wildcard is a real thing (this is redirection), but as I said, in this context you must disable the CNAME support with the env var LEGO_DISABLE_CNAME_SUPPORT.

[ldez]

Just to be clear: the records are created and get on _acme-challenge.example.com and not example.com (unless a CNAME interferes with the process).

So there is no existing A or MX records on this domain.

[ldez]

Do you have some news from Beget?

[tannisroot]

No, no response yet, but it should be noted that since this company seems to be Russia based, they are probably still on holidays