Let's Encrypt DNS challenge with Porkbun for subdomain fails without an ALIAS record #4580

Open
@andrechalella

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • No
  • Are you sure you're not using someone else's docker image?
    • No
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
I bought a domain with Porkbun. I configured ACME DNS challenge in Proxmox with the Porkbun plugin for a random subdomain of my domain and it worked like a charm. Then I tried to do the same in NPM, and it failed with "Invalid domain".

I checked API keys, I tried other subdomains, it always failed. Then I tried with mydomain.com and it worked! So I went to Porkbun DNS and noticed there was a wildcard CNAME (*.mydomain.com -> uixie.porkbun.com). To test, I made a specific CNAME for my subdomain (sub.mydomain.com -> mydomain.com) and it failed again.

Then I noticed that my domain had an ALIAS record (mydomain.com -> uixie.porkbun.com). So I made an ALIAS for my subdomain (sub.mydomain.com -> uixie.porkbun.com) and it worked!

I think it's a bug because Proxmox works without needing to meddle with DNS records.

Nginx Proxy Manager Version
v2.12.3 (TrueNAS community repo)

To Reproduce
Steps to reproduce the behavior:

  1. Go to "SSL Certificates"
  2. Click on "Add SSL Certificate"
  3. Click on "Let's Encrypt"
  4. Insert your domain name (must be a subdomain without an ALIAS record)
  5. Select "Use a DNS Challenge"
  6. Select DNS provider Porkbun
  7. Input your API keys
  8. Agree to the Terms of Service
  9. Click "Save"

Expected behavior
Success.

Operating System
TrueNAS

Additional context
Here is the relevant log part:

2025-06-15 01:01:06,244:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.porkbun.com:443
2025-06-15 01:01:08,216:DEBUG:urllib3.connectionpool:https://api.porkbun.com:443 "POST /api/json/v3/dns/retrieveByNameType/porkbun.com/TXT/uixie HTTP/1.1" 400 None
2025-06-15 01:01:08,217:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/plugins/dns_common.py", line 80, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/tmp/npmuserhome/.local/lib/python3.11/site-packages/certbot_dns_porkbun/cert/client.py", line 134, in _perform
    challenge_dns_records = client.get_all_dns_records(
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/npmuserhome/.local/lib/python3.11/site-packages/pkb_client/client/client.py", line 368, in get_all_dns_records
    raise PKBClientException(
pkb_client.client.client.PKBClientException: ERROR: Invalid domain.
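
One way to triage a log like the one above, as an added example (not part of the original report, of certbot-dns-porkbun or of pkb_client): it pulls the zone and record name out of each Porkbun API request in a certbot debug log and flags requests for a zone that does not contain the domain the certificate was requested for. The function names and the certificate name sub.mydomain.com are assumptions; the sample input is the two request lines from the report.

```python
import re

# Sample input: the two urllib3 lines from the report, embedded so this runs offline.
SAMPLE_LOG = '''\
2025-06-15 01:01:06,244:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.porkbun.com:443
2025-06-15 01:01:08,216:DEBUG:urllib3.connectionpool:https://api.porkbun.com:443 "POST /api/json/v3/dns/retrieveByNameType/porkbun.com/TXT/uixie HTTP/1.1" 400 None
'''

# Porkbun v3 DNS request paths: /api/json/v3/dns/<action>/<zone>[/<type>[/<subdomain>]]
API_CALL = re.compile(
    r'https://api\.porkbun\.com:443 "POST /api/json/v3/dns/'
    r'(?P<action>\w+)/(?P<zone>[^/\s]+)(?:/(?P<rtype>[A-Z]+))?(?:/(?P<sub>[^/\s]+))?'
    r' HTTP/1\.1" (?P<status>\d{3})'
)


def in_zone(name, zone):
    """True if `name` is the zone apex or a name below it (label-aligned match)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def audit(log_text, cert_domain):
    """Return one finding per Porkbun DNS API request found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = API_CALL.search(line)
        if not m:
            continue
        zone = m["zone"]
        record = f'{m["sub"]}.{zone}' if m["sub"] else zone
        findings.append({
            "action": m["action"],
            "zone": zone,
            "record": record,
            "status": int(m["status"]),
            # The API was asked about a zone the requested name does not live in.
            "foreign_zone": not in_zone(cert_domain, zone),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, "sub.mydomain.com"):
        flag = "OUTSIDE requested domain" if f["foreign_zone"] else "ok"
        print(f'{f["action"]} {f["record"]} -> HTTP {f["status"]} [{flag}]')
```

On the log from the report this flags the single request: the lookup went to zone porkbun.com for record uixie.porkbun.com, not to mydomain.com, and returned HTTP 400.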
