ACME DNS Timeout - Manual tries get successful result

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
planetkimsmith.com

I ran this command:
certbot certonly --manual --preferred-challenges dns --cert-name planetkimsmith.com --key-type ecdsa -d planetkimsmith.com,*.planetkimsmith.com

It produced this output:
IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: planetkimsmith.com
  Type: dns
  Detail: DNS problem: query timed out looking up TXT for
  _acme-challenge.planetkimsmith.com

  Domain: planetkimsmith.com
  Type: dns
  Detail: DNS problem: query timed out looking up TXT for
  _acme-challenge.planetkimsmith.com

My web server is (include version):
n/a

The operating system my web server runs on is (include version):
CEntOS 8

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

From the server I type:
dig _acme-challenge.planetkimsmith.com TXT
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> @8.8.8.8 _acme-challenge.planetkimsmith.com TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42128
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.planetkimsmith.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.planetkimsmith.com. 21599 IN TXT "b0ReAlrQ5PL5hds7Qf4kvMBAX59_cMlzb-tu3N6oV9g"
_acme-challenge.planetkimsmith.com. 21599 IN TXT "sChgJMf_rGaouVAPqk4-f8OsYXmVfrQcQk2MDYCiU5c"

;; Query time: 154 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jun 27 10:01:04 CDT 2021
;; MSG SIZE rcvd: 175

I can also type:
dig -6 _acme-challenge.planetkimsmith.com TXT

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> -6 _acme-challenge.planetkimsmith.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28426
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.planetkimsmith.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.planetkimsmith.com. 21599 IN TXT "b0ReAlrQ5PL5hds7Qf4kvMBAX59_cMlzb-tu3N6oV9g"
_acme-challenge.planetkimsmith.com. 21599 IN TXT "sChgJMf_rGaouVAPqk4-f8OsYXmVfrQcQk2MDYCiU5c"

;; Query time: 113 msec
;; SERVER: ::ffff:8.8.8.8#53(::ffff:8.8.8.8)
;; WHEN: Sun Jun 27 10:03:01 CDT 2021
;; MSG SIZE rcvd: 175

Welcome to the Let's Encrypt Community, Kenny

The results from unboundtest.com might give a better picture of what's happening:

https://unboundtest.com/m/TXT/planetkimsmith.com/YXVHBXWC

Ok, that is a really awesome tool. I've never seen any TCP connections on port 53 on my DNS servers. I plugged the hole thinking it was unused. I enjoy being wrong. Thank you for the help and the tool!

Glad it worked out!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.