Certbot renewal dns-01 challenge failure, During secondary validation: DNS problem

You could also CNAME to another DNS zone that has only one global zone.

4 Likes

Well, multi-perspective validation has been around for some time now, but they did fairly recently make changes to their transit for validation, so that might be related.

But in any event, as you've discovered, in order to work reliably you need to ensure that your DNS servers give consistent answers worldwide.

I don't think you can have certbot run multiple DNS plugins directly. If you can script all the updates needed yourself, you could use the manual hooks to run your own script that does what you need. Though it may be easier to take @rg305's suggestion and have all your _acme-challenge zones CNAME (or delegate via NS) to one place, where that one place is somewhere that you can update easily. There are systems designed for being delegated to in this way, like acme-dns, too, though if you already have a DNS system with dynamic updates you might not need to add that.

4 Likes
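As an added example (not from this thread or from certbot itself), here is what the manual-hook approach described above can look like once every `_acme-challenge` name is CNAMEd into one central zone: the same script serves as `--manual-auth-hook "hook.sh add"` and `--manual-cleanup-hook "hook.sh del"`, publishes the validation TXT with an RFC 2136 dynamic update, and then polls every authoritative server of that zone, since multi-perspective validation fails if any one of them still serves a stale answer. The central zone name, its primary server and the TSIG key path are placeholders.

```shell
#!/bin/sh
# Added example: certbot manual auth/cleanup hook for a central ACME zone.
# Placeholders (override via environment): the central zone that every
# _acme-challenge.<domain> CNAMEs into, its primary server, and a TSIG key.
CENTRAL_ZONE="${CENTRAL_ZONE:-acme.example.net}"
CENTRAL_NS="${CENTRAL_NS:-ns1.example.net}"
TSIG_KEY="${TSIG_KEY:-/etc/acme/tsig.key}"

# Map the certificate domain to its record inside the central zone, i.e.
# _acme-challenge.www.example.com CNAME www.example.com.acme.example.net
challenge_target() {
    printf '%s.%s\n' "$1" "$CENTRAL_ZONE"
}

# Emit the nsupdate commands that add or delete the validation TXT record.
# $1 = add|del, $2 = certbot domain, $3 = validation token
nsupdate_script() {
    name=$(challenge_target "$2")
    printf 'server %s\n' "$CENTRAL_NS"
    printf 'zone %s\n' "$CENTRAL_ZONE"
    if [ "$1" = add ]; then
        printf 'update add %s 60 IN TXT "%s"\n' "$name" "$3"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$3"
    fi
    printf 'send\n'
}

# Wait until EVERY authoritative server of the central zone returns the
# token; a single lagging secondary is enough to fail secondary validation.
wait_for_propagation() {
    name=$(challenge_target "$1"); token=$2; tries=0
    for ns in $(dig +short NS "$CENTRAL_ZONE"); do
        until dig +short @"$ns" TXT "$name" | grep -qF "\"$token\""; do
            tries=$((tries + 1)); [ "$tries" -lt 30 ] || return 1; sleep 5
        done
    done
}

# Entry point: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both
# hooks; the add/del argument is our own, passed on the certbot command line.
if [ "$1" = add ] || [ "$1" = del ]; then
    nsupdate_script "$1" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
        | nsupdate -k "$TSIG_KEY" || exit 1
    if [ "$1" = add ]; then
        wait_for_propagation "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || exit 1
    fi
fi
```

The TTL of 60 keeps cleanup cheap, and the delete step matters because leftover TXT records accumulate in the central zone across renewals.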

Thank you guys for the help.

4 Likes
