It's quite strange. Let's Encrypt uses the DNS resolver Unbound, so a crew member of LE has set up unboundtest.com to debug resolver issues by matching the LE production servers' Unbound configuration pretty well. It fails with the message "message contains bad rrsets" (https://unboundtest.com/m/A/eleo.komma.dev/QSKJHADJ). However, I don't understand why. Many times SERVFAIL errors are due to DNSSEC problems, but two independent sites report no DNSSEC issues (eleo.komma.dev | DNSViz and DNSSEC Analyzer - eleo.komma.dev).
That DNSViz has a line of "NSEC proving non-existence of eleo.komma.dev/A", which makes me think that DNSSEC simultaneously thinks eleo. doesn't exist even though it also knows *. does exist? Wildcard DNS along with a non-wildcard certificate seems like a weird use case, anyhow, though I don't know why it wouldn't work. Is there some reason you're going about what you're doing this way, and maybe there's a better one that your DNS server will like better? I really need to dive deep and learn the intricacies of how DNSSEC works at some point, so I'm not sure I'm being all that helpful, but it sounds like there's something in your setup which is misconfigured (or your DNS server has some kind of bug when dealing with wildcard records?).
Depending on what kind of interface your DNS provider gives you, can you maybe disable DNSSEC and re-enable it, or have them re-sign your zone, or something like that? Or maybe add an explicit eleo. record, even if you're going to have a wildcard result for some other names?
That's a common (even expected?) result for wildcard DNS. I can confirm a similar result with one of my own domains and I don't have any trouble getting LE certs at that zone.
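Why an NSEC "proving non-existence" accompanies a wildcard answer, as an added example that is not part of any post in this thread: a validator that sees a wildcard-synthesized answer (RFC 4035 section 5.3.4) also requires an NSEC covering the queried name, to show no closer match exists. The sketch checks only that denial logic, not signatures or NSEC3, and the NSEC chain is constructed, not the real komma.dev zone.

```python
# Added illustration. The NSEC chain below is constructed sample data.
CONSTRUCTED_NSEC_CHAIN = [
    ("komma.dev", "*.komma.dev"),
    ("*.komma.dev", "www.komma.dev"),
    ("www.komma.dev", "komma.dev"),  # last record wraps back to the apex
]

def canonical_key(name):
    """RFC 4034 section 6.1 order: labels compared right to left, lowercased."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between an NSEC owner and its next name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    # The final NSEC in a zone points back to the apex, so the span wraps.
    return q > o or q < n

def label_count(name):
    """Label count as used by the RRSIG 'labels' field (a leading '*' is not counted)."""
    labels = name.rstrip(".").split(".")
    return len(labels) - (1 if labels[0] == "*" else 0)

def is_wildcard_expansion(qname, rrsig_labels):
    """An RRSIG 'labels' value below the qname's label count means wildcard synthesis."""
    return rrsig_labels < label_count(qname)

def wildcard_answer_ok(qname, rrsig_labels, nsec_records):
    """Accept a wildcard answer only with an NSEC proving no exact match exists."""
    if not is_wildcard_expansion(qname, rrsig_labels):
        return True  # exact match: no denial proof is needed
    return any(nsec_covers(o, n, qname) for o, n in nsec_records)

if __name__ == "__main__":
    # A record signed at *.komma.dev carries labels=2; the query name has 3 labels.
    print(wildcard_answer_ok("eleo.komma.dev", 2, CONSTRUCTED_NSEC_CHAIN))
    # Same answer with the covering NSEC missing from the response.
    print(wildcard_answer_ok("eleo.komma.dev", 2, CONSTRUCTED_NSEC_CHAIN[:1]))
```

A response that carries the wildcard answer without the covering NSEC fails this check even though the zone itself is signed correctly.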
I need this setup due to automatic development site creation. So I removed the DNSSEC signing on the DNS server and on the domain name. Let's see tomorrow if renewal works again. Will update this post tomorrow!
Which is odd, as two independent sites did not find any issue. Glad it's working now though. Perhaps if you'd add DNSSEC again, hopefully it'll keep working!