DNS-01 challenge failure (log attached)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
nasm.zytor.com

I ran this command:
certbot --debug-challenge -vv certonly -d nasm.zytor.com

It produced this output:
real.log.txt (22.6 KB)

With --dry-run it produced:
dry.log.txt (40.4 KB)

My DNS server is (include version):
BIND 9.18.28

The operating system my web server runs on is (include version):
Linux Fedora 40

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
3.1.0

I am using CNAMEs to point to a single short-TTL DNS server to avoid DNS propagation problems. The CNAME in question has had over 24 hours to propagate.

Is this expected?:
_acme-challenge.nasm.zytor.com canonical name = nasm.zytor.com.acme.zytor.com

nslookup -q=ns acme.zytor.com
acme.zytor.com  nameserver = ns1.zytor.com
ns1.zytor.com   internet address = 198.137.202.136
ns1.zytor.com   AAAA IPv6 address = 2607:7c80:54:3::136

nslookup -q=ns nasm.zytor.com.acme.zytor.com ns1.zytor.com
Address:  198.137.202.136
*** UnKnown can't find nasm.zytor.com.acme.zytor.com: Non-existent domain

Yes, it is exactly what is expected (as there is no challenge in progress).

Here is a visual form: _acme-challenge.nasm.zytor.com | DNSViz

Maybe you could place a challenge response there and check if it can be seen from the world.

It is there now; I replayed one of the previous challenge DNS changes and left it in place:

nslookup -q=txt _acme-challenge.nasm.zytor.com
Server: 127.0.0.1
Address: 127.0.0.1#53

_acme-challenge.nasm.zytor.com canonical name = nasm.zytor.com.acme.zytor.com.
nasm.zytor.com.acme.zytor.com text = "cLPC-j5sWT8d9mLz9uwfPG_IToJQ74HuhSHKk5td2-Q"

And this is https://unboundtest.com/m/TXT/_acme-challenge.nasm.zytor.com/45DA5RU4.

Query results for TXT _acme-challenge.nasm.zytor.com

Response:
;; opcode: QUERY, status: NOERROR, id: 32260
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;_acme-challenge.nasm.zytor.com.	IN	 TXT

;; ANSWER SECTION:
_acme-challenge.nasm.zytor.com.	0	IN	CNAME	nasm.zytor.com.acme.zytor.com.
nasm.zytor.com.acme.zytor.com.	0	IN	TXT	"cLPC-j5sWT8d9mLz9uwfPG_IToJQ74HuhSHKk5td2-Q"

----- Unbound logs -----

That should be correct, no?

Yes; that looks correct to me. 🙂

OK, going to try it again...

From the log it looks like the DNS update of the CNAME for the delegated challenge response is OK:

2025-04-23 16:42:20,587:WARNING:certbot.display.ops:Hook '--manual-auth-hook' for 
...
...
 + cnamecheck='_acme-challenge.nasm.zytor.com is an alias for nasm.zytor.com.acme.zytor.com.'
 + '[' '_acme-challenge.nasm.zytor.com is an alias for nasm.zytor.com.acme.zytor.com.' '!=' '_acme-challenge.nasm.zytor.com is an alias for nasm.zytor.com.acme.zytor.com.' ']'
 + echo 'update add nasm.zytor.com.acme.zytor.com. 60 IN TXT "XcWye8h4JQu1xG0tqBoBfYdaaelb07hOKesZejDSp6A"'
...
...

However the challenge is then submitted to Let's Encrypt for validation very quickly afterwards:

2025-04-23 16:42:20,618:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/32050082/510167090007/adC6yg:

DNS TTL values don't generally matter for DNS validation because Let's Encrypt is directly checking the authoritative name servers; however, you do still need to allow enough time for all of your responding nameservers to give the same answer, and currently it's submitting the challenge response within 100 ms. You need a delay of at least 30 seconds from updating DNS to asking LE to verify (up to 5 minutes for some DNS systems).

So if you are using the dns-rfc2136 plugin then the option is like --dns-rfc2136-propagation-seconds 30 as per the certbot-dns-rfc2136 documentation (Welcome to certbot-dns-rfc2136's documentation!).

If you look in real.log, you will see there is a 10-minute delay between updating DNS and submitting the request; it is just part of an external script so certbot doesn't quite understand it:

2025-04-23 16:32:20,416:INFO:certbot.compat.misc:Running manual-auth-hook command: /etc/letsencrypt/certbot-auth.sh auth
2025-04-23 16:42:20,587:WARNING:certbot.display.ops:Hook '--manual-auth-hook' for nasm.zytor.com ran with error output:
[...]

 + sleep 600

The "error output" is simply because I enabled the -x option in the script to make debugging easier.

Also, there ARE no secondary servers for the acme.zytor.com zone, explicitly to avoid the problem with DNS delays.

Ah yes I see that now.

Okay, I have a hypothesis (not yet confirmed) that one of the zytor.com secondaries -- specifically the anycast cloud ns-global.kjsl.com -- might have thought it was supposed to be a secondary for acme.zytor.com. As it is a legitimate secondary for zytor.com which also has ns1.zytor.com as master, it was permitted to AXFR the zone. It then returned the TXT record to go with the CNAME as a "courtesy".

Apparently, though, this only happened to some members of that cloud, so I could not see it from my horizon.

Going to try to verify that hypothesis now...

It appears that that might indeed have been the issue at hand.
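The two failure modes raised in this thread (returning to certbot before every responding nameserver serves the new token, and a server that nobody expected to answer, such as a parent-zone secondary that believes it also serves acme.zytor.com, handing out stale data) are both caught by the same check: after the nsupdate, query each candidate server directly, follow the _acme-challenge CNAME at that server, and only return from the auth hook once all of them serve the expected TXT value. The script below is an added example and is not the poster's /etc/letsencrypt/certbot-auth.sh. It assumes dig(1) is installed and that the operator supplies the server list explicitly (ns1.zytor.com and ns-global.kjsl.com are named in the thread; any other secondaries are assumptions), and the name and token in the usage are placeholders.

```shell
#!/bin/sh
# Added example (not the thread's own certbot-auth.sh).
# Replaces the fixed "sleep 600" with a check against every nameserver that
# could answer for the challenge name, bypassing resolver caches.

# Print the TXT values one server returns for a name, following up to 8 CNAME
# hops at that same server, so its copy of the target zone is what we see.
query_txt_at() {  # query_txt_at <server> <name>
    server=$1 name=$2 hop=0
    while [ "$hop" -lt 8 ]; do
        target=$(dig +short @"$server" "$name" CNAME | head -n 1)
        [ -z "$target" ] && break
        name=$target
        hop=$((hop + 1))
    done
    # dig prints TXT strings quoted; strip the quotes, one value per line.
    dig +short @"$server" "$name" TXT | tr -d '"'
}

# Pure decision logic, kept separate so it can be tested without network.
# $2 holds one line per server: "<server> <txt-value> [<txt-value>...]".
# Exit 0 only when EVERY listed server serves the expected token.
all_servers_serve() {  # all_servers_serve <token> <results>
    token=$1 results=$2 rc=0
    [ -n "$results" ] || return 1
    old_ifs=$IFS
    IFS='
'
    for line in $results; do
        server=${line%% *}
        values=${line#* }
        [ "$values" = "$line" ] && values=""   # no TXT values at all
        case " $values " in
            *" $token "*) ;;
            *) printf '%s is not serving the token yet (got: %s)\n' \
                   "$server" "${values:-<nothing>}" >&2
               rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Poll the given servers until they all agree or the deadline passes.
# Usage: wait_for_propagation <name> <token> <timeout-seconds> <server>...
wait_for_propagation() {
    name=$1 token=$2 timeout=$3
    shift 3
    deadline=$(( $(date +%s) + timeout ))
    while :; do
        results=""
        for ns in "$@"; do
            values=$(query_txt_at "$ns" "$name" | tr '\n' ' ')
            results="$results$ns $values
"
        done
        all_servers_serve "$token" "$results" && return 0
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "timed out waiting for $name on: $*" >&2
            return 1
        fi
        sleep 5
    done
}
```

In a manual-auth-hook this would run right after the nsupdate, for example `wait_for_propagation "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" 300 ns1.zytor.com ns-global.kjsl.com || exit 1` (CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot exports to manual hooks). Listing the parent zone's secondaries alongside the intended single master is deliberate: a server that answers with an old or missing TXT record shows up in the hook's stderr by name instead of as an opaque validation failure from Let's Encrypt.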