My domain is:
superior.boulder.noaa.gov
I ran this command:
certbot certonly --manual \
  --manual-auth-hook "/home/eugene/api/scripts/letsencrypt/update/auth.sh auth" \
  --manual-cleanup-hook "/home/eugene/api/scripts/letsencrypt/update/auth.sh cleanup" \
  --preferred-challenges dns \
  -d superior.boulder.noaa.gov
It used to work 100%; now it fails with CAA or DNS lookup issues. It works, then it doesn't work.
The operating system my web server runs on is (include version):
Debian 9
certbot --version
certbot 0.28.0
I have a coworker and they see the same flakiness. They are probably on Red Hat, using the same script.
auth.sh is just a way to insert the record using nsupdate. If it makes a difference, we initially create a CNAME to a dynamic zone. We leave the CNAME but then we point it to a DNS TXT record.
So _acme-challenge.superior.boulder.noaa.gov CNAMEs to _acme-challenge.superior.boulder.noaa.gov.letsencrypt.boulder.noaa.gov, a zone I control that has dynamic update.
I'll leave the last update TXT string, because it worked.
Noaa.gov is signed, my zone is not, if that makes a difference.
For the last few days, we get DNS timeouts on the TXT record or CAA lookup failures. Yet when I do a TXT lookup from some worldwide DNS resolvers, the record is there.
It just seems to be flaky.
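An added example (not the poster's auth.sh) of the hook pattern described in this thread: certbot's manual auth/cleanup hook that follows the _acme-challenge CNAME into a delegated dynamic zone, adds the TXT record with nsupdate, and then refuses to return to certbot until several public resolvers actually serve the token, which is the check that catches the "it's there when I look, but the CA times out" flakiness. The zone, primary server and TSIG key path are placeholders; CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot exports to manual hooks.

```shell
#!/bin/sh
# Added example, not the poster's script. Placeholders below are assumptions:
# a delegated dynamic zone, its primary, and a TSIG key file for nsupdate.
ACME_ZONE="${ACME_ZONE:-letsencrypt.example.net}"
ACME_SERVER="${ACME_SERVER:-ns1.example.net}"
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/nsupdate.key}"

# Emit the nsupdate script for adding or deleting the validation TXT record.
# Pure text generation, so it can be reviewed without touching DNS.
build_update() {  # $1 = add|delete, $2 = TXT owner name, $3 = validation token
    printf 'server %s\n' "$ACME_SERVER"
    printf 'zone %s\n' "$ACME_ZONE"
    if [ "$1" = add ]; then
        printf 'update add %s 60 IN TXT "%s"\n' "$2" "$3"
    else
        printf 'update delete %s IN TXT\n' "$2"
    fi
    printf 'send\n'
}

# Follow the CNAME from _acme-challenge.<domain> to the name we really update;
# fall back to the bare name if there is no CNAME.
challenge_target() {  # $1 = domain
    t=$(dig +short CNAME "_acme-challenge.$1" | sed 's/\.$//')
    [ -n "$t" ] && printf '%s\n' "$t" || printf '_acme-challenge.%s\n' "$1"
}

# Poll public resolvers for the token on the ORIGINAL name, so the whole
# CNAME + TXT chain is checked the way the CA will see it. Returns 1 on timeout.
wait_for_txt() {  # $1 = name the CA queries, $2 = token, $3 = attempts
    i=0
    while [ "$i" -lt "$3" ]; do
        ok=1
        for r in 8.8.8.8 1.1.1.1 9.9.9.9; do
            dig +short @"$r" TXT "$1" | grep -qF "\"$2\"" || ok=0
        done
        [ "$ok" -eq 1 ] && return 0
        i=$((i + 1)); sleep 10
    done
    return 1
}

case "${1:-}" in
    auth)    name=$(challenge_target "$CERTBOT_DOMAIN")
             build_update add "$name" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
             wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" 18 ;;
    cleanup) name=$(challenge_target "$CERTBOT_DOMAIN")
             build_update delete "$name" "" | nsupdate -k "$TSIG_KEY" ;;
esac
```

If wait_for_txt exhausts its attempts the hook exits non-zero and certbot aborts the challenge before the CA ever queries, which turns a silent intermittent failure into a visible one.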