We have tried requesting a cert for this domain for a few days now and have verified that the DNS is set up and working fine for this domain, yet from the Let's Encrypt side, the DNS appears to be failing.
Algorithm: 8, 2 Labels, original TTL: 86400 sec, Signature-expiration: 20.05.2019, 05:29:22, Signature-Inception: 13.05.2019, 04:19:22, KeyTag 3800, Signer-Name: com
• Status: Good - Algorithmus 8 and DNSKEY with KeyTag 3800 used to validate the DS RRSet in the parent zone
0 DNSKEY RR found
Fatal error: Parent zone has a signed DS RR (Algorithm 8, KeyTag 2716, DigestType 2, Digest XI8Tv3rf0x5rbtaiEHAIM3zHNBVYBMsIwLz/X7LC9nA=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
The parent zone (the com zone) has a DS RR, that says: ~~ "DNSSEC is configured".
But there is no DNSKEY with the values of the parent DS, so your zone isn't signed.
That's a fatal error, so your IP addresses aren't signed, so they are invalid.
So Let's Encrypt can't find a valid IP address.
Fix your DNSSEC or remove the DS in the parent zone. But fixing is better, DNSSEC is a great feature.
PS: Your nameservers are terrible:
Fatal error: Nameserver isn't defined or has timeout
Fatal error: Nameserver doesn't support TCP connection: ns1.mywahosting.com: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 107.21.5.109:53
Fatal error: Nameserver doesn't support TCP connection: ns1.mywahosting.com / 107.21.5.109: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 107.21.5.109:53
Fatal error: Nameserver doesn't support TCP connection: ns2.mywahosting.com: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 107.23.117.42:53
Fatal error: Nameserver doesn't support TCP connection: ns2.mywahosting.com / 107.23.117.42: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 107.23.117.42:53
Authoritative nameservers must support TCP-connections.
Looks like there is no DNSSEC validation.
PS: My internet provider (Deutsche Telekom) uses a validating Nameserver.
So I can't visit your website: Site not found.
A wrong DNSSEC blocks users with validating nameservers, that's good.
I’m pretty sure that if your DNS issues are fixed, getting a certificate will go without a hitch. This obviously is what DNSSEC is for. Let’s Encrypt, if implemented somewhere in the DNS query path, will enforce DNSSEC and with good reason. DNS poisoning/spoofing is a method to get a certificate illegitimately.
It is now clear what happened. The owner of this domain recently changed nameservers and now the new nameservers do not have the DNSSEC keys set up. Thanks for your help.
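The DS-to-DNSKEY comparison that failed in this thread can be reproduced offline to check a delegation before or after a nameserver move. This is an added example, not code from the thread or from the check tool quoted in it; the owner name `example.com`, the key material and the helper names are constructed, and the DS digest is handled in base64 because that is how the thread quotes it.

```python
import base64
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def ds_digest(owner: str, rdata: bytes) -> str:
    """DigestType 2: SHA-256 over owner name + DNSKEY RDATA, base64 as quoted in the thread."""
    return base64.b64encode(hashlib.sha256(wire_name(owner) + rdata).digest()).decode()

def check_ds(owner, ds, child_dnskeys):
    """ds = (key_tag, algorithm, digest_type, digest_b64); returns a status string."""
    tag, alg, dtype, digest = ds
    if dtype != 2:
        return "unsupported-digest-type"
    if not child_dnskeys:
        return "no-dnskey"   # the thread's case: DS in the parent, 0 DNSKEY RR in the child
    for rdata in child_dnskeys:
        if key_tag(rdata) == tag and rdata[3] == alg and ds_digest(owner, rdata) == digest:
            return "ok"
    return "no-match"        # child publishes keys, but not the one the parent DS pins

OWNER = "example.com"  # constructed; the thread does not name the domain
PAGE_DS = (2716, 8, 2, "XI8Tv3rf0x5rbtaiEHAIM3zHNBVYBMsIwLz/X7LC9nA=")  # DS quoted in the thread
OLD_KEY = dnskey_rdata(257, 3, 8, b"constructed-old-public-key")  # constructed, not real keys
NEW_KEY = dnskey_rdata(257, 3, 8, b"constructed-new-public-key")
OLD_DS = (key_tag(OLD_KEY), 8, 2, ds_digest(OWNER, OLD_KEY))

if __name__ == "__main__":
    print("thread's DS, new nameservers serve no DNSKEY:", check_ds(OWNER, PAGE_DS, []))
    print("old DS, new nameservers serve a new key:", check_ds(OWNER, OLD_DS, [NEW_KEY]))
    print("old DS, old key still published:", check_ds(OWNER, OLD_DS, [OLD_KEY]))
```

Anything other than `ok` for every DS in the parent means a validating resolver treats the zone as bogus, which is the state the domain was in after the nameserver change.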