This is where we need the DNS experts (and I’m not one). I’ll try and expand on my comments from before though, as I was rather brief in saying "I couldn’t verify with an authoritative DNS server for that domain name". My understanding is:
Let’s Encrypt needs to verify that you have control of the specific domain / subdomain (listen.bitcorner.de in this case), so it doesn’t just go to Google (or any other DNS provider) and ask for the IP address for the domain, because someone could be doing DNS spoofing or some other issue, so it asks your domain where the authoritative DNS servers are, so it can ask the appropriate, valid, authoritative DNS servers for your IP address.
Once it has the authoritative DNS servers, it checks with those for the IP address.
It is the stage where it’s trying to determine the authoritative DNS servers that it was failing for me. I can go to root-dns.netcup.net and get your IP, but I couldn’t obtain proof that root-dns.netcup.net was an authoritative DNS server for your domain.
A graphical representation of the issue (if that helps) … http://dnsviz.net/d/listen.bitcorner.de/dnssec/
My understanding is that if Let’s Encrypt can’t identify your authoritative DNS servers, and get the IP from them, it will fail. I’ve run checks in various places, and some succeed in getting an IP using a simple dig, whilst others fail. I suspect this is all to do with the same issue, and if the DNS providers that are checked just accept any answer (and hence are liable to spoofing) or if they check that everything is authoritative (like Let’s Encrypt does, amongst others) and hence fail to obtain the IP address.
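
A simplified model of the two lookup styles described in the post above, added here as an illustration; it is not part of the original post and not Let's Encrypt's resolver code. The server names, the domain and the addresses are constructed placeholders, and the response format is an assumption made for the example.

```python
# Constructed delegation data: server name -> {qname: response}.
# A response is ("referral", [nameservers]) or ("answer", ip, aa_flag).
# All names and addresses are placeholders, not real zones.
GOOD = {
    "root.test": {"listen.example.test": ("referral", ["ns.tld.test"])},
    "ns.tld.test": {"listen.example.test": ("referral", ["ns1.host.test"])},
    "ns1.host.test": {"listen.example.test": ("answer", "192.0.2.10", True)},
}
# Same zone, but the parent returns no referral: the hosting server still
# answers when asked directly, yet nothing in the chain points to it.
BROKEN = {
    "root.test": {"listen.example.test": ("referral", ["ns.tld.test"])},
    "ns.tld.test": {},
    "ns1.host.test": {"listen.example.test": ("answer", "192.0.2.10", True)},
}

def direct_lookup(servers, server, qname):
    """Ask one server directly and trust whatever it returns."""
    resp = servers.get(server, {}).get(qname)
    return resp[1] if resp and resp[0] == "answer" else None

def validated_lookup(servers, qname, start="root.test", max_hops=10):
    """Follow referrals from the top; accept only an authoritative answer
    from a server the chain delegated to. Returns (ip_or_None, path)."""
    pending, path = [start], []
    for _ in range(max_hops):
        if not pending:
            break                         # ran out of delegated servers to ask
        server = pending.pop(0)
        path.append(server)
        resp = servers.get(server, {}).get(qname)
        if resp is None:
            continue                      # no data from this server: try the next
        if resp[0] == "referral":
            pending = list(resp[1])       # descend one level in the delegation
        elif resp[0] == "answer" and resp[2]:
            return resp[1], path          # AA answer from a delegated server
    return None, path

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("broken", BROKEN)):
        print(label, direct_lookup(data, "ns1.host.test", "listen.example.test"),
              validated_lookup(data, "listen.example.test"))
```

With the broken data the direct query still returns an address while the delegation walk stops at the parent, which matches the mix of succeeding and failing checks described in the post.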