Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
*.soft-land.org: Certificate on remote domain does not match, ignoring remote certificate (*.davidebianchi.net != soft-land.org)
Domain list in existing certificate (*.soft-land.org,soft-land.org) does not match domains requested (*.soft-land.org), so recreating certificate
Registering account
Verify each domain
Verifying *.soft-land.org
checking DNS at gigan.onlyforfun.net
sleeping 60 seconds before asking the ACME server to check the dns
sending request to ACME server saying we're ready for challenge
checking if challenge is complete
Pending
checking if challenge is complete
Pending
checking if challenge is complete
Pending
checking if challenge is complete
Pending
checking if challenge is complete
Pending
checking if challenge is complete
getssl: *.soft-land.org:Verify error: "detail": "DNS problem: query timed out looking up TXT for _acme-challenge.soft-land.org",
My web server is (include version):
Apache/2.4.58 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 24.04.1 LTS
My hosting provider, if applicable, is:
Hetzner
I can login to a root shell on my machine (yes or no, or I don't know):
Yep
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Nope
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
DNS is tricky to debug, because nameservers are chosen at random when querying, so queries might work just fine one time but fail the next.
Anyway, if I run a dig +trace with the -6 option to force IPv6, I'm seeing some timeouts (and the authoritative DNS server doesn't accept IPv6 either, but that's not a timeout):
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
;; Received 795 bytes from 2001:500:2d::d#53(d.root-servers.net) in 11 ms
;; communications error to 2001:500:40::1#53: timed out
;; communications error to 2001:500:40::1#53: timed out
;; communications error to 2001:500:40::1#53: timed out
;; communications error to 2001:500:48::1#53: timed out
;; communications error to 2001:500:e::1#53: timed out
soft-land.org. 3600 IN NS gigan.onlyforfun.net.
;; Received 593 bytes from 2001:500:c::1#53(b0.org.afilias-nst.org) in 13 ms
;; communications error to 2a01:4f8:1c1e:dc3c::1#53: connection refused
;; no servers could be reached
(DNSSEC RR removed for clarity.)
I'm not sure if this is the exact reason why you got a timeout earlier, but it might be, as if I remove the -6 option so dig uses IPv4 as well as IPv6, I'm also seeing timeouts for 2001:500:48::1.
And 2001:500:48::1 is one of the .org. nameservers, so out of your control.
Let's Debug also currently sees no issues with the dns-01 challenge, which includes a test using the staging environment: Let's Debug. If the staging environment returned a timeout, Let's Debug should have picked that up.
So if this timeout indeed is caused by just a single .org. nameserver not responding over IPv6, trying again until it works could be a solution. (Just make sure you don't hammer the ACME server and run into the Authorization Failures per Hostname per Account rate limit.)
In your trace I see errors reported for at least 3 servers:
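Added example, not taken from any post in this thread or from getssl: a small Python script that reads the dig +trace output above and sorts the "communications error" lines by which zone's nameservers they hit and by IP family, so it is clear at a glance whether the failing servers belong to the .org TLD (outside your control) or are your own. It also builds the per-family dig query you can run yourself against each authoritative server for the _acme-challenge TXT record before telling the ACME server you are ready; note that -4/-6 only restricts your own diagnostic query, it does not influence which family the ACME server's validator uses. The sample trace is reconstructed from the post above (DNSSEC records omitted as in the post); the zone and server names are the thread's own, and the function names are this example's.

```python
"""Read a `dig +trace` run and report whose nameservers failed, over which IP family."""
import ipaddress
import re
import subprocess

# Constructed sample: reconstructed from the `dig -6 +trace` output posted in
# the thread (DNSSEC records omitted, as in the post).
SAMPLE_TRACE = """\
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
;; Received 795 bytes from 2001:500:2d::d#53(d.root-servers.net) in 11 ms
;; communications error to 2001:500:40::1#53: timed out
;; communications error to 2001:500:40::1#53: timed out
;; communications error to 2001:500:40::1#53: timed out
;; communications error to 2001:500:48::1#53: timed out
;; communications error to 2001:500:e::1#53: timed out
soft-land.org. 3600 IN NS gigan.onlyforfun.net.
;; Received 593 bytes from 2001:500:c::1#53(b0.org.afilias-nst.org) in 13 ms
;; communications error to 2a01:4f8:1c1e:dc3c::1#53: connection refused
;; no servers could be reached
"""

NS_RE = re.compile(r"^(?P<zone>\S+)\s+\d+\s+IN\s+NS\s+\S+$")
ERROR_RE = re.compile(
    r"^;; communications error to (?P<addr>[0-9A-Fa-f:.]+)#\d+: (?P<reason>.+)$"
)


def parse_trace(text):
    """Return (zone, address, ip_version, reason) for each communications error.

    dig prints a zone's NS set and then tries those servers, so an error line
    belongs to the zone whose NS records were printed most recently: errors
    after the `org.` NS set are .org TLD servers not answering, errors after
    the `soft-land.org.` NS set are the zone's own server not answering.
    """
    events = []
    zone = "."  # before any delegation is printed, dig is talking to the root
    for line in text.splitlines():
        ns = NS_RE.match(line)
        if ns:
            zone = ns.group("zone")
            continue
        err = ERROR_RE.match(line)
        if err:
            addr = ipaddress.ip_address(err.group("addr"))  # also tells us v4 vs v6
            events.append((zone, str(addr), addr.version, err.group("reason")))
    return events


def summarize(events, own_zone):
    """Split failures into the zone's own servers and everything upstream.

    Keys are (zone, "IPv4"/"IPv6", reason); values are the sorted distinct
    addresses. Upstream (TLD/root) failures are outside the zone owner's control.
    """
    own_zone = own_zone.rstrip(".") + "."
    report = {"own": {}, "upstream": {}}
    for zone, addr, version, reason in events:
        bucket = "own" if zone == own_zone else "upstream"
        report[bucket].setdefault((zone, f"IPv{version}", reason), set()).add(addr)
    return {b: {k: sorted(v) for k, v in d.items()} for b, d in report.items()}


def dig_txt_command(server, name, version, timeout=5):
    """Build a dig command that queries one server over one IP family only.

    -4/-6 restrict dig's own transport; the ACME server's validation cannot be
    forced this way. +tries=1 and +time make a dead server fail fast.
    """
    if version not in (4, 6):
        raise ValueError("version must be 4 or 6")
    return ["dig", f"-{version}", f"@{server}", name, "TXT", "+short",
            "+tries=1", f"+time={timeout}"]


def query_txt(server, name, version):
    """Run the dig command; return the TXT strings, or None if dig failed."""
    proc = subprocess.run(dig_txt_command(server, name, version),
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return [line.strip('"') for line in proc.stdout.splitlines() if line]


if __name__ == "__main__":
    report = summarize(parse_trace(SAMPLE_TRACE), "soft-land.org")
    for bucket, failures in report.items():
        for (zone, fam, reason), addrs in failures.items():
            print(f"{bucket:8} {zone:15} {fam} {reason}: {', '.join(addrs)}")
```

On the sample trace this reports three .org servers timing out over IPv6 (upstream, not yours to fix) and your own server refusing IPv6 connections; to pre-check a challenge, run query_txt against each authoritative server of the zone with version 4 and then 6 and confirm every one returns the expected token before the client tells the ACME server it is ready.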
;; communications error to 2001:500:40::1#53: timed out
;; communications error to 2001:500:48::1#53: timed out
;; communications error to 2001:500:e::1#53: timed out
And 2a01:4f8:1c1e:dc3c::1 is my server, and I'm pretty sure that works, so it seems an issue with IPv6. Is there any way to 'force' IPv4?
This is usually related to your DNS service provider, which did not push TXT records to all name servers in time. I have encountered similar issues on CloudFlare before.
You're correct, I glanced over the last few address bytes after the first few were the same.
There is not.
But not over IPv6, as I'm getting a "connection refused". It seems to be listening on IPv4 only.
That said, as mentioned earlier, I don't think your DNS server is the issue, but those of the .org. TLD. And those are outside of your control. You could complain to your registrar which then perhaps could complain to the people managing the .org. TLD to fix their IPv6 reachability.
Ok, in the meantime I tried using Certbot (that normally I don't use because it gave me a lot of issues with my old server, but I never tried with this one) and it worked. Still unclear what the issue was. Btw I've another domain to renew in a few days, so ... we'll see...
In the meantime, you can close this issue (even if it's not really 'resolved').
The error came from the ACME server and not from the client (getssl or Certbot), so I guess you just got lucky this time when using Certbot.
Might still help to complain to your registrar though.
We don't close threads manually if we don't need to (that's for abuse/spam etc.). You can select a post as solution using the check mark logo, which marks the thread as "solved". Stale threads will get closed eventually after 30 days of idling though.