DNS resolution problem during issuance for one domain


#1

Hey all,

yesterday I set a new A record for a domain (prost-mahlzeit.de). I also set the same A record for www of that domain.
Just as I always do.

Waited a little, then tried to use the le script to issue an ssl cert, just like I always do. And usually it works fine, unless I accidentally mistype in my A records.

But with this domain, it just doesn't work.

I checked using dnschecker.org if the new routing has already propagated, used dig in my console and it seems to be resolving to the desired IP - for www and non www.

I tried again this morning, because I thought, ok, maybe this domain just needs a little bit more time or something. But same result: unable to verify www resolution.

Hm, so I went back to my DNS settings and changed the setup a little, removing the A record for www.prost-mahlzeit.de and instead adding a CNAME entry which resolves to prost-mahlzeit.de.

I am using another domain on the same server with exactly this setup and there is no issue running letsencrypt for that domain. It is the only domain which is set up with a CNAME for the www version instead of a separate A record.

I thought I'd give it a try, in case le just doesn't want to see my A record for www, but same result. I can't get le to issue a cert for that domain. Pulling my hair out. Is this some kind of cache issue on le's side?
Is there a way to push a cache clear request for a certain domain towards le system?

EDIT: ok and now I am seeing a new message from le in my console:

An unexpected error occurred:

There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

lol. thanks bot! I tried it about 26 times over the last 24 hours - so roughly tried it once per hour. Why is this too much? DNS is set correctly. I can't help it if you are using cached values, you bot. TTL is set to 1 hour hostwise; so why should I not try roughly once per hour??


LE Using Cached DNS lookups during DV process
#2

Please create your own topic to address this issue instead of resurrecting ancient threads, this one was dead for two and a half years.

Any mods want to split into a new topic?


#3

@lestaff

20chars…


#4

Unfortunately that took long enough that many forum users might still not notice this thread because it’s not going to be very high up in the threads list.


#6

Let’s Encrypt doesn’t use cached DNS, but rather checks your authoritative DNS servers. Could you provide the exact and complete output from the attempts before the rate limits? That will give us some really important context.

As for the rate limits, you get five failed validations per hour, and that’s a rolling window. So, if you attempt to issue a certificate less frequently than once every 12 minutes, you should be fine.

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems.
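As an added illustration of the rolling-window limit described in this reply (example code, not part of the original thread or of Let's Encrypt's software): a small Python replay of failed-authorization timestamps against the 5-per-hour window. The attempt schedules are constructed, and it is assumed here that an order rejected by the rate limit does not itself count as a new failure.

```python
from collections import deque
from datetime import datetime, timedelta

# Failed Validation limit as stated in the reply above:
# 5 failures per account, per hostname, per rolling hour.
FAILED_VALIDATION_LIMIT = 5
WINDOW = timedelta(hours=1)


def rejected_attempts(attempt_times, limit=FAILED_VALIDATION_LIMIT, window=WINDOW):
    """Replay failed-authorization timestamps (oldest first) for one
    account + hostname and return the attempts the rolling window would
    reject with "too many failed authorizations recently".

    Assumption (not from the page): a rejected order never reaches
    validation, so it does not add a failure to the window.
    """
    recent = deque()  # timestamps of counted failures still inside the window
    rejected = []
    for t in attempt_times:
        # Slide the window: drop failures that are a full hour old or older.
        while recent and t - recent[0] >= window:
            recent.popleft()
        if len(recent) >= limit:
            rejected.append(t)
        else:
            recent.append(t)
    return rejected


def every(minutes, count, start=datetime(2020, 1, 1)):
    """Constructed schedule: `count` attempts spaced `minutes` apart."""
    return [start + timedelta(minutes=minutes * i) for i in range(count)]


if __name__ == "__main__":
    # Once per hour for 26 attempts (the poster's schedule): never rejected.
    print("hourly:", len(rejected_attempts(every(60, 26))))
    # Every 10 minutes: the 6th attempt in the first hour trips the limit.
    print("every 10 min:", rejected_attempts(every(10, 12)))
    # Every 12 minutes: exactly 5 per hour, so the window never overflows.
    print("every 12 min:", len(rejected_attempts(every(12, 10))))
```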


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.