Facing this issue for the past 4 days and couldn't get any clue to resolve it.
Kindly help us in debugging this issue ASAP, as these sites were facing a certificate exception.
Let's Encrypt decreased the EDNS size from 4096 to 512 bytes two weeks ago, making TCP fallback more common.
I'm not sure why TCP fallback would happen in this case, but https://unboundtest.com/ -- which is similar to the Let's Encrypt resolvers -- seems to be doing it regardless.
Try fixing TCP?
Edit: Ah-ha, the culprit is ginormous (okay, ~1100 byte) authority and additional sections in the CNAME response, demonstrated by "dig +norecurse support.cologlobal.com @ns2.hspheredns.com".
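To make the size problem concrete, here is an added example (not code from the thread or from Let's Encrypt) that assembles a CNAME response in DNS wire format with a padded authority section of NS records and glue A records in the additional section, then checks whether it fits the advertised EDNS UDP buffer. All names and addresses are constructed; real servers also use name compression, so this uncompressed encoding slightly overestimates the on-the-wire size.

```python
import struct

def encode_name(name):
    """Dotted name -> uncompressed wire format (length-prefixed labels, zero terminator)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def rr(owner, rtype, rdata, ttl=300):
    """One resource record: NAME, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_cname_response(qname, target, zone, ns_hosts, glue):
    """Constructed authoritative response: CNAME answer, NS records for the
    target's zone in AUTHORITY, and A glue for each nameserver in ADDITIONAL.
    Returns (wire bytes, per-section byte counts)."""
    answer = [rr(qname, 5, encode_name(target))]                       # CNAME
    authority = [rr(zone, 2, encode_name(h)) for h in ns_hosts]        # NS
    additional = [rr(h, 1, bytes(int(o) for o in ip.split(".")))       # A glue
                  for h, ip in glue.items()]
    # ID, flags (QR=1, AA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1,
                         len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", 5, 1)           # QTYPE CNAME, IN
    sections = {"answer": b"".join(answer),
                "authority": b"".join(authority),
                "additional": b"".join(additional)}
    wire = header + question + b"".join(sections.values())
    return wire, {k: len(v) for k, v in sections.items()}

def fits_udp(msg, edns_bufsize):
    """True if the whole message fits the EDNS buffer the resolver advertised.
    If not, the server answers truncated (TC=1) and the resolver must retry over
    TCP, which is where the nameservers in this thread fall over."""
    return len(msg) <= edns_bufsize

if __name__ == "__main__":
    # Nine nameservers with glue is enough to blow past a 512-byte buffer.
    ns = ["ns%d.provider.example" % i for i in range(1, 10)]
    glue = {h: "192.0.2.%d" % i for i, h in enumerate(ns, 1)}
    msg, sizes = build_cname_response("support.example.com", "host.provider.example",
                                      "provider.example", ns, glue)
    print(len(msg), sizes)
    for bufsize in (512, 4096):
        print("EDNS %d: %s" % (bufsize, "ok over UDP" if fits_udp(msg, bufsize)
                               else "TC=1, TCP fallback required"))
```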
Thanks @mnordhoff, @_az - I thoroughly appreciate your DNS debugging! It's a huge help.
@Devarajan Issuing a certificate for these names will require the authoritative nameserver providers to support TCP fallback or to reduce the size of the responses being returned. Do you operate these nameservers yourself or is it a customer?
@cpu those domains are our customer domains and we have informed them about the issue.
Is your system attempting renewals with enough lead-time?
Yes. We are renewing certificates 30 days before their expiry. Since these domains failed DCV during the renewal schedule, they were deleted and the certificate reissued and pushed to the SSL offloader for deployment. Hence the certificate exception for those domains.