Error: one or more domains had a problem

Hi there!
I have a problem: when I try to issue an SSL certificate for my own website I get this error:

Found wildcard domain name and http challenge type, switching to dns-01 validation.
2023/10/11 12:52:29 [INFO] [webhostmost.com, *.webhostmost.com] acme: Obtaining SAN certificate
2023/10/11 12:52:30 [INFO] [*.webhostmost.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/272823402876
2023/10/11 12:52:30 [INFO] [webhostmost.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/272840448256
2023/10/11 12:52:30 [INFO] [webhostmost.com] acme: authorization already valid; skipping challenge
2023/10/11 12:52:30 [INFO] [*.webhostmost.com] acme: use dns-01 solver
2023/10/11 12:52:30 [INFO] [*.webhostmost.com] acme: Preparing to solve DNS-01
2023/10/11 12:52:36 2023/10/11 12:52:30  info executing task            task=action=dns&do=delete&domain=webhostmost.com&name=_acme-challenge&type=TXT
2023/10/11 12:52:33  info executing task            task=action=dns&do=add&domain=webhostmost.com&name=_acme-challenge&named_reload=yes&ttl=5&type=TXT&value=%222mgR5Le3VaNDOuogM08YYeieeX61u534h1YqHjFuPOU%22

2023/10/11 12:52:36 [INFO] [*.webhostmost.com] acme: Trying to solve DNS-01
2023/10/11 12:52:36 [INFO] [*.webhostmost.com] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2023/10/11 12:53:06 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2023/10/11 12:53:16 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:53:56 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:54:36 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:55:16 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:55:56 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:56:36 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:57:16 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:57:56 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:58:26 [INFO] [*.webhostmost.com] acme: Cleaning DNS-01 challenge
2023/10/11 12:58:29 2023/10/11 12:58:26  info executing task            task=action=dns&do=delete&domain=webhostmost.com&name=_acme-challenge&type=TXT

2023/10/11 12:58:29 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/272823402876
2023/10/11 12:58:29 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/272840448256
2023/10/11 12:58:30 Could not obtain certificates:
	error: one or more domains had a problem:
[*.webhostmost.com] time limit exceeded: last error: read udp [2600:1900:4000:e094:0:b::]:38864->[2600:1900:4010:66db:0:5::]:53: i/o timeout
Certificate generation failed.

My config: 2 servers (server1.webhostmost.com / server2.webhostmost.com)
and the TLD webhostmost.com.
All needed ports are already open, I don't know what to do.

It would have been helpful to have more answers to the form you were shown.

But, that looks like you are using lego. In that case lego makes a test query for the _acme-challenge.webhostmost.com TXT record in your DNS. In this case it is timing out after its default 5min period. You might try just making it wait longer.

I see that TXT record now on unboundtest. I am a little surprised to see it because it looks like lego deleted it at the end. You can see it here using https://unboundtest.com

https://unboundtest.com/m/TXT/_acme-challenge.webhostmost.com/ZGCPMJ3C

You could also try disabling that check. It is just something lego does before actually requesting the cert. Perhaps there is some problem with your system that Let's Encrypt itself would not run into.

I see you recently got certs so did you get this working?

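As an added example that is not part of this thread or of lego itself, here is a small Python script that reads lego log lines like the ones quoted in the question and summarises why the dns-01 propagation check failed: which resolver lego queried and its address family, the configured timeout, how long it kept waiting, and whether the final error was an i/o timeout on UDP 53 over IPv6. The sample log is constructed from the lines in the question; the field names and the verdict text are my own.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample: a subset of the lego log quoted in the question above.
SAMPLE_LOG = """\
2023/10/11 12:52:36 [INFO] [*.webhostmost.com] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2023/10/11 12:53:06 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2023/10/11 12:53:16 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:53:56 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:57:56 [INFO] [*.webhostmost.com] acme: Waiting for DNS record propagation.
2023/10/11 12:58:26 [INFO] [*.webhostmost.com] acme: Cleaning DNS-01 challenge
[*.webhostmost.com] time limit exceeded: last error: read udp [2600:1900:4000:e094:0:b::]:38864->[2600:1900:4010:66db:0:5::]:53: i/o timeout
"""

TS = "%Y/%m/%d %H:%M:%S"
RESOLVER_RE = re.compile(r"propagation using \[\[?([^\]]+)\]?:(\d+)\]")
TIMEOUT_RE = re.compile(r"read (udp|tcp) \[?([^\]\s]+?)\]?:\d+->\[?([^\]\s]+?)\]?:(\d+): i/o timeout")
LIMIT_RE = re.compile(r"Wait for propagation \[timeout: ([^,]+), interval: ([^\]]+)\]")

def diagnose(log: str) -> dict:
    """Summarise why a lego dns-01 propagation check failed, from its log text."""
    result = {"resolver": None, "resolver_family": None, "timeout_setting": None,
              "waits": 0, "wait_seconds": 0, "timeout_family": None,
              "verdict": "no propagation failure seen"}
    first = last = None
    for line in log.splitlines():
        if m := RESOLVER_RE.search(line):          # resolver lego queries for the TXT record
            result["resolver"] = m.group(1)
            result["resolver_family"] = ip_address(m.group(1)).version
        if m := LIMIT_RE.search(line):             # the configured timeout (5m0s by default here)
            result["timeout_setting"] = m.group(1)
        if "Waiting for DNS record propagation" in line:
            result["waits"] += 1
            t = datetime.strptime(line[:19], TS)
            first, last = first or t, t
        if m := TIMEOUT_RE.search(line):           # the final i/o timeout on the UDP read
            fam = ip_address(m.group(3)).version
            result["timeout_family"] = fam
            result["verdict"] = (f"{m.group(1)}/{m.group(4)} to an IPv{fam} resolver timed out: "
                                 f"check outbound {m.group(1).upper()} {m.group(4)} and IPv{fam} "
                                 "egress on this host's firewall")
    if first and last:
        result["wait_seconds"] = int((last - first).total_seconds())
    return result

if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the log in this thread the verdict points at outbound UDP 53 over IPv6, which matches the firewall issue the original poster later found.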

Hello, thanks for the answer. I got the certs one by one; this is the log from the wildcard. I will try your ideas.
UPD: But how do I disable that check or change the default time in this case?

You can see the DNS solver settings at the lego docs (link here)

But, you might just have a general problem with your IPv6 comms. What do these show?

curl -4 -m5 https://ifconfig.io
curl -6 -m5 https://ifconfig.io

Hi, I think it really is some trouble with IPv6, but I can't find the problem. The commands above show correct IPs (screenshots not included).


I thought IPv6 might not even work outbound but it does. I am not sure exactly what to suggest. Perhaps others will.

What I noticed, apart from the IPv6 address in the error message, is that requests to your root domain respond differently between IPv4 and v6.

Something is wrong either with the IPv6 address or perhaps the LiteSpeed config. This isn't directly related to why lego's DNS query fails. But, this should be fixed also and probably is related somehow.

IPv6 request to your root domain sees a cert for server1
echo | openssl s_client -6 -connect webhostmost.com:443 | head

 0 s:CN = server1.webhostmost.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 11 11:07:55 2023 GMT; NotAfter: Jan  9 11:07:54 2024 GMT

But, an IPv4 request sees the correct cert
echo | openssl s_client -4 -connect webhostmost.com:443 | head

 0 s:CN = webhostmost.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 11 15:45:23 2023 GMT; NotAfter: Jan  9 15:45:22 2024 GMT

Hi Mike, I resolved my problem.
The problem was inside the firewall of the VPS owner, specifically for my 2nd server. I opened the necessary ports, like 53, 80 and 443, and that solved it. Thank you!
