LEGO DNS-01 times out, if I use --dns.disable-cp, it doesn't find the TXT record

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

 sudo NAMECHEAP_API_USER=XXXX NAMECHEAP_API_KEY=XXXX /usr/local/bin/lego --email="<email>" --accept-tos  --path="/etc/lego" --domains="*.itismyexperience.com" --dns="namecheap"   --dns.disable-cp renew

It produced this output:

2022/04/25 08:51:35 [INFO] [*.itismyexperience.com] acme: Trying renewal with -36 hours remaining
2022/04/25 08:51:35 [INFO] [*.itismyexperience.com] acme: Obtaining bundled SAN certificate
2022/04/25 08:51:36 [INFO] [*.itismyexperience.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/101898683587
2022/04/25 08:51:36 [INFO] [*.itismyexperience.com] acme: use dns-01 solver
2022/04/25 08:51:36 [INFO] [*.itismyexperience.com] acme: Preparing to solve DNS-01
2022/04/25 08:51:37 [INFO] [*.itismyexperience.com] acme: Trying to solve DNS-01
2022/04/25 08:51:37 [INFO] [*.itismyexperience.com] acme: Checking DNS record propagation using [172.31.0.2:53]
2022/04/25 08:51:37 [INFO] Wait for propagation [timeout: 1h0m0s, interval: 15s]
2022/04/25 08:51:40 [INFO] [*.itismyexperience.com] acme: Cleaning DNS-01 challenge
2022/04/25 08:51:41 acme: Error -> One or more domains had a problem:
[*.itismyexperience.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.itismyexperience.com - check that a DNS record exists for this domain, url:

Then I ran this command:

 sudo NAMECHEAP_API_USER=XXXXX NAMECHEAP_API_KEY=XXXXXX /usr/local/bin/lego --email="<email>" --accept-tos  --path="/etc/lego" --domains="*.itismyexperience.com" --dns="namecheap"   renew

without --dns.disable-cp, and got this output:

2022/04/25 14:03:02 [INFO] [*.itismyexperience.com] acme: Trying renewal with -40 hours remaining
2022/04/25 14:03:02 [INFO] [*.itismyexperience.com] acme: Obtaining bundled SAN certificate
2022/04/25 14:03:02 [INFO] [*.itismyexperience.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/101969948747
2022/04/25 14:03:02 [INFO] [*.itismyexperience.com] acme: use dns-01 solver
2022/04/25 14:03:02 [INFO] [*.itismyexperience.com] acme: Preparing to solve DNS-01
2022/04/25 14:03:03 [INFO] [*.itismyexperience.com] acme: Trying to solve DNS-01
2022/04/25 14:03:03 [INFO] [*.itismyexperience.com] acme: Checking DNS record propagation using [172.31.0.2:53]
2022/04/25 14:03:03 [INFO] Wait for propagation [timeout: 1h0m0s, interval: 15s]
2022/04/25 14:03:03 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:03:18 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:03:33 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:03:48 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:04:03 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:04:18 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:04:33 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.

timed out after an hour.

If I verify that the TXT record is set and then cancel this and try again with the --dns.disable-cp flag, it works and I get a new certificate.

However, I suspect that this is why my renewal scripts are not working. It seems like the Namecheap API isn't setting the TXT record fast enough for LEGO. Is there a way to make LEGO a little more patient?

My web server is (include version):
Bitnami Apache2

The operating system my web server runs on is (include version):
Ubuntu 16.04.7 LTS

My hosting provider, if applicable, is:
AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Lego 4.5.3

Maybe this?

--dns-timeout value

Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name servers queries. (default: 10)

From here:
https://go-acme.github.io/lego/usage/cli/

3 Likes

Thanks! I'll try resurrecting an old cert and see if that works.

1 Like

Nope. 🙁 Set it to 30 seconds and it failed in 5 seconds.

2022/04/25 19:25:19 [INFO] [*.itismyexperience.com] acme: Trying renewal with 17 hours remaining
2022/04/25 19:25:19 [INFO] [*.itismyexperience.com] acme: Obtaining bundled SAN certificate
2022/04/25 19:25:20 [INFO] [*.itismyexperience.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/102045836817
2022/04/25 19:25:20 [INFO] [*.itismyexperience.com] acme: use dns-01 solver
2022/04/25 19:25:20 [INFO] [*.itismyexperience.com] acme: Preparing to solve DNS-01
2022/04/25 19:25:21 [INFO] [*.itismyexperience.com] acme: Trying to solve DNS-01
2022/04/25 19:25:21 [INFO] [*.itismyexperience.com] acme: Checking DNS record propagation using [172.31.0.2:53]
2022/04/25 19:25:21 [INFO] Wait for propagation [timeout: 1h0m0s, interval: 15s]
2022/04/25 19:25:24 [INFO] [*.itismyexperience.com] acme: Cleaning DNS-01 challenge
2022/04/25 19:25:25 acme: Error -> One or more domains had a problem:
[*.itismyexperience.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.itismyexperience.com - check that a DNS record exists for this domain, url:

30 seconds can be too low, try for 5 or even 10 minutes. (There even are DNS providers requiring absurd delays like 24 hours...)

3 Likes

It's failing well before the default timeout value of 10 seconds....

Has this exact command syntax ever worked?
[is this the first time?]

I'm not familiar with lego, but it seems to be missing some things.

2 Likes

I don't think so. When I first requested the wildcard cert about 3 months ago, I ran into the timeout issue and only afterwards found --dns.disable-cp, so by the time I got around to using it, the TXT record had been there for a while.

I just tried with 300 seconds and it failed in 5 seconds.

Weird, why would it do that?

I don't have any lego experience, so I don't have the answer. Lego shouldn't just quit like that IMO.

2 Likes

Am I in the right place to get Lego advice?

Something is amiss, four certs have been issued today:

1 Like

Exactly why I asked about the command syntax - but the answer failed to clear my suspicion.

1 Like

I'm sorry if my original post wasn't clear. Yes, I successfully received 4 certs today. I have 4 servers on 4 subdomains and sometimes swap the staging and production servers so I give them all the same wildcard cert.

I only managed to get them by hacking Lego, first running it without --dns.disable-cp for a few seconds. That set the TXT record. Then canceling and rerunning with --dns.disable-cp.

1 Like
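The workaround described in the post above (run lego once so the Namecheap provider creates the TXT record, confirm the record is visible, then rerun with --dns.disable-cp) can be automated with an external propagation check that runs before the --dns.disable-cp renewal. The --dns-timeout flag quoted earlier in the thread is only a per-query timeout for the authoritative nameserver lookups, not a wait for the record to appear, which is why raising it changed nothing. The script below is an added example and is not from the thread or the lego project. It assumes `dig` is installed; the ZONE, TOKEN and timing arguments are placeholders. It queries each authoritative nameserver of the zone directly rather than the local recursive resolver (172.31.0.2 in the logs above), so a cached negative answer at that resolver cannot mask a record that has already been published.

```shell
#!/bin/sh
# Added example, not code from the thread or the lego project.
# Gate for the "--dns.disable-cp" renewal: poll every authoritative
# nameserver of ZONE until _acme-challenge.ZONE has the expected TXT
# record, then exit 0 so the renewal can proceed. Requires dig.
#
# Usage: sh wait_txt.sh ZONE [TOKEN] [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
#   ZONE     zone holding the record (placeholder, e.g. itismyexperience.com)
#   TOKEN    exact challenge value to wait for; empty accepts any TXT value
#   TIMEOUT  give up after this many seconds (default 600)
#   INTERVAL seconds between polls (default 15)

# txt_present OUTPUT [TOKEN]
# OUTPUT is `dig +short TXT` text: one quoted string per answer, long
# values split as "part1" "part2". Returns 0 when at least one answer is
# present and, if TOKEN is given, one of the joined values equals it.
txt_present() {
    _out=$1
    _tok=${2:-}
    # join split strings, strip the surrounding quotes, drop blank lines
    _values=$(printf '%s\n' "$_out" | sed 's/" "//g; s/^"//; s/"$//; /^$/d')
    if [ -z "$_values" ]; then
        return 1
    fi
    if [ -z "$_tok" ]; then
        return 0
    fi
    printf '%s\n' "$_values" | grep -qxF -- "$_tok"
}

# authoritative_ns ZONE: hostnames of the zone's NS records, one per line.
authoritative_ns() {
    dig +short NS "$1" | sed 's/\.$//'
}

# query_txt NAMESERVER NAME: ask one authoritative server directly, so a
# cached NXDOMAIN at the local recursive resolver cannot hide the record.
query_txt() {
    dig +short @"$1" TXT "$2"
}

# wait_for_txt ZONE [TOKEN] [TIMEOUT] [INTERVAL]: returns 0 once every
# authoritative server answers, 1 on timeout or when no NS is found.
wait_for_txt() {
    _zone=$1
    _tok=${2:-}
    _timeout=${3:-600}
    _interval=${4:-15}
    _name="_acme-challenge.$_zone"
    _elapsed=0
    while [ "$_elapsed" -lt "$_timeout" ]; do
        _missing=0
        _servers=$(authoritative_ns "$_zone")
        if [ -z "$_servers" ]; then
            _missing=1
            printf '%s no NS records found for %s\n' "$(date +%T)" "$_zone" >&2
        fi
        for _ns in $_servers; do
            if ! txt_present "$(query_txt "$_ns" "$_name")" "$_tok"; then
                _missing=1
                printf '%s %s not yet visible on %s\n' "$(date +%T)" "$_name" "$_ns" >&2
            fi
        done
        if [ "$_missing" -eq 0 ]; then
            return 0
        fi
        sleep "$_interval"
        _elapsed=$((_elapsed + _interval))
    done
    return 1
}

# Only act when invoked with arguments, so sourcing the file is harmless.
if [ "$#" -ge 1 ]; then
    wait_for_txt "$1" "${2:-}" "${3:-600}" "${4:-15}"
fi
```

Start the --dns.disable-cp renewal only after this exits 0. Without a TOKEN argument it accepts any TXT value at _acme-challenge, so a stale record left by an earlier run would also satisfy it; passing the exact challenge value is the stricter check when you have it.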

Now you are way off course (for this forum).
If increasing the wait time doesn't do the trick, then I'm out of ideas.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.