Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
sudo NAMECHEAP_API_USER=XXXX NAMECHEAP_API_KEY=XXXX /usr/local/bin/lego --email="<email>" --accept-tos --path="/etc/lego" --domains="*.itismyexperience.com" --dns="namecheap" --dns.disable-cp renew
It produced this output:
2022/04/25 08:51:35 [INFO] [*.itismyexperience.com] acme: Trying renewal with -36 hours remaining
2022/04/25 08:51:35 [INFO] [*.itismyexperience.com] acme: Obtaining bundled SAN certificate
2022/04/25 08:51:36 [INFO] [*.itismyexperience.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/101898683587
2022/04/25 08:51:36 [INFO] [*.itismyexperience.com] acme: use dns-01 solver
2022/04/25 08:51:36 [INFO] [*.itismyexperience.com] acme: Preparing to solve DNS-01
2022/04/25 08:51:37 [INFO] [*.itismyexperience.com] acme: Trying to solve DNS-01
2022/04/25 08:51:37 [INFO] [*.itismyexperience.com] acme: Checking DNS record propagation using [172.31.0.2:53]
2022/04/25 08:51:37 [INFO] Wait for propagation [timeout: 1h0m0s, interval: 15s]
2022/04/25 08:51:40 [INFO] [*.itismyexperience.com] acme: Cleaning DNS-01 challenge
2022/04/25 08:51:41 acme: Error -> One or more domains had a problem:
[*.itismyexperience.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.itismyexperience.com - check that a DNS record exists for this domain, url:
Then I ran this command:
sudo NAMECHEAP_API_USER=XXXXX NAMECHEAP_API_KEY=XXXXXX /usr/local/bin/lego --email="<email>" --accept-tos --path="/etc/lego" --domains="*.itismyexperience.com" --dns="namecheap" renew
without --dns.disable-cp
And got this output:
2022/04/25 14:03:02 [INFO] [*.itismyexperience.com] acme: Trying renewal with -40 hours remaining
2022/04/25 14:03:02 [INFO] [*.itismyexperience.com] acme: Obtaining bundled SAN certificate
2022/04/25 14:03:02 [INFO] [*.itismyexperience.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/101969948747
2022/04/25 14:03:02 [INFO] [*.itismyexperience.com] acme: use dns-01 solver
2022/04/25 14:03:02 [INFO] [*.itismyexperience.com] acme: Preparing to solve DNS-01
2022/04/25 14:03:03 [INFO] [*.itismyexperience.com] acme: Trying to solve DNS-01
2022/04/25 14:03:03 [INFO] [*.itismyexperience.com] acme: Checking DNS record propagation using [172.31.0.2:53]
2022/04/25 14:03:03 [INFO] Wait for propagation [timeout: 1h0m0s, interval: 15s]
2022/04/25 14:03:03 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:03:18 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:03:33 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:03:48 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:04:03 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:04:18 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
2022/04/25 14:04:33 [INFO] [*.itismyexperience.com] acme: Waiting for DNS record propagation.
It timed out after an hour.
If I verify that the TXT record is set and then cancel this and try again with the --dns.disable-cp flag, it works and I get a new certificate.
However, I suspect that this is why my renewal scripts are not working. It seems like the Namecheap API isn't setting the TXT record fast enough for LEGO. Is there a way to make LEGO a little more patient?
My web server is (include version):
Bitnami Apache2
The operating system my web server runs on is (include version):
Ubuntu 16.04.7 LTS
My hosting provider, if applicable, is:
AWS EC2
I can log in to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Lego 4.5.3
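One way to see whether the _acme-challenge TXT record has reached every nameserver before validation is attempted, as an added example that is not part of the original post and not lego's own code: it lists the nameservers that do not yet serve the record and polls until all of them do. The nameserver names, the example.com record and the fake lookup in main are constructed; queryNS is the live lookup to pass in instead.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"time"
)

type lookupFunc func(ctx context.Context, ns, fqdn string) ([]string, error) // TXT values one nameserver serves

// queryNS asks one nameserver directly rather than the system resolver.
func queryNS(ctx context.Context, ns, fqdn string) ([]string, error) {
	dial := func(ctx context.Context, network, _ string) (net.Conn, error) {
		return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(ns, "53"))
	}
	return (&net.Resolver{PreferGo: true, Dial: dial}).LookupTXT(ctx, fqdn)
}

// missingOn lists nameservers not serving a TXT record; lookup errors count as missing.
func missingOn(ctx context.Context, fqdn string, nameservers []string, lookup lookupFunc) (missing []string) {
	for _, ns := range nameservers {
		if vals, err := lookup(ctx, ns, fqdn); err != nil || len(vals) == 0 {
			missing = append(missing, ns)
		}
	}
	return missing
}

// waitPropagated polls up to attempts times; returns polls used and nameservers still missing.
func waitPropagated(ctx context.Context, fqdn string, nameservers []string, lookup lookupFunc, attempts int, interval time.Duration) (polls int, missing []string) {
	for polls = 1; ; polls++ {
		if missing = missingOn(ctx, fqdn, nameservers, lookup); len(missing) == 0 || polls >= attempts {
			return polls, missing
		}
		time.Sleep(interval)
	}
}

func main() {
	// Constructed stand-in for queryNS: ns2 errors on its first two polls.
	hits := map[string]int{}
	fake := func(_ context.Context, ns, _ string) ([]string, error) {
		if hits[ns]++; ns == "ns2.example.net" && hits[ns] < 3 {
			return nil, fmt.Errorf("NXDOMAIN")
		}
		return []string{"constructed-value"}, nil
	}
	fmt.Println(waitPropagated(context.Background(), "_acme-challenge.example.com.", []string{"ns1.example.net", "ns2.example.net"}, fake, 5, time.Millisecond))
}
```

A nameserver that stays in the returned list after the last poll is the one still answering without the record, which is the condition under which a validation request fails with NXDOMAIN.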