In the thread linked above there is a discussion that it seems that the DNS servers that LE uses are slow to update when changes are made. The net result of the discussion is that LE uses the authoritative name servers for the actual domain and there is no delay.
I don’t believe that is the case … has that changed since last year?
Over the past several weeks I have been helping people set up their email service, part of which is creating CNAME records and then provisioning SSL certs for the subdomains. VERY often the certificate request fails for reasons such as
Error: http://mail.domain.tld/.well-known/acme-challenge/letsencrypt_1572998795 is not reachable. Aborting the script.
dig output for mail.domain.tld:
Please make sure /.well-known alias is setup in WWW server.
Now, in this specific case … there was an earlier error with the CNAME entry but this was fixed BEFORE this particular LE request was made. I also did a dig @ the authoritative name server, and the record was correct …
So, why is this??? Are DNS records being cached rather than looked up for each attempt? If so, what is the expiration time on the cache so we know how long it is necessary to wait after a failure due to DNS issues? Any guidance would be appreciated! Thanks in advance.
I am sorry that the domain is masked - the domain used for this example is not mine to share and I have not received permission to do so.
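The post asks whether the validator might be seeing a cached answer and how long to wait after a DNS fix. One way to check that for yourself before re-running the certificate request is to compare the answer section from `dig +noall +answer` against the authoritative name server with the answer from the recursive resolver you suspect of holding the old record. On a recursive resolver the TTL column is the remaining lifetime of the cached entry, so it is an upper bound on how long that resolver can keep returning the stale target. The script below is an added example, not part of the original post or of any Let's Encrypt tooling; the dig output it parses is constructed, and the CNAME targets `mailhost.example.net` and `old-host.example.net` are hypothetical. `mail.domain.tld` is the masked name from the post.

```python
"""Compare a CNAME answer from an authoritative name server with the answer a
recursive resolver still has cached, and report how long until the resolver is
guaranteed to serve the authoritative target.

Added example for this thread (not the poster's code and not Let's Encrypt's).
Input format is the answer section printed by `dig +noall +answer`:
    <name> <ttl> IN <type> <rdata>
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Record:
    name: str   # owner name, lower-case, without trailing dot
    ttl: int    # seconds; on a recursive resolver this is the remaining cache lifetime
    rtype: str  # e.g. CNAME, A
    rdata: str  # record data, lower-case, without trailing dot


def parse_dig_answer(text: str) -> List[Record]:
    """Parse dig answer lines; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            raise ValueError(f"unrecognised answer line: {line!r}")
        name, ttl, _cls, rtype = fields[:4]
        rdata = " ".join(fields[4:])
        records.append(Record(name.rstrip(".").lower(), int(ttl), rtype.upper(),
                              rdata.rstrip(".").lower()))
    return records


def cname_target(records: List[Record], name: str) -> Optional[str]:
    """Return the CNAME target for `name`, or None if there is no CNAME."""
    for r in records:
        if r.rtype == "CNAME" and r.name == name.rstrip(".").lower():
            return r.rdata
    return None


def seconds_until_consistent(authoritative: List[Record], cached: List[Record],
                             name: str) -> int:
    """0 if the resolver already returns the authoritative CNAME target,
    otherwise the largest remaining TTL on a stale cached CNAME for `name`,
    i.e. the longest a client of that resolver may still see the old answer."""
    want = cname_target(authoritative, name)
    if want is None:
        # The authoritative zone itself is wrong (the earlier CNAME error in
        # the post); waiting for caches to expire will not help here.
        raise ValueError(f"no CNAME for {name} at the authoritative server")
    owner = name.rstrip(".").lower()
    stale = [r for r in cached
             if r.name == owner and r.rtype == "CNAME" and r.rdata != want]
    return max((r.ttl for r in stale), default=0)


# Constructed sample output (hypothetical targets, not real hosts).
AUTHORITATIVE = "mail.domain.tld.  300  IN  CNAME  mailhost.example.net.\n"
RESOLVER_STALE = "mail.domain.tld.  187  IN  CNAME  old-host.example.net.\n"
RESOLVER_FRESH = "mail.domain.tld.  298  IN  CNAME  mailhost.example.net.\n"


def report(auth_text: str, cache_text: str, name: str) -> str:
    """Human-readable summary of whether a re-run is safe yet."""
    wait = seconds_until_consistent(parse_dig_answer(auth_text),
                                    parse_dig_answer(cache_text), name)
    if wait == 0:
        return f"{name}: resolver matches authoritative answer, safe to retry"
    return f"{name}: resolver still caches old target, retry in {wait}s"


if __name__ == "__main__":
    print(report(AUTHORITATIVE, RESOLVER_STALE, "mail.domain.tld"))
    print(report(AUTHORITATIVE, RESOLVER_FRESH, "mail.domain.tld"))
```

To use it against real servers, feed it the output of `dig @<authoritative-ns> mail.domain.tld CNAME +noall +answer` and `dig @<recursive-resolver> mail.domain.tld CNAME +noall +answer`. If the resolver's TTL is the full zone TTL rather than a smaller remaining value, it has just fetched the record and is not the source of a stale answer.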