I recently ran into a problem with creating new certificates, and found a strange behaviour in DNS lookup from the LE side (certificate creation through HTTP-01 (acme-challenge)).
When a domain has a wildcard CNAME - like *.somedomain.com CNAME somedomain.com - and you try to create a certificate for www.somedomain.com, it will fail with the error: “Verify error:DNS problem: query timed out looking up A for www.somedomain.com”
(Even with everything reporting correctly - DNSSEC [dnsviz], letsdebug, etc…)
Then everything works out perfectly - did something change in Let’s Encrypt policy, or am I doing something wrong?