Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
So, that sounds like you're using some sort of duckdns plugin for certbot; could you post more information about its version and how you've configured certbot to use it?
And while it might not be related to your problem, you may want to make sure you're on the latest version of Certbot and that plugin.
Yeah, there were a lot of cases of spambots posting something and then editing a spam link in after, so edits are disabled for new users. Sorry about that. If you hang out and contribute, at some trust level the editing feature will get enabled for you. Welcome to the community!
I think you might just be running into duckdns having issues and not always responding. Here's one DNS analysis tool, showing several warnings for nameservers not replying consistently.
You might just want to try again a bit later. Or maybe change to using HTTP-01 instead (if your system can expose port 80 publicly, and you don't need a wildcard) or some other DNS service.
apt update shows no newer version of certbot or the dns-duckdns-plugin.
A temporary failure of duckdns.org is possible, but I was warned that my certificates expire in 19 days, and the logs show that the automatic renewal has not been working for several days.
I have a second certificate for *.wkind.duckdns.org which is not due for renewal, but when I dry-run it, it works.
Your OS's built-in package store is probably not updated as often as the upstream projects have releases. If you want to try upgrading (which I don't know if it'll fix the problem, to be clear, but it's something you might want to try), you'd need to uninstall that version and then install either the snap or pip versions of both certbot and certbot-dns-duckdns. Though certbot recommends using snap, and the certbot-dns-duckdns project recommends using pip.
Hmm. That is interesting. I'm not very familiar with duckdns, though I know other people here have used it, so hopefully someone here has a better idea to help you than I do.
If that's even partially the real token used to authenticate to duckdns, I would recommend changing it. I don't know as you've masked out enough bits to make it not susceptible to brute-forcing the rest of it.
To wrap things up:
I managed to update certbot to version 4.0.0, but no change.
Then I realized that after the last renewal I had installed Pi-hole. I could not get Pi-hole into a configuration that really works with certbot, but this was the direction to go.
I then set up a spare raspi not to use the Pi-hole DNS system and successfully got certificates with the usual configuration.
Now it is clear the problem is not with Let's Encrypt. It is with the correct configuration of Pi-hole.
Thank you for your help in pushing me in the right direction.