During re-verification of a domain I have been getting this error repeatedly for some days:
[Di 29. Sep 00:00:05 CEST 2020] Getting webroot for domain='mydomain.com'
[Di 29. Sep 00:00:05 CEST 2020] Getting token for domain='mydomain.com'
[Di 29. Sep 00:00:11 CEST 2020] Getting webroot for domain='www.mydomain.com'
[Di 29. Sep 00:00:11 CEST 2020] Getting token for domain='www.mydomain.com'
[Di 29. Sep 00:00:21 CEST 2020] Verifying:mydomain.com
[Di 29. Sep 00:00:33 CEST 2020] Pending
[Di 29. Sep 00:00:39 CEST 2020] Pending
[Di 29. Sep 00:00:45 CEST 2020] Pending
[Di 29. Sep 00:00:50 CEST 2020] Pending
[Di 29. Sep 00:00:56 CEST 2020] Pending
[Di 29. Sep 00:01:02 CEST 2020] Pending
[Di 29. Sep 00:01:07 CEST 2020] Pending
[Di 29. Sep 00:01:13 CEST 2020] mydomain.com:Verify error:During secondary validation: DNS problem: networking error looking up A for mydomain.com
When checking the DNS-A-records with an external tool or one of the online-services, everything works well and the domain can be resolved without any problems.
I have had similar problems with another domain on the same server previously, but this issue is gone after a few tries. Now with this domain it seems to be permanent.
My hosting provider, if applicable, is: Hetzner
So as this looks like a problem that appears on LetsEncrypt-side: any idea what is wrong here and how can one fix that?
This has been a very common issue lately. I believe it is based on the secondary validation servers being overwhelmed at midnight. Please try changing the time the process runs to a somewhat random time several hours and minutes earlier or later.
We’re working to fix this soon. As @griffin mentioned, renewing at any other time should work well.
@Elmi77 Could you please let us know what OS you’re running, and how your ACME client was installed? I’d like to reach out to the developer/integrator and make sure that they randomize the time for future users, so that our traffic at the top of the hour isn’t so much higher than other times.
Thanks for looking into this. I see the error for eissing.org hourly reported from my apache/mod_md setup. In case this helps, the response is always like:
Exact response was: {"identifier":{"type":"dns","value":"www.eissing.org"},"status":"invalid","expires":"2020-10-11T22:00:18Z",
"challenges":[{"type":"http-01","status":"invalid",
"error":{"type":"urn:ietf:params:acme:error:dns",
"detail":"During secondary validation: No valid IP addresses found for www.eissing.org","status":400},
"url":"https://acme-v02.api.letsencrypt.org/acme/chall-BLA/-BLUBB",
"token":"GIBBERISH",
"validationRecord":[
{"url":"http://www.eissing.org/.well-known/acme-challenge/XXX",
"hostname":"www.eissing.org","port":"80",
"addressesResolved":["217.91.35.233"],"addressUsed":"217.91.35.233"
}]}]}
In case I can help with more details or test from my end by wiggling things a bit, just let me know.
It runs hourly, whenever it was first started. I will add some random wiggling in future releases, so that it is not exactly an hour each time and spread around.
However, as I saw on Twitter, you managed to resolve the secondary DNS lookup problem and, indeed, my domain has been successfully renewed. Thanks for that!
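An added example, not code from any ACME client or from Let's Encrypt: it picks out the "During secondary validation" failures from an authorization object shaped like the one quoted above, and chooses a retry time away from the top of the hour, as the replies recommend. The function names, the 1 to 6 hour retry window, the 5-minute margin and the sample values are assumptions made for this illustration.

```python
import json
import random
from datetime import datetime, timedelta

# Constructed sample shaped like the authorization object quoted in the
# thread; the domain and address are documentation placeholders.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "www.example.org"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01", "status": "invalid",
        "error": {"type": "urn:ietf:params:acme:error:dns",
                  "detail": "During secondary validation: No valid IP "
                            "addresses found for www.example.org",
                  "status": 400},
        "validationRecord": [{"hostname": "www.example.org", "port": "80",
                              "addressesResolved": ["192.0.2.10"]}],
    }],
})

PREFIX = "During secondary validation:"

def secondary_validation_failures(authz_json):
    """Return one dict per invalid challenge whose error detail starts with
    the secondary-validation prefix seen in the thread."""
    authz = json.loads(authz_json)
    name = authz.get("identifier", {}).get("value", "")
    hits = []
    for ch in authz.get("challenges", []):
        detail = (ch.get("error") or {}).get("detail", "")
        if ch.get("status") == "invalid" and detail.startswith(PREFIX):
            resolved = [a for r in ch.get("validationRecord", [])
                        for a in r.get("addressesResolved", [])]
            # A non-empty list means the name did resolve for the record shown.
            hits.append({"name": name, "detail": detail,
                         "primary_resolved": resolved})
    return hits

def next_attempt(now, rng, margin_min=5, min_h=1, max_h=6):
    """Pick a retry time min_h..max_h hours out, with a random minute kept
    at least margin_min away from the top of the hour (assumed policy)."""
    hours = rng.randint(min_h, max_h)
    base = now.replace(minute=0, second=0, microsecond=0) + timedelta(hours=hours)
    return base.replace(minute=rng.randint(margin_min, 59 - margin_min),
                        second=rng.randint(0, 59))

if __name__ == "__main__":
    for hit in secondary_validation_failures(SAMPLE_AUTHZ):
        print(hit["name"], "->", hit["detail"])
        print("retry at", next_attempt(datetime.now(), random.Random()))
```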