Successfully issued for www.myelement.org. Tremendous relief for us. Thanks for the help cpu and team!
Indeed, without any changes in production, lookups for the examples submitted here are working normally now.
I spent some time with the example domains submitted here (thanks for contributions!). Unbound's dump_infra control command was very unambiguous about not being able to reach IP addresses critical to these lookups.
Specifically, unbound could not reach the following pertinent remote hosts:
2 x IPs for abac.com.
2 x IPs for aplus.net.
3 x IPs for meganameservers.eu.
Yet today, it can. Signs pointed to routing issues 5 hops away, but results weren't definitive.
I've brought this up with more of the team and we are looking at additional ways to monitor IP addresses which unbound cannot reach for prolonged periods.
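As an added example (not part of the original post and not Let's Encrypt's own tooling), one way to watch for addresses that stay unreachable is to parse successive `unbound-control dump_infra` snapshots and flag hosts whose retransmit timeout remains at the cap. The line layout, the 120000 ms cap, the function names and the sample data are assumptions or constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Unbound backs off a failing address until its retransmit
# timeout (rto, milliseconds) reaches 120000, then stops querying it.
RTO_BLOCKED_MS = 120000
# Assumed dump_infra layout: "<ip> <zone> ttl N ping N var N rtt N rto N ..."
# Expired cache entries ("<ip> <zone> expired rto N") are ignored.
LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<zone>\S+)\s+.*?\brto\s+(?P<rto>\d+)")

def blocked_hosts(dump_text):
    """Return the set of (ip, zone) whose rto is at the cap in one snapshot."""
    blocked = set()
    for line in dump_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and " expired " not in line and int(m["rto"]) >= RTO_BLOCKED_MS:
            blocked.add((m["ip"], m["zone"]))
    return blocked

def prolonged(snapshots, min_consecutive=3):
    """Return hosts blocked in at least min_consecutive successive snapshots."""
    streak, longest = defaultdict(int), defaultdict(int)
    for text in snapshots:
        now = blocked_hosts(text)
        for key in list(streak):
            if key not in now:
                streak[key] = 0  # host answered again, restart the count
        for key in now:
            streak[key] += 1
            longest[key] = max(longest[key], streak[key])
    return sorted(k for k, n in longest.items() if n >= min_consecutive)

# Constructed sample data (documentation address ranges, not real servers).
TAIL = " tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0"
OK = "192.0.2.10 example.net. ttl 840 ping 12 var 30 rtt 132 rto 132" + TAIL
DEAD = "198.51.100.7 example.org. ttl 600 ping 0 var 94 rtt 120000 rto 120000" + TAIL
FLAP = "203.0.113.5 example.com. ttl 700 ping 0 var 94 rtt 120000 rto 120000" + TAIL
FLAP_OK = "203.0.113.5 example.com. ttl 700 ping 20 var 40 rtt 180 rto 180" + TAIL
OLD = "192.0.2.99 example.edu. expired rto 120000"
SNAPSHOTS = [
    "\n".join([OK, DEAD, FLAP, OLD]),
    "\n".join([OK, DEAD, FLAP_OK, OLD]),
    "\n".join([OK, DEAD, FLAP, OLD]),
]

if __name__ == "__main__":
    for ip, zone in prolonged(SNAPSHOTS):
        print(f"unreachable for 3+ snapshots: {ip} ({zone})")
```

Requiring several consecutive snapshots separates an address that is persistently unreachable from one that timed out once and recovered.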
For three days straight now, we’ve seen successful issuances after 4am UTC for hostnames that had failed tens of issuances prior to 4am UTC.
I have no idea if that correlation is relevant or a red herring, or why LE might have better success not timing out after that time, but I wanted to share in case it means something to someone. 
Sorry, that was probably because of me. I removed qname-minimisation from its libunbound options after cpu announced the same.
Checking Pantheon’s service logs, we haven’t seen this type of issue since ~4am UTC Friday.
Did LE take some action to prevent further issues? Should this thread be closed out?
No action was taken. Whatever network instability between Let's Encrypt's datacentres and the affected authoritative DNS providers resolved itself.