There are some issues reported by DNSViz (you can ignore the unknown RRSIG warnings; I think that's something weird about DNSViz's setup, but there are some actual issues too):
stevelanglois.org/CAA (NODATA): An SOA RR with owner name (.) not matching the zone name (stevelanglois.org) was returned with the NODATA response. (188.8.131.52, 184.108.40.206, 2600:3c03::f03c:91ff:fe93:e369, 2607:5300:60:34bf::1, UDP_-_EDNS0_4096_D_KN)
org to stevelanglois.org: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the org zone): ns2.r4l.com, ns1.r4l.com
org to stevelanglois.org: The following NS name(s) were found in the delegation NS RRset (i.e., in the org zone), but not in the authoritative NS RRset: ns1.studioazura.com, ns2.studioazura.com
So, make sure that the delegation to your nameserver is set up correctly.
I'm not sure if it's related, but Let's Encrypt did upgrade the version of Unbound they use within the last few weeks, and I think it may be pickier about ensuring that DNS delegations are set up correctly.
Unboundtest seems to be getting NOERROR, but I think it's still on the previous version of Unbound.
You might also want to update to newer DNS-serving software. (Or use one of the many hosted options out there, though of course there are good reasons to want to host things oneself as well.)
Hey @jsha, when you get a chance, if you could update Unboundtest to the 1.18 version that LE production is using now, I think it might be helpful. It seems… pickier than prior versions about NS delegations matching and AA flags and SOA responses being standard and so forth. (Honestly having the option to try testing with both the old as well as the current version might be neat too, just so we can confirm that people aren't crazy and in fact the DNS server did use to "work" at least as far as Let's Encrypt validation was concerned.)
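The two classes of findings quoted above (a delegation NS set that does not match the zone's own NS set, and a NODATA response whose SOA is owned by the wrong name) can be checked mechanically once you have the two NS sets and the SOA owner in hand. The following is an added example, not code from the post or from DNSViz; it works on constructed input taken from the quoted findings rather than doing live queries, and the function and class names are my own. A resolver such as Unbound treats both mismatches as signs of a broken delegation, which is why a stricter version can start failing where an older one "worked".

```python
"""Offline checks for delegation consistency and NODATA/SOA sanity.
Added example; the data below is constructed from the DNSViz findings
quoted in the post, not fetched live."""
from dataclasses import dataclass, field


def normalize(name: str) -> str:
    """Canonicalize a DNS name: lower-case, fully qualified with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def is_subdomain(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (label boundary respected)."""
    name, zone = normalize(name), normalize(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


@dataclass
class DelegationReport:
    zone: str
    parent: str
    only_in_authoritative: list = field(default_factory=list)
    only_in_delegation: list = field(default_factory=list)

    def consistent(self) -> bool:
        return not self.only_in_authoritative and not self.only_in_delegation

    def messages(self) -> list:
        """Render the findings in the same style DNSViz uses."""
        out = []
        head = f"{self.parent} to {self.zone}: "
        if self.only_in_authoritative:
            out.append(head + "NS in authoritative RRset but not in delegation "
                       f"(in the {self.parent} zone): "
                       + ", ".join(self.only_in_authoritative))
        if self.only_in_delegation:
            out.append(head + f"NS in delegation (in the {self.parent} zone) but "
                       "not in authoritative RRset: "
                       + ", ".join(self.only_in_delegation))
        return out


def compare_delegation(zone: str, parent: str,
                       delegation_ns, authoritative_ns) -> DelegationReport:
    """Compare the parent's delegation NS set with the child's apex NS set."""
    deleg = {normalize(n) for n in delegation_ns}
    auth = {normalize(n) for n in authoritative_ns}
    return DelegationReport(zone=zone, parent=parent,
                            only_in_authoritative=sorted(auth - deleg),
                            only_in_delegation=sorted(deleg - auth))


def nodata_soa_ok(qname: str, zone: str, soa_owner: str) -> bool:
    """For a NODATA answer about qname in zone, the authority-section SOA must
    be owned by the zone apex itself: not '.', not the parent, not a child."""
    if not is_subdomain(qname, zone):
        return False  # the server is not authoritative for this name at all
    return normalize(soa_owner) == normalize(zone)


if __name__ == "__main__":
    # Constructed from the quoted DNSViz output for stevelanglois.org.
    report = compare_delegation(
        "stevelanglois.org", "org",
        delegation_ns=["ns1.studioazura.com", "ns2.studioazura.com"],
        authoritative_ns=["ns2.r4l.com", "ns1.r4l.com"],
    )
    for line in report.messages():
        print(line)
    # The CAA NODATA answer carried an SOA owned by "." instead of the zone.
    print("CAA NODATA SOA ok:",
          nodata_soa_ok("stevelanglois.org", "stevelanglois.org", "."))
```

To use it on a real zone, feed `compare_delegation` the NS names from the parent's referral and from the child server's own apex NS RRset, and feed `nodata_soa_ok` the owner of the SOA that the child server puts in the authority section of a NODATA reply; if either check fails, the fix is at the registrar (delegation) or in the zone file and server configuration (SOA), not at Let's Encrypt.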