Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
The DNS response does not contain an answer to the question: ghoas.duckdns.org. IN TXT
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
I'm using Home Assistant's nginx proxy manager to get two subdomains for the above domain, and have had no problem with auto-renewal so far. Now, trying to auto-renew gives an internal error, and trying to obtain a new certificate, whether wildcard or not, also offers the same error as above. I did redact my e-mail from the command.
We have seen several people with problems using duckdns.org subdomains. The duckdns DNS servers are not responding well. The other threads have eventually gotten a cert after retrying. But, just know that too many failed retries get you rate limited and temporarily blocked.
Note these errors may also affect regular people trying to access your domain. But, Let's Encrypt is especially affected because it needs a response directly from the duckdns authoritative servers and does not rely on cached results.
You can see these duckdns errors with a tool like https://dnsviz.net. You can also see that queries directly to their servers often fail. I did these just now:
dig +noall +answer A ghoas.duckdns.org @ns3.duckdns.org.
;; communications error to 35.183.157.249#53: timed out
ghoas.duckdns.org. 60 IN A 90.146.109.116
dig +noall +answer A ghoas.duckdns.org @ns1.duckdns.org.
ghoas.duckdns.org. 60 IN A 90.146.109.116
dig +noall +answer A ghoas.duckdns.org @ns2.duckdns.org.
;; communications error to 35.182.183.211#53: timed out
;; communications error to 35.182.183.211#53: timed out
ghoas.duckdns.org. 60 IN A 90.146.109.116
dig +noall +answer A ghoas.duckdns.org @ns4.duckdns.org.
;; communications error to 3.97.51.116#53: timed out
;; communications error to 3.97.51.116#53: timed out
;; communications error to 3.97.51.116#53: timed out
;; no servers could be reached
dig +noall +answer A ghoas.duckdns.org @ns5.duckdns.org.
;; communications error to 99.79.16.64#53: timed out
;; communications error to 99.79.16.64#53: timed out
;; communications error to 99.79.16.64#53: timed out
;; no servers could be reached
Thank you for the quick response! So the solution is to be patient and retry over the next several days, and hope they get their servers back to normal?
Yes, retry occasionally or switch to a more reliable DNS provider. You could post at the duckdns support forum for a service level explanation.
It is possible some other Certificate Authority will tolerate such DNS query failures. Some examples of other ACME CAs are below. A couple of CAs found out earlier this year they were not in compliance with the DNS query requirements of the ACME standard. It's possible one of those CAs may work today and then soon have the same problem as LE. I mention this only as a caution. I don't track other CAs in detail.
Personally I would look at changing to a more reliable DNS provider as the long-term solution.
I don't know how you specify an alternate CA in NPM. With Certbot, it is the --server option. Some CAs require EAB, so see the Certbot docs for that. Again, I don't know how NPM manages Certbot for that.
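The per-nameserver dig checks shown earlier in the thread can be scripted as a preflight before retrying a renewal, so that failed attempts do not count toward the rate limit. This is an added example, not part of the thread or of Certbot; the function names and the ok/flaky/dead/noanswer labels are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: ask each authoritative nameserver directly (as the CA's
# validator does, without cached results) and report which ones answer.

# classify_dig: read the output of one "dig +noall +answer" run on stdin and
# print one label (labels are this example's own, not dig's):
#   ok        answer record returned, no timeouts
#   flaky     answer record returned, but only after one or more timeouts
#   dead      dig reported that no server could be reached
#   noanswer  server responded but the answer section was empty
classify_dig() {
    awk '
        /communications error/        { timeouts++ }
        /no servers could be reached/ { dead = 1 }
        /^[^;]/ && NF >= 5 && $3 == "IN" { answers++ }
        END {
            if (dead)                     print "dead"
            else if (answers && timeouts) print "flaky"
            else if (answers)             print "ok"
            else                          print "noanswer"
        }'
}

# check_nameservers NAME TYPE NS...
# Returns non-zero if any listed nameserver is not "ok", which is the signal
# to wait rather than spend another validation attempt.
check_nameservers() {
    name=$1; rtype=$2; shift 2
    bad=0
    for ns in "$@"; do
        status=$(dig +noall +answer +tries=3 +time=5 "$rtype" "$name" "@$ns" 2>&1 | classify_dig)
        printf '%-20s %s\n' "$ns" "$status"
        [ "$status" = ok ] || bad=1
    done
    return "$bad"
}

# Live use: sh preflight.sh ghoas.duckdns.org TXT ns1.duckdns.org ns2.duckdns.org
if [ "$#" -ge 3 ]; then
    check_nameservers "$@"
else
    # No arguments: classify the ns3 output quoted in the thread (runs offline).
    printf '%s\n' ';; communications error to 35.183.157.249#53: timed out' \
        'ghoas.duckdns.org. 60 IN A 90.146.109.116' | classify_dig
fi
```

A "flaky" result still matters for issuance: the answer arrived only after retries, and a validator with a shorter timeout may give up first.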