Hi,
I am trying to generate TLS certificates for the domain bal.byteful.agency. I do not own the domain byteful.agency, but NS entries are set for bal.byteful.agency to be managed by myself on Hetzner DNS:
bal.byteful.agency. 86400 IN NS helium.ns.hetzner.de.
bal.byteful.agency. 86400 IN NS oxygen.ns.hetzner.com.
bal.byteful.agency. 86400 IN NS hydrogen.ns.hetzner.com.
I am using traefik v2.8.5 which internally obviously uses lego. After letting traefik/lego try to generate the certificates, I receive the following error/timeout:
backend-traefik-1 | time="2023-04-25T17:02:48Z" level=error msg="Unable to obtain ACME certificate for domains \"bal.byteful.agency\": unable to generate a certificate for the domains [bal.byteful.agency]: error: one or more domains had a problem:\n[bal.byteful.agency] time limit exceeded: last error: NS ns3.digitalocean.com. did not return the expected TXT record [fqdn: _acme-challenge.bal.byteful.agency., value: T_5JoLMUrLsYHjG9KIJ9rPnpll9kWtmbV6VxlORcMFo]: \n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=web-secure-router-byteful@docker rule="Host(`bal.byteful.agency`)" providerName=hetznercert.acme
I've made sure the TXT entries exist on Hetzner DNS. They are created automatically; here is even the result of an unboundtest (which should simulate Let's Encrypt's resolving):
https://unboundtest.com/m/TXT/_acme-challenge.bal.byteful.agency./ETQVSIHO
In case the link expires, I receive the following:
Query results for TXT _acme-challenge.bal.byteful.agency.
Response:
;; opcode: QUERY, status: NOERROR, id: 22297
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_acme-challenge.bal.byteful.agency. IN TXT
;; ANSWER SECTION:
_acme-challenge.bal.byteful.agency. 0 IN TXT "T_5JoLMUrLsYHjG9KIJ9rPnpll9kWtmbV6VxlORcMFo"
The problem seems to be obvious in this log part:
unable to generate a certificate for the domains [bal.byteful.agency]: error: one or more domains had a problem:\n[bal.byteful.agency] time limit exceeded: last error: NS ns3.digitalocean.com. did not return the expected TXT record [fqdn: _acme-challenge.bal.byteful.agency., value: T_5JoLMUrLsYHjG9KIJ9rPnpll9kWtmbV6VxlORcMFo]:
ns3.digitalocean.com is used as the nameserver, but I am not sure why Let's Encrypt does this.
In case you need the full logs of unboundtest or traefik, just let me know. I saved them in any case.
Would appreciate any kind of help. Thanks in advance and all the best.
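As an added illustration (not the poster's, traefik's or lego's code), here is a small Python model of how a DNS-01 propagation check should locate the servers authoritative for _acme-challenge.bal.byteful.agency. and why asking the parent zone's nameserver cannot find the record. All DNS data is constructed in memory rather than fetched live; ns3.digitalocean.com. stands in for the parent zone's servers, whose full NS set is not known from the post.

```python
# Added example: a model of the authoritative-server selection a DNS-01
# propagation check needs, using the delegation described in the post.
# All DNS data here is constructed and held in memory (no live lookups).

CHALLENGE = "_acme-challenge.bal.byteful.agency."
TOKEN = "T_5JoLMUrLsYHjG9KIJ9rPnpll9kWtmbV6VxlORcMFo"

# Constructed zone cuts: owner name -> NS records. The parent zone's full NS
# set is unknown from the post; ns3.digitalocean.com. is the one the error names.
NS_RECORDS = {
    "byteful.agency.": ["ns3.digitalocean.com."],
    "bal.byteful.agency.": ["helium.ns.hetzner.de.", "oxygen.ns.hetzner.com.",
                            "hydrogen.ns.hetzner.com."],
}

# Constructed answers: (nameserver, name) -> TXT values that server returns.
# Only the delegated Hetzner servers carry the challenge record, as in the post.
TXT_ANSWERS = {(ns, CHALLENGE): [TOKEN] for ns in NS_RECORDS["bal.byteful.agency."]}


def nearest_zone_cut(fqdn, ns_records=NS_RECORDS):
    """Walk the name upward label by label and return (zone, nameservers) for
    the closest enclosing delegation, i.e. the servers authoritative for fqdn."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ns_records:
            return candidate, list(ns_records[candidate])
    raise LookupError(f"no delegation found above {fqdn}")


def servers_missing_txt(fqdn, expected, servers, txt_answers=TXT_ANSWERS):
    """Return the nameservers that do not serve `expected` as a TXT value for
    fqdn. A propagation check should pass only when this list is empty."""
    return [ns for ns in servers if expected not in txt_answers.get((ns, fqdn), [])]


def diagnose(fqdn=CHALLENGE, expected=TOKEN):
    """Compare checking the delegated zone's servers against the parent zone's."""
    zone, delegated = nearest_zone_cut(fqdn)
    _, parent_ns = nearest_zone_cut(zone[zone.index(".") + 1:])
    return {
        "zone": zone,
        "missing_on_delegated": servers_missing_txt(fqdn, expected, delegated),
        "missing_on_parent": servers_missing_txt(fqdn, expected, parent_ns),
    }


if __name__ == "__main__":
    print(diagnose())
```

Running it shows an empty list for the delegated Hetzner servers and ns3.digitalocean.com. listed as missing, which matches the "did not return the expected TXT record" error when the check is pointed at the parent zone's server instead of the delegated one.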