Unable to obtain ACME certificate for domains even though unboundtest works

Hi,
I am trying to generate TLS certificates for the domain bal.byteful.agency. I do not own the domain byteful.agency but NS entries are set for bal.byteful.agency to be managed by myself on Hetzner DNS:

bal.byteful.agency.	86400	IN	NS	helium.ns.hetzner.de.
bal.byteful.agency.	86400	IN	NS	oxygen.ns.hetzner.com.
bal.byteful.agency.	86400	IN	NS	hydrogen.ns.hetzner.com.

I am using traefik v2.8.5 which internally obviously uses lego. After letting traefik/lego try to generate the certificates, I receive the following error/timeout:

backend-traefik-1   | time="2023-04-25T17:02:48Z" level=error msg="Unable to obtain ACME certificate for domains \"bal.byteful.agency\": unable to generate a certificate for the domains [bal.byteful.agency]: error: one or more domains had a problem:\n[bal.byteful.agency] time limit exceeded: last error: NS ns3.digitalocean.com. did not return the expected TXT record [fqdn: _acme-challenge.bal.byteful.agency., value: T_5JoLMUrLsYHjG9KIJ9rPnpll9kWtmbV6VxlORcMFo]: \n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=web-secure-router-byteful@docker rule="Host(`bal.byteful.agency`)" providerName=hetznercert.acme

I've made sure the TXT entries exist on Hetzner DNS. They are automatically created, here is even the result of an unboundtest (which should simulate the letsencrypt resolving):
https://unboundtest.com/m/TXT/_acme-challenge.bal.byteful.agency./ETQVSIHO

In case the link expires, I receive the following:

Query results for TXT _acme-challenge.bal.byteful.agency.

Response:
;; opcode: QUERY, status: NOERROR, id: 22297
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.bal.byteful.agency.	IN	 TXT

;; ANSWER SECTION:
_acme-challenge.bal.byteful.agency.	0	IN	TXT	"T_5JoLMUrLsYHjG9KIJ9rPnpll9kWtmbV6VxlORcMFo"

The problem seems to be obvious in this log part:

unable to generate a certificate for the domains [bal.byteful.agency]: error: one or more domains had a problem:\n[bal.byteful.agency] time limit exceeded: last error: NS ns3.digitalocean.com. did not return the expected TXT record [fqdn: _acme-challenge.bal.byteful.agency., value: T_5JoLMUrLsYHjG9KIJ9rPnpll9kWtmbV6VxlORcMFo]:

ns3.digitalocean.com is used as the nameserver, but I am not sure why letsencrypt does this?

In case you need the full logs of unboundtest or traefik, just let me know. I saved them in any case.

Would appreciate any kind of help. Thanks in advance and all the best.

I would suggest looking for the option for DNS propagation or delay before check, as you need to allow time for all of your nameservers to provide the same response, and that's often over a minute, or even up to 5 minutes depending on the DNS provider and how long their nameservers take to sync.

From googling I think it may be --certificatesResolvers.<provider>.acme.dnsChallenge.delayBeforeCheck=60

Thanks, this didn't solve it but put me into the right direction. I checked some other options, and when I enable disablePropagationCheck then it works. So the issue is not with letsencrypt, but with the local propagation check. When I disable the propagation check and add a delay, the certificates get generated successfully.

If the update is happening at hetzner.de, then checking it at digitalocean.com will always fail.
Can you check the logs to see where it is doing the update?

The update at hetzner works and the TXT entry is there during the start. Digitalocean is the authority NS for byteful.agency but not for bal.byteful.agency, and that's why I am confused. Why does it try to do the propagation check through digitalocean's nameservers?
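The point made above, that a record published at Hetzner can never be seen by asking DigitalOcean's servers, is what a propagation check has to get right: find the closest delegation point for the challenge name, then query only that zone's authoritative servers. The script below is an added illustration, not code from the thread, lego or Traefik; the `lookup` callable is a stand-in for a real DNS query (e.g. dnspython pointed at a specific server) and here runs offline against a constructed delegation mirroring the thread.

```python
# Added example: zone-cut walk plus per-nameserver TXT check for a DNS-01
# challenge. Not the thread's or lego's code. The DNS data below is constructed
# to mirror the delegation described in the thread.
from typing import Callable, Dict, List, Optional, Tuple

# (name, rrtype, server) -> rdata strings; server=None means "use the recursive resolver"
LookupFn = Callable[[str, str, Optional[str]], List[str]]

def find_zone_cut(fqdn: str, lookup: LookupFn) -> Tuple[str, List[str]]:
    """Walk the labels of fqdn upward until a name with NS records is found.
    Returns (zone, nameservers); raises if no delegation exists below the root."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        nameservers = lookup(candidate, "NS", None)
        if nameservers:
            return candidate, nameservers
    raise LookupError(f"no delegation found for {fqdn}")

def check_propagation(fqdn: str, expected: str, lookup: LookupFn) -> Dict[str, bool]:
    """Ask each authoritative server of the challenge name's own zone directly
    and report which of them already serve the expected TXT value."""
    _zone, nameservers = find_zone_cut(fqdn, lookup)
    return {ns: expected in lookup(fqdn, "TXT", ns) for ns in nameservers}

# --- constructed fake DNS data mirroring the thread's delegation -------------
CHALLENGE = "_acme-challenge.bal.byteful.agency."
TOKEN = "T_5JoLMUrLsYHjG9KIJ9rPnpll9kWtmbV6VxlORcMFo"
_NS = {
    "byteful.agency.": ["ns1.digitalocean.com.", "ns2.digitalocean.com.", "ns3.digitalocean.com."],
    "bal.byteful.agency.": ["helium.ns.hetzner.de.", "oxygen.ns.hetzner.com.", "hydrogen.ns.hetzner.com."],
}
# Only the Hetzner servers hold the child zone, so only they can answer the TXT.
_TXT = {(CHALLENGE, ns): [TOKEN] for ns in _NS["bal.byteful.agency."]}

def fake_lookup(name: str, rrtype: str, server: Optional[str]) -> List[str]:
    """Offline stand-in for a real DNS query against `server`."""
    if rrtype == "NS":
        return _NS.get(name, [])
    if rrtype == "TXT":
        return _TXT.get((name, server), [])
    return []

if __name__ == "__main__":
    zone, servers = find_zone_cut(CHALLENGE, fake_lookup)
    print(f"zone cut for {CHALLENGE} is {zone} -> {servers}")
    for ns, ok in check_propagation(CHALLENGE, TOKEN, fake_lookup).items():
        print(f"{ns:26} {'ok' if ok else 'MISSING'}")
    # Asking a parent-zone server instead (as in the error above) never sees the record.
    print("ns3.digitalocean.com.:", fake_lookup(CHALLENGE, "TXT", "ns3.digitalocean.com."))
```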

I'm puzzled. Are you asking why LEGO's pre-cert request propagation check is failing? Because you might get a better answer on the lego GitHub or maybe even the Traefik forum.

@MikeMcQ I realized the pre-cert propagation check is the issue just days after posting here. In my reply I mentioned it's not an issue with letsencrypt. So in any case from my side this can be closed here, and I've already asked the question in the lego discussion section.

Thanks and sorry for the confusion.
