Recently I found that my acme.sh automatic renewals had been failing over the past month, so I manually ran the cron job to find out what was going wrong.
By default, acme.sh waits 20 seconds after setting the TXT records on DNS, then does a confirmation using Cloudflare DNS before contacting LE for the challenge. However, the process was failing during the verification step with the following error:
original='{
  "identifier": {
    "type": "dns",
    "value": "[redacted-domain]"
  },
  "status": "invalid",
  "expires": "2024-11-27T16:02:48Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/[redacted]/LL1-zA",
      "status": "invalid",
      "validated": "2024-11-20T16:03:17Z",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.[redacted-domain] - check that a DNS record exists for this domain",
        "status": 400
      },
      "token": "[redacted]"
    }
To diagnose the problem, I manually confirmed that:
1) _acme-challenge was added in the right place,
2) both Cloudflare and Google DNS confirmed the existence of _acme-challenge.[redacted-domain],
3) I later tried to renew each domain individually, and they succeeded with additional retries.
Observation 3) gave me the idea of allowing more time for Let’s Encrypt’s DNS server to properly fetch my DNS records, so I set the acme.sh DNS sleep time to 60s. With that, this issue did not reoccur, and all renewal operations completed successfully.
As my domains usually renew every 2 months, judging from my last issued date, it seems this issue began sometime after October, as the cron job runs daily but does not attempt renewal unless the certificate is within one month of expiration.
Disclaimer: While I understand that there is the possibility of my Anycast DNS failing to propagate to the server closest to Let’s Encrypt’s DNS server, test results from a DNS propagation site show that my Anycast DNS updated the record instantly, let alone with a 20-second delay. As such, I do not find evidence of this being an issue on my DNS side, yet.
References:
https://community.letsencrypt.org/t/dns01-validation-timeouts/116844/2
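The check the post describes doing by hand (steps 1 and 2), as an added shell example that is not part of the original post or of acme.sh: it polls several public resolvers for the _acme-challenge TXT record until all of them see it, so a slow propagation surfaces as a local timeout rather than an NXDOMAIN from Let’s Encrypt. It assumes `dig` is installed; the domain, token and resolver list are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the DNS-01 TXT record is
# visible from public resolvers before letting the ACME client ask LE to validate.
# Assumption: dig is available; names, token and resolvers below are placeholders.

# lookup_txt NAME RESOLVER -> prints the TXT rdata, empty on NXDOMAIN or timeout.
lookup_txt() {
  dig +short +time=3 +tries=1 TXT "$1" "@$2" 2>/dev/null
}

# wait_for_txt NAME EXPECTED MAX_TRIES SLEEP_SECONDS RESOLVER...
# Returns 0 once every resolver returns a TXT record containing EXPECTED,
# 1 if MAX_TRIES polls pass without that happening.
wait_for_txt() {
  name=$1; expected=$2; max_tries=$3; sleep_s=$4; shift 4
  try=1
  while [ "$try" -le "$max_tries" ]; do
    missing=""
    for r in "$@"; do
      # -F: the token is a literal string, not a pattern
      if ! lookup_txt "$name" "$r" | grep -qF -- "$expected"; then
        missing="$missing $r"
      fi
    done
    [ -z "$missing" ] && return 0
    echo "try $try/$max_tries: record not yet visible at:$missing" >&2
    try=$((try + 1))
    [ "$try" -le "$max_tries" ] && sleep "$sleep_s"
  done
  return 1
}

# Usage: ./check_txt.sh --run <token-value>
# Six polls 10 s apart is the same 60 s budget the post settled on for dnssleep.
if [ "${1:-}" = "--run" ]; then
  if wait_for_txt "_acme-challenge.example.com" "$2" 6 10 1.1.1.1 8.8.8.8; then
    echo "TXT record visible everywhere; safe to let acme.sh contact LE"
  else
    echo "TXT record still missing after 60 s; do not trigger validation yet" >&2
    exit 1
  fi
fi
```

Run it as a pre-check in the renewal cron job, or keep its resolver list in step with the one acme.sh itself queries during its confirmation step.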