I couldn’t find a topic regarding the Let’s Encrypt Add-on so I’m posting this here.
The case:
For my Home Assistant setup itself I’m using my Nabu Casa subscription with a custom domain (works like a charm).
However, I’m also running the Bitwarden (Vaultwarden) add-on, for which I’m using the Let’s Encrypt add-on to periodically renew a certificate (I’m using a separate subdomain for that).
This worked well for months, but suddenly it stopped working.
I found out it mainly stopped working due to an expired login key in DirectAdmin, but after fixing that, I still didn’t get any certificates.
What’s going well:
The Let’s Encrypt add-on is successfully able to add the DNS TXT record to the DNS management system of DirectAdmin like it always did.
This proves the Let’s Encrypt add-on is doing its job and my DirectAdmin DNS management is also doing well (the login key is working with sufficient permissions).
What’s going wrong?
After the propagation time (it doesn’t matter if I raise this up to 5 minutes) the CA (Let’s Encrypt) is reporting it couldn’t verify the DNS record.
Has anyone stumbled upon this and found a solution for it?
After this all fails, the add-on cleans up the TXT record (so I’m not looking at an old record still standing there or so).
Below are some screenshots:
The first two are screenshots taken at the same time, showing the status during the propagation time with proof that the ACME challenge TXT record is in place:
So to me it looks like the Let’s Encrypt (intermediate) CA isn’t able to verify my DNS records, but I don’t understand why, as extending the propagation time doesn’t solve the issue (5 minutes should be sufficient), and I would like to know if someone else experienced this and found a solution for it.
EDIT: Just tried with the propagation setting set to 15 minutes (900 seconds) → Same results.
You’re totally right, I’m looking at the domain’s root.
I’ve got something after the _acme-challenge because this is a subdomain.
It worked this way for months (1y+). As I’m writing this I realize: could it be Let’s Encrypt that blacklisted my (sub)domain due to many failed requests while my login key was expired?
Gonna figure out how I can find out if I’m blacklisted.
Thanks for your response, it somehow pointed me in a direction.
EDIT: I found out the block only lasts 1 hour after 5 failed attempts within 1 hour. So this can’t be the root cause.
It is one thing to have the TXT in DirectAdmin DNS, it is another to have that entry actually replicated worldwide. That’s what is actually behind “propagation”.
So 5 minutes was never gonna work at all. However, I left the propagation time at 15 minutes, which seems to be sufficient… but hey, that’s the result of the DNS server I’m querying, so probably the DNS server Let’s Encrypt uses needs somewhat more time.
So after the current job finishes, I’ll set the propagation time to 3600 seconds (1 hour); probably this will solve the issue.
I’ll post the results here.
Thanks again for your response.
EDIT: After posting this message I went looking for the results, and for some reason it succeeded in retrieving the certificate with the propagation time set to 900 seconds, so I guess 900 seconds is on the edge between succeeding and failing (depends on how fast the DNS servers are getting in sync with each other).
As my cert request succeeded I can’t retry now, but I’ll set the propagation time to 1800 seconds (30 minutes). Hopefully this will ensure future cert requests will be stable.
I appreciate your help on this one.
For now I’ll mark this one to be solved, hopefully someone else also has some benefits of this thread.
EDIT: I discovered I’m not able to mark the thread as Solved/Closed/Done or so. So I’m leaving the thread as is; I guess the thread will be closed as soon as time strikes.
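The “propagation” the thread ends up guessing at can be checked directly rather than by picking a larger timeout. Let’s Encrypt’s validation resolver does its own recursion from several vantage points, so what has to be in sync is the zone’s authoritative nameservers (the DirectAdmin primary and whatever secondaries serve the zone), not a public resolver such as the one a desktop `nslookup` hits. The script below is an added example and is not part of the thread, the Let’s Encrypt add-on, or DirectAdmin: it sends a TXT query straight to each authoritative server over UDP using only the Python standard library and polls until every server returns the expected token. The challenge name, token and server IPs are placeholders, `wait_for_challenge` and `build_response` are names chosen here, and `build_response` only produces a constructed fixture packet so the parser can be exercised offline.

```python
"""Added example (not from the thread): poll a zone's authoritative nameservers
for the _acme-challenge TXT record before the CA is asked to validate it."""
import random
import socket
import struct
import time

TYPE_TXT = 16
CLASS_IN = 1


def _encode_name(name):
    """Wire-format a dotted name: <len><label>... terminated by a zero byte."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype=TYPE_TXT):
    """Return (transaction id, DNS query packet) for NAME/QTYPE with the RD flag set."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + _encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                    # refuse pointer loops in a hostile reply
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                # a pointer always ends the name
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_txt_answers(msg, txid):
    """Return the TXT strings in a response; raise on id mismatch or error rcode."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("DNS error rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:                # rdata is a sequence of <len><chars> strings
            out, i = b"", 0
            while i < rdlen:
                n = rdata[i]
                out += rdata[i + 1:i + 1 + n]
                i += 1 + n
            txts.append(out.decode("utf-8", "replace"))
    return txts


def query_txt(name, server, timeout=3.0):
    """Ask SERVER (an IP) directly for TXT NAME over UDP, bypassing any recursive resolver."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data, txid)


def wait_for_challenge(name, expected, servers, lookup=query_txt,
                       attempts=30, interval=10, sleep=time.sleep):
    """Poll every server until all return EXPECTED for NAME (a timeout or SERVFAIL
    counts as missing). Returns the servers still missing it after ATTEMPTS rounds."""
    missing = list(servers)
    for _ in range(attempts):
        missing = []
        for srv in servers:
            try:
                if expected not in lookup(name, srv):
                    missing.append(srv)
            except (OSError, ValueError):
                missing.append(srv)
        if not missing:
            return []
        sleep(interval)
    return missing


def build_response(txid, name, txts):
    """Constructed fixture, not real DNS traffic: a NOERROR answer carrying TXT records
    whose owner name is a compression pointer back to the question (offset 12)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(txts), 0, 0)
    question = _encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_IN)
    answers = b""
    for t in txts:
        rdata = bytes([len(t)]) + t.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    # Placeholders: use the real challenge name, the token the ACME client wrote,
    # and the IPs of the zone's authoritative nameservers (from the zone's NS records).
    left = wait_for_challenge("_acme-challenge.vault.example.com", "TOKEN_FROM_ACME_CLIENT",
                              ["192.0.2.1", "192.0.2.2"], attempts=3, interval=5)
    print("record served by all authoritative servers" if not left
          else "still missing on: " + ", ".join(left))
```

Run with the zone’s real nameserver IPs and the token the add-on just published; when every server answers, the CA’s own lookup will succeed regardless of how stale a public resolver’s cache is, so the add-on’s propagation wait can be set to a value that is known to be enough instead of one found by trial and error. A server that keeps answering without the record after the primary has it is the secondary that is slow to transfer the zone, which is where the 900-second “edge” in the thread comes from.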