Let's encrypt --> DirectAdmin --> DNS challenge fails

Hi there,

I couldn’t find a topic regarding the Let’s Encrypt Add-on so I’m posting this here.

The case:
For my Home Assistant setup itself I'm using my Nabu Casa subscription with a custom domain (works like a charm).
However, I'm also running the Bitwarden (Vaultwarden) add-on, for which I'm using the Let's Encrypt add-on to periodically renew a certificate (I'm using a separate subdomain for that).
This worked well for months, but suddenly it stopped working.
I found out it mainly stopped working due to an expired login key in DirectAdmin, but after fixing that, I still didn't get any certificates.

What’s going well:
The Let's Encrypt add-on is successfully able to add the DNS TXT record to the DNS management system of DirectAdmin like it always did.
This proves the Let's Encrypt add-on is doing its job and my DirectAdmin DNS management is also working (the login key is working with sufficient permissions).

What’s going wrong?
After the propagation time (it doesn't matter if I raise this up to 5 minutes) the CA (Let's Encrypt) reports it couldn't verify the DNS record.

Anyone struggled upon this and found a solution for it?

After this all fails, the add-on cleans up the TXT record (so I'm not looking at an old record still standing there).

Below are some screenshots:
The first two were taken at the same time and show the status during the propagation time, with proof that the ACME challenge TXT record is in place:

[screenshots]
So to me it looks like the Let's Encrypt (intermediate) CA isn't able to verify my DNS records, but I don't understand why, as extending the propagation time doesn't solve the issue (5 minutes should be sufficient), and I would like to know if someone else has experienced this and found a solution for it.

EDIT: Just tried with the propagation setting set to 15 minutes (900 seconds) → same results.

Why do you have “something” after _acme-challenge?
The other entries do not seem to have any, so I assume you are at the root of your domain.

[image]

You're totally right, I'm looking at the domain's root.
I have something after _acme-challenge because this is a subdomain.

It worked this way for months (1y+). As I'm writing this I realize: could it be that Let's Encrypt blacklisted my (sub)domain due to the many failed requests while my login key was expired?

Gonna figure out how I can find out if I’m blacklisted.

Thanks for your response it somehow pointed me in a direction :slight_smile:

EDIT: I found out the block only lasts 1 hour after 5 failed attempts within 1 hour, so this can't be the root cause.

Did you actually try a

nslookup -q=txt _acme-challenge.sub.root.nl

during the propagation period?

It is one thing to have the TXT in directadmin DNS, it is another to have that entry actually replicated worldwide. That’s what is actually behind “propagation”.

1 Like
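As an added example (not the Let's Encrypt add-on's own code and not posted in the thread), the script below turns the fixed propagation sleep into a poll: it asks each name server for the `_acme-challenge` TXT record and only reports success once every one of them returns the expected value. Let's Encrypt resolves the name itself starting from the zone's authoritative servers, so those (the output of `dig NS` for the zone, i.e. DirectAdmin's primary and any secondaries) are the ones to watch; the public resolvers are only a sanity check, and a single `nslookup` against one of them can miss a secondary that is still behind. The domain, zone, token and resolver list are assumed placeholders.

```shell
#!/bin/sh
# Added example (not the Let's Encrypt add-on's code): poll DNS for the
# _acme-challenge TXT record and only declare "propagated" once every server
# asked returns the expected value. Names, token and resolvers are assumptions.

NAME="_acme-challenge.sub.root.nl"          # assumed: the subdomain from the thread
ZONE="root.nl"                              # assumed: zone apex, for the NS lookup
EXPECTED="replace-with-token-from-acme-log" # assumed: value the add-on wrote
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"         # public resolvers, sanity check only
INTERVAL=30                                 # seconds between polls
MAX_WAIT=1800                               # give up after 30 minutes

# Authoritative name servers of zone $1: what the CA effectively asks, so they
# matter more than any public resolver's cache.
authoritative_servers() {
    dig +short NS "$1" 2>/dev/null | sed 's/\.$//'
}

# TXT strings published at $1 as seen by server $2, one per line, unquoted.
lookup_txt() {
    dig +short TXT "$1" "@$2" 2>/dev/null | tr -d '"'
}

# Succeed if server $2 already returns value $3 for name $1.
has_record() {
    lookup_txt "$1" "$2" | grep -Fx -- "$3" >/dev/null
}

# Print the servers (arguments after name and value) that do NOT yet see it.
missing_servers() {
    m_name=$1; m_value=$2; shift 2
    for srv in "$@"; do
        has_record "$m_name" "$srv" "$m_value" || printf '%s\n' "$srv"
    done
}

# wait_for_txt NAME VALUE MAX_SECONDS INTERVAL SERVER...
# Returns 0 once all servers agree, 1 on timeout. This replaces the add-on's
# fixed propagation sleep with a check driven by what DNS actually answers.
wait_for_txt() {
    w_name=$1; w_value=$2; w_max=$3; w_interval=$4; shift 4
    elapsed=0
    while :; do
        missing=$(missing_servers "$w_name" "$w_value" "$@")
        if [ -z "$missing" ]; then
            echo "all servers return $w_name after ${elapsed}s"
            return 0
        fi
        if [ "$elapsed" -ge "$w_max" ]; then
            echo "timeout after ${elapsed}s, still missing at: $(printf '%s ' $missing)" >&2
            return 1
        fi
        sleep "$w_interval"
        elapsed=$((elapsed + w_interval))
    done
}

# Stand-alone use: `sh propagation-check.sh --run` checks the zone's own
# servers first, then the public resolvers.
if [ "${1:-}" = "--run" ]; then
    wait_for_txt "$NAME" "$EXPECTED" "$MAX_WAIT" "$INTERVAL" \
        $(authoritative_servers "$ZONE") $RESOLVERS
fi
```

Run it in the propagation window with the token from the add-on log as `EXPECTED`; if it times out while listing only some of the authoritative servers as missing, the delay is zone transfer to the secondaries rather than anything in the add-on, and a longer propagation setting is the right fix.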

No I didn't, but I did now :slight_smile: After about 10 minutes the TXT record could be retrieved successfully:

So 5 minutes was never going to work at all. However, I left the propagation time at 15 minutes, which seems to be sufficient... but hey, that's the result from the DNS server I'm querying, so probably the DNS server Let's Encrypt uses needs somewhat more time.
So after the current job finishes, I'll set the propagation time to 3600 seconds (1 hour); probably this will solve the issue.

I’ll post the results here.

Thanks again for your response

EDIT: After posting this message I went looking for the results and for some reason it succeeded in retrieving the certificate with the propagation time set to 900 seconds, so I guess 900 seconds is on the edge of succeeding and failing (depending on how fast the DNS servers get in sync with each other).

As my cert request succeeded I can't retry now, but I'll set the propagation time to 1800 seconds (30 minutes). Hopefully this will ensure future cert requests will be stable.

I appreciate your help on this one.

For now I'll mark this one as solved; hopefully someone else will also benefit from this thread.

EDIT: I discovered I'm not able to mark the thread as Solved/Closed/Done. So I'm leaving the thread as is; I guess the thread will be closed when the time comes.

1 Like