Let's Encrypt DNS challenge waiting for DNS propagation

I'm using the Namecheap API, Docker Swarm, and Traefik 2.8.4. As others have noted (see, for example, here and here), I have a problem with lego's check on DNS propagation.

When the propagation check is enabled, it seems that lego is checking endlessly (admittedly, I only waited 10 minutes) while I can already see the correct TXT record with dig.

dig _acme-challenge.my.domain TXT @dns1.registrar-servers.com

When I disable the propagation check, it seems that the TXT records are cleaned up before the Let's Encrypt server can validate them and thus no certificate is issued.

The only way I got it to work is to also set a delay before doing the propagation check which also seems to introduce a delay even when propagation is disabled.

So my final working configuration with Docker Swarm:

    command: >
      --certificatesresolvers.certbot.acme.email=${EMAIL?Variable EMAIL is required!}

I hope that this may help others in the same boat or that somebody can suggest better solutions that would actually use the propagation check correctly.

Try the resolvers appended with port :53


When I look in the logs, it seems like port 53 is anyway automatically appended but I'll check if that makes a difference.

As expected, adding the port didn't make any difference.

When running the lego binary (v4.8) directly on the host, the DNS propagation check succeeds after 30 s. However, when running with the exact same settings using the go-acme/lego Docker image, there is a UDP related timeout.

So I suspect that I need to open some UDP port between the host and the Docker container. I'm unsure which one, though.