Problem renewing the cert with DNS-01 challenge

Hello everyone!

I've been using Docker + Traefik + LetsEncrypt for months, but now the certs expired a few days ago. Not sure why, but it did not renew automatically. I tried to renew the cert with no success! My method is the DNS-01 challenge. I tried with DuckDNS and with Dynu, but I always get this error:

{"level":"error","msg":"Unable to obtain ACME certificate for domains \"mydomain.mywire.org,*.mydomain.mywire.org\" : unable to generate a certificate for the domains [mydomain.mywire.org *.mydomain.mywire.org]: error: one or more domains had a problem:\n[*.mydomain.mywire.org] time limit exceeded: last error: NS ns2.dynu.com. returned REFUSED for _acme-challenge.mydomain.mywire.org.\n[mydomain.mywire.org] time limit exceeded: last error: NS ns4.dynu.com. returned REFUSED for _acme-challenge.mydomain.mywire.org.\n","providerName":"letsencrypt.acme","time":"2020-10-23T21:04:11-03:00"}

I was checking many pages, but I did not find any clue about my problem. I truly believe it is a simple problem, but I am just not seeing it.

My static configuration is as follows:

[entryPoints.websecure.http.tls]
certResolver = "letsencrypt"
[[entryPoints.websecure.http.tls.domains]]
main = "mydomain.mywire.org"
sans = ["*.mydomain.mywire.org"]

[certificatesResolvers.letsencrypt.acme]
email = "myemail@gmail.com"
storage = "acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

[certificatesResolvers.letsencrypt.acme.dnsChallenge]
provider = "dynu"
delayBeforeCheck = 30
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

and the dynamic one is:

labels:
   - traefik.enable=true
   - traefik.http.routers.app.rule=Host(`app.mydomain.mywire.org`)
   - traefik.http.routers.app.entrypoints=websecure
   - traefik.http.services.app.loadbalancer.server.port=8000

Any advice?

Hey, I found a way to resolve this issue. There is a global option in the Lego documentation that works for me:

   --dns.disable-cp             By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.

So I modified my static configuration by adding this line:

disablePropagationCheck = true

Now the cert is there and working.
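
The error in the first post names, for each failed domain, the name server that was queried, its response code and the challenge record. As an added example (not code from the thread, Traefik or lego), this Python script extracts those fields from the Traefik JSON log line so the failing check can be read per name server; the function names and the regular expression are assumptions based on the message format shown in the post.

```python
import json
import re

# The log line from the post, copied verbatim (raw string keeps the JSON escapes).
SAMPLE_LOG = r'''{"level":"error","msg":"Unable to obtain ACME certificate for domains \"mydomain.mywire.org,*.mydomain.mywire.org\" : unable to generate a certificate for the domains [mydomain.mywire.org *.mydomain.mywire.org]: error: one or more domains had a problem:\n[*.mydomain.mywire.org] time limit exceeded: last error: NS ns2.dynu.com. returned REFUSED for _acme-challenge.mydomain.mywire.org.\n[mydomain.mywire.org] time limit exceeded: last error: NS ns4.dynu.com. returned REFUSED for _acme-challenge.mydomain.mywire.org.\n","providerName":"letsencrypt.acme","time":"2020-10-23T21:04:11-03:00"}'''

# Assumed pattern: one line per domain, in the wording seen in the post.
PRECHECK = re.compile(
    r"^\[(?P<domain>[^\]]+)\] time limit exceeded: last error: "
    r"NS (?P<ns>\S+) returned (?P<rcode>[A-Z]+) for (?P<fqdn>\S+)$",
    re.MULTILINE,
)

def propagation_failures(log_line):
    """Return one dict per domain whose TXT-record check timed out."""
    try:
        entry = json.loads(log_line)
    except json.JSONDecodeError:
        return []  # not a JSON-formatted log line
    if not isinstance(entry, dict) or entry.get("level") != "error":
        return []
    return [m.groupdict() for m in PRECHECK.finditer(str(entry.get("msg", "")))]

def summarize(failures):
    """Group failures by challenge record: affected domains and (NS, rcode) pairs."""
    summary = {}
    for f in failures:
        rec = summary.setdefault(f["fqdn"], {"domains": [], "answers": set()})
        rec["domains"].append(f["domain"])
        rec["answers"].add((f["ns"], f["rcode"]))
    return summary

if __name__ == "__main__":
    for fqdn, rec in summarize(propagation_failures(SAMPLE_LOG)).items():
        print(f"TXT record checked: {fqdn}")
        print(f"  certificate names affected: {', '.join(rec['domains'])}")
        for ns, rcode in sorted(rec["answers"]):
            print(f"  {ns} answered {rcode}")
```
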
