Solved LE does not renew on new server, only timeouts

Richard G

Recently installed a new server, IPv4 and IPv6, everything working except... it seems LE certs are not renewed due to timeouts.
I had this before and ignored it, thought it was only 1 domain, but now the second domain needs to be renewed and runs into the same issue.

All the rest seems to work fine, it only gets timeouts.
Code:
Found wildcard domain name and http challenge type, switching to dns-01 validation.
2023/11/07 00:13:53 [INFO] [*.customerdomain.nl, customerdomain.nl] acme: Obtaining SAN certificate
2023/11/07 00:13:54 [INFO] [*.customerdomain.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/281287xxxxxx
2023/11/07 00:13:54 [INFO] [customerdomain.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/281287xxxxxx
2023/11/07 00:13:54 [INFO] [*.customerdomain.nl] acme: use dns-01 solver
2023/11/07 00:13:54 [INFO] [customerdomain.nl] acme: Could not find solver for: tls-alpn-01
2023/11/07 00:13:54 [INFO] [customerdomain.nl] acme: Could not find solver for: http-01
2023/11/07 00:13:54 [INFO] [customerdomain.nl] acme: use dns-01 solver
2023/11/07 00:13:54 [INFO] [*.customerdomain.nl] acme: Preparing to solve DNS-01
2023/11/07 00:13:57 2023/11/07 00:13:54  info executing task            task=action=dns&do=delete&domain=customerdomain.nl&name=_acme-challenge&type=TXT
2023/11/07 00:13:56  info executing task            task=action=dns&do=add&domain=customerdomain.nl&name=_acme-challenge&named_reload=yes&ttl=5&type=TXT&value=%22BkL8Lb9AYvy8wWWFK1KF0pPEx-9TuLh2qUuycMHdFT0%22

2023/11/07 00:19:51 [INFO] [customerdomain.nl] acme: Trying to solve DNS-01
2023/11/07 00:19:51 [INFO] [customerdomain.nl] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2023/11/07 00:20:21 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2023/11/07 00:20:31 [INFO] [customerdomain.nl] acme: Waiting for DNS record propagation.
2023/11/07 00:21:11 [INFO] [customerdomain.nl] acme: Waiting for DNS record propagation.
2023/11/07 00:21:51 [INFO] [customerdomain.nl] acme: Waiting for DNS record propagation.
2023/11/07 00:22:31 [INFO] [customerdomain.nl] acme: Waiting for DNS record propagation.
2023/11/07 00:23:11 [INFO] [customerdomain.nl] acme: Waiting for DNS record propagation.
2023/11/07 00:23:51 [INFO] [customerdomain.nl] acme: Waiting for DNS record propagation.
2023/11/07 00:24:31 [INFO] [customerdomain.nl] acme: Waiting for DNS record propagation.
2023/11/07 00:25:11 [INFO] [customerdomain.nl] acme: Waiting for DNS record propagation.
2023/11/07 00:25:41 [INFO] [customerdomain.nl] acme: Cleaning DNS-01 challenge
2023/11/07 00:25:42 2023/11/07 00:25:41  info executing task            task=action=dns&do=delete&domain=customerdomain.nl&name=_acme-challenge&type=TXT

2023/11/07 00:25:42 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/281287xxxxxx
2023/11/07 00:25:43 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/281287xxxxxx
2023/11/07 00:25:43 Could not obtain certificates:
   error: one or more domains had a problem:
[*.customerdomain.nl] time limit exceeded: last error: dial udp: i/o timeout
[customerdomain.nl] time limit exceeded: last error: dial udp: i/o timeout
Certificate generation failed.

Everything else in the message seems to run fine.
My /etc/resolv.conf contains both 127.0.0.1 and 1.1.1.1, and the IP from the datacenter which is the default in there.
Named is working on both IPv4 and IPv6 on port 53 (tested).

What is going wrong here? How can I fix this?
I might have solved it, but I'm not sure, would be very odd that this would have caused it.
In spite of the fact that I did check the Restore with Local NameServers box (unchecked: Use NS values from backup), for some reason during the restore (a few weeks ago) the nameservers from the backup were used in the user accounts themselves. So in the DNS administration of the users themselves the old NS records were present.

However from outside (the internet) the DNS was working fine anyway.

I fixed this with some commands to change the NS records for all users to the correct records.

After that I tried manually renewing and this has worked without problems.

I'm just wondering now: there is another domain which has been trying to renew today and got the same problem. Its certificate will run out on December 11th.
So I would like to know if I can find out somehow whether another retry will be done before that time or not. Otherwise I have to do a manual renew for that domain too.
I still don't understand why the local NS entry for a customer domain is important, or why the restore did not use the local NS records this time.
But well... the second domain has updated now automatically so this must have been the cause of the timeouts.
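The failure in the log above is worth reading precisely: "dial udp: i/o timeout" is not "record not found". The ACME client never got any answer from the resolver it picked for the propagation check ([2001:4860:4860::8888]:53), which is a different problem from a TXT record that simply has not propagated yet. The following pre-flight check is an added example written for this thread; it is not code from the ACME client, the control panel or the poster. It sends a raw TXT query for the `_acme-challenge` name to each resolver and reports one of three states: resolver unreachable (the timeout seen here), record not propagated, or token present. The resolver addresses, the challenge name and the token value are taken from the thread; `build_txt_response` is a constructed reply used only to exercise the parser offline.

```python
"""Pre-flight check for DNS-01 validation: ask each resolver the ACME client
might use for the _acme-challenge TXT record and tell three outcomes apart:
resolver unreachable (the "dial udp: i/o timeout" in the thread), record not
yet propagated, or the expected token present. Added example, not the ACME
client's own code."""
import random
import socket
import struct

TXT = 16  # RR type
IN = 1    # RR class


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_txt_query(name: str, txid: int) -> bytes:
    """Recursion-desired TXT/IN query with a single question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TXT, IN)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_response(msg: bytes, txid: int):
    """Return (rcode, list of TXT strings) from a DNS response message."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch, reply is not for our query")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    txts = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TXT:
            # rdata is one or more <len><chars> character-strings; join them
            i, parts = 0, []
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            txts.append("".join(parts))
    return rcode, txts


def classify(rcode: int, txts: list, expected: str) -> str:
    """Map a parsed answer onto the state the ACME propagation check cares about."""
    if rcode == 3:
        return "not-propagated (NXDOMAIN)"
    if rcode != 0:
        return f"resolver error (rcode {rcode})"
    if expected in txts:
        return "ready"
    if txts:
        return "stale-token"  # an old challenge value is still being served
    return "not-propagated (no TXT)"


def check_resolver(resolver: str, name: str, expected: str, timeout: float = 3.0) -> str:
    """Query one resolver over UDP/53; a timeout here corresponds to the
    client's 'dial udp: i/o timeout' and means the resolver itself is unreachable."""
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    txid = random.randrange(0x10000)
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_txt_query(name, txid), (resolver, 53))
            data, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError) as exc:
            return f"resolver unreachable: {exc}"
    return classify(*parse_txt_response(data, txid), expected)


def build_txt_response(name: str, txid: int, txts: list, rcode: int = 0) -> bytes:
    """Constructed resolver reply for offline testing of the parser only:
    echoes the question, then one TXT answer (compressed owner name) per string."""
    flags = 0x8180 | rcode  # QR, RD, RA bits plus the response code
    header = struct.pack("!HHHHHH", txid, flags, 1, len(txts), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TXT, IN)
    answers = b""
    for txt in txts:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 5, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    # Resolvers named in the thread: local named, Cloudflare, Google's IPv6 resolver.
    RESOLVERS = ["127.0.0.1", "1.1.1.1", "2001:4860:4860::8888"]
    CHALLENGE = "_acme-challenge.customerdomain.nl"
    TOKEN = "BkL8Lb9AYvy8wWWFK1KF0pPEx-9TuLh2qUuycMHdFT0"  # value from the log above
    for r in RESOLVERS:
        print(f"{r:>22}: {check_resolver(r, CHALLENGE, TOKEN)}")
```

Run on the server right after the panel's `dns&do=add` task fires. If the IPv6 resolver reports "resolver unreachable" while 1.1.1.1 answers, the problem is UDP/53 reachability over IPv6 from that host, not the zone; if every resolver answers "not-propagated" for minutes, look at the zone's NS records and the authoritative servers, which is where this thread ended up.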