new cert setup not finishing
-
I just set up ACME to renew certificates and have a test cert configured.
I have a valid Letsencrypt account as I have been renewing certificates manually.
Now with a new DNS provider (Cloudflare) I want to automate the certificate renewal. Seems the order processing is taking more time than expected and the acme_challenge is deleted before the certificate creation is completed.
Is this a bug in the processing?

server.my.domain
Renewing certificate
account: Letsencrypt-Test
server: letsencrypt-staging-2
/usr/local/pkg/acme/acme.sh --issue --domain 'server.my.domain' --dns 'dns_cf' --home '/tmp/acme/server.my.domain/' --accountconf '/tmp/acme/server.my.domain/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/server.my.domain/reloadcmd.sh' --log-level 3 --log '/tmp/acme/server.my.domain/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [CF_Key] => <removed>
    [CF_Email] => <removed>
    [CF_Token] => <removed>
    [CF_Account_ID] => <removed>
    [CF_Zone_ID] => <removed>
)
[Sun Nov 12 20:07:43 EST 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Sun Nov 12 20:07:43 EST 2023] Using pre generated key: /tmp/acme/server.my.domain/server.my.domain/server.my.domain.key.next
[Sun Nov 12 20:07:43 EST 2023] Generate next pre-generate key.
[Sun Nov 12 20:07:43 EST 2023] Single domain='server.my.domain'
[Sun Nov 12 20:07:43 EST 2023] Getting domain auth token for each domain
[Sun Nov 12 20:07:45 EST 2023] Getting webroot for domain='server.my.domain'
[Sun Nov 12 20:07:45 EST 2023] Adding txt value: lDFgNZcNRmGZ4fKiSJHqpQk6ycsF-qd_B7JJwVaqNkY for domain: _acme-challenge.server.my.domain
[Sun Nov 12 20:07:45 EST 2023] Adding record
[Sun Nov 12 20:07:46 EST 2023] Added, OK
[Sun Nov 12 20:07:46 EST 2023] The txt record is added: Success.
[Sun Nov 12 20:07:46 EST 2023] Let's check each DNS record now. Sleep 20 seconds first.
[Sun Nov 12 20:08:06 EST 2023] You can use '--dnssleep' to disable public dns checks.
[Sun Nov 12 20:08:06 EST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Sun Nov 12 20:08:06 EST 2023] Checking server.my.domain for _acme-challenge.server.my.domain
[Sun Nov 12 20:08:06 EST 2023] Domain server.my.domain '_acme-challenge.server.my.domain' success.
[Sun Nov 12 20:08:06 EST 2023] All success, let's return
[Sun Nov 12 20:08:06 EST 2023] Verifying: server.my.domain
[Sun Nov 12 20:08:06 EST 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Sun Nov 12 20:08:09 EST 2023] Removing DNS records.
[Sun Nov 12 20:08:09 EST 2023] Removing txt: lDFgNZcNRmGZ4fKiSJHqpQk6ycsF-qd_B7JJwVaqNkY for domain: _acme-challenge.server.my.domain
[Sun Nov 12 20:08:09 EST 2023] Removed: Success
[Sun Nov 12 20:08:09 EST 2023] server.my.domain:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.server.my.domain - check that a DNS record exists for this domain
[Sun Nov 12 20:08:09 EST 2023] Please check log file for more details: /tmp/acme/server.my.domain/acme_issuecert.log
-
@linuxlover2 said in new cert setup not finishing:
Sleep 20 seconds first
During the waiting period, the 'sleep seconds 20', all the slave DNS(es) have to sync with the DNS master.
If this didn't happen within these 20 seconds, this
server.my.domain:Verify error:DNS problem:
is a typical error, as LE can check any (= slave) domain name server, not only the master. If the DNS domain slave hasn't synced yet, it will fail.
So: easy fix: give it more time. Mine is set to "120".
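
As an added illustration (not part of the original posts, and not acme.sh or pfSense code), this Python example reads an acme.sh issue log like the one in the question and flags the race described in the reply above: the CA reporting NXDOMAIN after a short wait between adding the TXT record and starting verification. The names `parse`, `diagnose` and `SAMPLE_LOG` are hypothetical, and the 120-second threshold is an assumption taken from the setting mentioned in the reply.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the acme.sh log lines posted in the question.
SAMPLE_LOG = """\
[Sun Nov 12 20:07:46 EST 2023] The txt record is added: Success.
[Sun Nov 12 20:07:46 EST 2023] Let's check each DNS record now. Sleep 20 seconds first.
[Sun Nov 12 20:08:06 EST 2023] Verifying: server.my.domain
[Sun Nov 12 20:08:06 EST 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Sun Nov 12 20:08:09 EST 2023] Removing DNS records.
[Sun Nov 12 20:08:09 EST 2023] server.my.domain:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.server.my.domain - check that a DNS record exists for this domain
"""

# "[Sun Nov 12 20:07:46 EST 2023] message"; the zone abbreviation is skipped
# because only differences between timestamps in the same log are needed.
LINE = re.compile(r"^\[(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d) \w+ (\d{4})\] (.*)$")


def parse(log):
    """Yield (timestamp, message) for each acme.sh log line; skip anything else."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            stamp = f"{m.group(1)} {m.group(2)}"
            yield datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), m.group(3)


def diagnose(log, recommended_sleep=120):
    """Summarise the wait before verification and whether the CA saw NXDOMAIN."""
    added = verifying = sleep = None
    nxdomain = False
    for ts, msg in parse(log):
        if msg.startswith("The txt record is added"):
            added = ts
        elif (m := re.search(r"Sleep (\d+) seconds", msg)):
            sleep = int(m.group(1))
        elif msg.startswith("Verifying:") and verifying is None:
            verifying = ts
        elif "Verify error" in msg and "NXDOMAIN" in msg:
            nxdomain = True
    window = int((verifying - added).total_seconds()) if added and verifying else None
    return {
        "configured_sleep": sleep,        # value announced by acme.sh in the log
        "propagation_window": window,     # seconds from TXT added to verification
        "nxdomain_at_ca": nxdomain,       # CA could not find the TXT record
        "likely_propagation_race": nxdomain and window is not None
                                   and window < recommended_sleep,
    }
```
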
-
@Gertjan Thank you for the quick response.
Will give that a try. It did eventually succeed, so now have to wait 2 weeks to renew.
-
@linuxlover2 said in new cert setup not finishing:
so now have to wait 2 weeks to renew.
One week, or even right away; check here: Rate Limits.