I've had an issue for a while (a few months) where dehydrated fails to renew the certificates due to issues with Let's Encrypt's own DNS resolver, which randomly fails to resolve CAA records (even for top-level domains sometimes).
The definitive fix is implementing retry logic. This is not something I would write naively; it needs at the very least to be considerate of rate limits.
Here is a partial result output, so that this issue appears in searches.
```json
{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "During secondary validation: DNS problem: query timed out looking up CAA for xyz",
    "status": 400
  }
}
```
The workaround I have is to run dehydrated more often than before, hoping a next run will have more luck.
Dehydrated currently doesn't have retry logic and just aborts after a single failure (or just continues with the next certificate).
There have been several tickets about this issue; this one should consolidate those tickets and serve as a reference point for future quick-closes.
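One way a rate-limit-aware retry around the renewal run could look, as an added example that is not part of the issue or of dehydrated's own code. The function names, the attempt cap and the delays are assumptions, as is the premise that the failing command prints the challenge JSON shown above.

```shell
#!/bin/sh
# Added example, not part of dehydrated. All names and limits are assumptions.
MAX_ATTEMPTS=3   # assumption: stay well below the CA's failed-validation limit
BASE_DELAY=60    # assumption: seconds to wait before the first retry
MAX_DELAY=900    # assumption: upper bound for a single wait

# Read command output on stdin, print the first ACME error URN found in it.
acme_error_type() {
  grep -o '"type"[[:space:]]*:[[:space:]]*"urn:ietf:params:acme:error:[A-Za-z]*"' \
    | head -n 1 | sed 's/.*"\(urn:[^"]*\)"/\1/'
}

# Succeed only for error types where a later attempt can plausibly pass.
is_retryable() {
  case "$1" in
    urn:ietf:params:acme:error:dns) return 0 ;;  # resolver timeout, as in this issue
    *) return 1 ;;  # rateLimited, unauthorized, caa, unknown: retrying only burns quota
  esac
}

# Exponential backoff: BASE_DELAY * 2^(attempt-1), capped at MAX_DELAY.
backoff_delay() {
  d=$(( BASE_DELAY * (1 << ($1 - 1)) ))
  if [ "$d" -gt "$MAX_DELAY" ]; then d=$MAX_DELAY; fi
  echo "$d"
}

# Run "$@" until it succeeds (0), fails non-retryably (1) or attempts run out (2).
retry_renewal() {
  attempt=1
  while :; do
    if out=$("$@" 2>&1); then printf '%s\n' "$out"; return 0; fi
    printf '%s\n' "$out" >&2
    err=$(printf '%s\n' "$out" | acme_error_type)
    is_retryable "$err" || return 1
    if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then return 2; fi
    sleep "$(backoff_delay "$attempt")"
    attempt=$(( attempt + 1 ))
  done
}

# Usage from cron (assumes the command prints the challenge JSON on failure):
#   retry_renewal dehydrated --cron
```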