Let's Encrypt cert renewal with lego

Hi, I get an error trying to renew a Let's Encrypt certificate with lego.

Oct 02 09:29:31 acme lego[1798063]: [*.sub.example.com] [*.sub.example.com] acme: error presenting token: desec: could not find zone for domain "sub.example.com" and fqdn "_acme-challenge.sub.example.com." : could not find the start of authority for _acme-challenge.sub.example.com.: NOERROR
Oct 02 09:29:31 acme lego[1798063]: [sub.example.com] [sub.example.com] acme: error presenting token: desec: could not find zone for domain "sub.example.com" and fqdn "_acme-challenge.sub.example.com." : could not find the start of authority for _acme-challenge.sub.example.com.: NOERROR

The error message seems to come from the deSEC API. Does anyone have a clue what's going on? I generated the cert some months ago using the same setup without errors.

Thanks

Hi spiff,

welcome to deSEC!

The error message indicates that the account that lego is using to publish the acme challenge does not contain a domain suitable to publish the challenge in the DNS. (For example, your challenge should be at sub.example.com but the account only contains the domains example.net and example.org.)

Has the domain been deleted or moved to a different account?

Best,
Nils
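The "could not find the start of authority" part of the log is the client working out which zone the `_acme-challenge` TXT record belongs in: it strips one label at a time off the challenge name and asks for an SOA record at each level until a zone apex answers. Below is an added offline model of that walk-up for troubleshooting; it is not lego's or deSEC's code, and the DNS answers are constructed tables standing in for a resolver.

```python
"""Offline model of the SOA walk-up behind lego's
'could not find the start of authority' error (added example, not lego's code)."""
from typing import Callable, Dict, List, Optional, Tuple

# A lookup answers (rcode, SOA owner name or None) for one query name.
Answer = Tuple[str, Optional[str]]
Lookup = Callable[[str], Answer]

# Constructed stand-in for a healthy setup: the challenge name exists (it holds
# a TXT record, so NOERROR but no SOA) and sub.example.com is a delegated zone.
HEALTHY: Dict[str, Answer] = {
    "_acme-challenge.sub.example.com.": ("NOERROR", None),
    "sub.example.com.": ("NOERROR", "sub.example.com."),
    "example.com.": ("NOERROR", "example.com."),
    "com.": ("NOERROR", "com."),
}

def table_lookup(table: Dict[str, Answer]) -> Lookup:
    """Answer from a fixed table; names not in it get NXDOMAIN."""
    return lambda name: table.get(name, ("NXDOMAIN", None))

def no_soa_lookup(name: str) -> Answer:
    """Constructed failure mode matching the log above: every query comes back
    NOERROR with an empty answer section, so an SOA is never seen."""
    return ("NOERROR", None)

def find_zone(fqdn: str, lookup: Lookup) -> Tuple[str, List[str]]:
    """Strip one label at a time (down to the TLD) and ask for SOA; return
    (zone apex, names tried). Raises LookupError carrying the last rcode."""
    name = fqdn if fqdn.endswith(".") else fqdn + "."
    labels = name.rstrip(".").split(".")
    tried: List[str] = []
    rcode = "NOERROR"
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        tried.append(candidate)
        rcode, soa_owner = lookup(candidate)
        if soa_owner is not None:
            return soa_owner, tried
    raise LookupError(f"could not find the start of authority for {name}: {rcode}")

def diagnose(fqdn: str, lookup: Lookup) -> str:
    """One-line summary of the walk-up, in the shape a troubleshooting log wants."""
    try:
        zone, tried = find_zone(fqdn, lookup)
        return f"zone {zone} found after {len(tried)} SOA queries"
    except LookupError as exc:
        return str(exc)

if __name__ == "__main__":
    print(diagnose("_acme-challenge.sub.example.com", table_lookup(HEALTHY)))
    print(diagnose("_acme-challenge.sub.example.com", no_soa_lookup))
```

Swapping `table_lookup` for a function that issues real SOA queries against the resolver lego is configured to use (DNS_RESOLVERS in this thread) shows exactly which level of the name fails to return an SOA.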

Thanks, Nils. The domain hasn't been deleted or moved. I might have deleted some records for sub.example.com in the past because I use it only for internal purposes, but I'm not sure.

I already tried adding _acme-challenge.sub & _acme-challenge as TXT records and an A record for sub, and instructed lego to use one of deSEC's NS servers directly (DNS_RESOLVERS='45.54.76.1:53') to avoid any caching. I've also tried a new token. Same results.

Please contact support@desec.io with your domain name so that they can assess the situation directly. Thanks!

Best,
Nils