Please set the default --dns-netcup-propagation-seconds >= 630

[bernhardkaindl]

Hi @coldfix, please have a look at:

• Internal Error with netcup and DNS Challenge NginxProxyManager/nginx-proxy-manager#1706
• DNS challenge with netcup api home-assistant/addons#3016
• https://www.reddit.com/r/nginxproxymanager/comments/xdf7d7/creating_certificate_with_challenge_netcup_fails/

and especially the netcup forum, for example, most clearly:

https://forum.netcup.de/netcup-applications/ccp-customer-control-panel/p168229-nxdomain-looking-up-txt-for-acme-challenge-subdomain-lokale-ip/#post168229

Zwischen des Eintrags der challenge als TXT und dem Verifizierungsvorgang habe ich 300 Sekunden gewartet. Sind hier 5min zu wenig Zeit?

Definitiv, da der Reload der DNS-Zonen immer nur alle 10 Minuten stattfindet. In Ausnahmefällen dauert es manchmal auch 20 Minuten.

So the absolute bare minimum for netcup would be 10 minutes, but to give DNS 5 minutes to propagate, you need 900 seconds.

I needed to use 900 to make the DNS challenge it work. You can check the DNS output of the netcups DNS using:

$ while true;do dig +short -t txt _acme-challenge.subdomain.yourdomain.at root-dns.netcup.net;sleep 10;done

DerRene (with bonn13 confirming) reports that he uses 630 seconds since a long time, but their messages are from 2021, so you may want to confirm that it really works (and it likely only works when DNSSEC is not enabled for the zone), like m_ueberall wrote above it:
https://forum.netcup.de/netcup-applications/ccp-customer-control-panel/p168232-nxdomain-looking-up-txt-for-acme-challenge-subdomain-lokale-ip/#post168232

[coldfix]

Hey,
fair enough, let's do it.