From 3d606b20bc841a97c5912c756827be35ead68083 Mon Sep 17 00:00:00 2001
From: eskimo
Date: Mon, 22 Jun 2026 02:14:48 -0400
Subject: [PATCH] v3.0.1: default propagation 20s -> 60s for edge-replica convergence
20s was too tight: yeil serves DNS from edge replicas fed by a replication log, so a freshly-written _acme-challenge TXT takes a bit to appear on every authoritative nameserver. Let's Encrypt's secondary (multi-perspective) validation hit a not-yet-converged replica and saw a stale value -> 'incorrect TXT record found'. 60s lets all replicas catch up (matches what already works in practice for wildcard certs).
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 certbot_dns_yeil/dns_yeil.py | 7 ++++++-
 setup.py | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/certbot_dns_yeil/dns_yeil.py b/certbot_dns_yeil/dns_yeil.py
index 6712038..116eae0 100644
--- a/certbot_dns_yeil/dns_yeil.py
+++ b/certbot_dns_yeil/dns_yeil.py
@@ -39,8 +39,13 @@ class Authenticator(dns_common.DNSAuthenticator):
 @classmethod
 def add_parser_arguments(cls, add):
+ # yeil serves DNS from edge replicas fed by a replication log, so a
+ # freshly-written TXT takes a little time to appear on every
+ # authoritative nameserver. 20s was too tight and tripped Let's
+ # Encrypt's secondary (multi-perspective) validation against a
+ # not-yet-converged replica; 60s gives all replicas time to catch up.
 super(Authenticator, cls).add_parser_arguments(
- add, default_propagation_seconds=20
+ add, default_propagation_seconds=60
 )
 add("credentials", help="Path to your yeil credentials INI file.")
diff --git a/setup.py b/setup.py
index f14ff8f..7931cf3 100644
--- a/setup.py
+++ b/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup, find_packages
 setup(
 name="certbot-dns-yeil",
- version="3.0.0",
+ version="3.0.1",
 description="yeil DNS Authenticator plugin for Certbot",
 url="https://git.eskimo.dev/Yeil/certbot-dns-yeil",
 author="yeil",
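Review bot: The new default in `add_parser_arguments` is still a fixed sleep, so the comment's claim that 60s "gives all replicas time to catch up" is an empirical observation rather than a bound; a replica lagging beyond 60s will fail validation the same way, and repeated failures count against the CA's failed-validation limits. I would leave the history ("20s was too tight") to the commit message and have the comment state the current rationale and the override, e.g. `# Empirical default for edge-replica convergence, not a guarantee; raise it with the propagation-seconds option if validation still sees a stale TXT.` If the plugin can confirm that every authoritative nameserver returns the new TXT before it hands back to certbot, that would be more robust than any constant; the hunk does not show the perform path, so this may already exist. The class header and the rest of `add_parser_arguments` lie outside the hunk.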