My server hasn't been able to renew certificates for any subdomains for my primary one. All fail with the following error for over a week. I thought that by this time any rate limiting on LetsEncrypt side would have resolved so wondering if something else might be wrong.
Failed to new certs of sub.domain.com: Failed to register user. Expecting 201, got 429 undefined. Renewal will be retried in 12 hours
There was recently an announcement about a change in Let's Encrypt - https://community.letsencrypt.org/t/acme-v1-v2-validating-challenges-from-multiple-network-vantage-points/112253 .
429 error does mean too many certs/rate limit. Are you using wild card certs or normal domain certs? If you use Cloudron DNS integration you will be using wildcard certs and you shouldn't be hitting this limit.
The error seen from the logs is
CAA record for *.domain.com prevents issuance. A CAA record is a special DNS record which authorizes CAs to issue certs for the domain.
In your case, your top level
domain.comhas a CNAME record to
xx.github.iowhich it turns has CAA records. Try this:
$ host -t CAA domain.com domain.com is an alias for domain.github.io. domain.github.io has CAA record 0 issue "letsencrypt.org" domain.github.io has CAA record 0 issue "digicert.com" domain.github.io has CAA record 0 issuewild "digicert.com"
So, issuing wildcard certs for letsencrypt is disabled. This is why it doesn't renew (maybe you didn't have this CNAME record when you setup cloudron).
Finally, having a CNAME at the top level domain is not a good practice. It essentially aliases the full domain to something else. Which means that subdomain like
foo.domain.commay not resolve properly. Please see - https://www.freecodecamp.org/news/why-cant-a-domain-s-root-be-a-cname-8cbab38e5f5c/. Maybe you can alias/CNAME
www.domain.cominstead to github.