Error with letsencrypt via njalla DNS provider

I’m trying to get letsencrypt certificates via njalla, my DNS provider, but for some reason I’m getting the error about a record not existing when I run nixos-switch, and I can’t tell if it’s a problem with my configuration or a problem with the Njalla API. I’ve tried giving it full API access, restricting it to certain methods, etc., but it never succeeds. I’ve configured the tokens right and it’s always had the ability to create new DNS records, so I’m a bit confused about why it’s not working. I’m unsure what I’m doing wrong; my configuration is the standard security.acme.certs.<domain> configuration, where you specify dnsProvider as njalla, the credentialsFile to a file owned and readable only by root, and my email. Has anyone else encountered this problem? (I’m rate-limited atm so will need to retry later.)

Also, for reference, the specific error is [turn.the-gdn.net] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.turn.the-gdn.net - check that a DNS record exists for this domain. Frankly, this error makes absolutely no sense; the token I’m using has appropriate API access and should be able to create the DNS records it needs. It’s doing DNS propagation checking, even though I’ve explicitly disabled it. I’m using a separate matrix.nix file since it uses a function and I’m unsure how to merge all of that into my main configuration.nix file. I’ve even tried setting security.acme.defaults.dnsPropagationCheck to false and it still does it. Does anyone have any idea as to what’s going on?

Sorry for the triple post, but I’ve confirmed that it’s an external problem, though I’m unsure what it could be. I’ve just set my nameservers to Linode and switched dnsProvider to linode, set LINODE_TOKEN to my token, made sure I gave it R/W writes to domains, and it still occurs. :confused:

I haven’t really looked into this, but it looks like Njalla has Terraform stuff that could maybe help for this.
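An added example, not from any poster in this thread: the error quoted above asks to "check that a DNS record exists", and this sketch does that by asking each nameserver of the zone directly, without recursion, for the `_acme-challenge` TXT record. The function names are hypothetical, the zone apex passed as the second argument is an assumption, and `dig` must be installed.

```shell
#!/usr/bin/env bash
# Added example: per-nameserver check of the DNS-01 challenge record.

# DNS-01 challenge record name for a certificate domain (trailing dot dropped).
challenge_name() {
  printf '_acme-challenge.%s\n' "${1%.}"
}

# Extract the response code from dig's ";; ->>HEADER<<-" line on stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Classify one dig response on stdin: present | empty | nxdomain | error:<rcode>
classify_response() {
  local out status
  out=$(cat)
  status=$(printf '%s\n' "$out" | dig_status)
  case "$status" in
    NXDOMAIN) echo nxdomain ;;
    NOERROR)
      # A TXT answer is a non-comment line containing "IN TXT <data>".
      if printf '%s\n' "$out" | grep -v '^;' |
           grep -Eq '[[:space:]]IN[[:space:]]+TXT[[:space:]]'; then
        echo present
      else
        echo empty
      fi ;;
    *) echo "error:${status:-unknown}" ;;
  esac
}

# Ask every nameserver the resolver reports for the zone, one at a time.
# Prints "<nameserver><TAB><result>" per server.
check_challenge() {
  local domain=$1 zone=$2 name ns
  name=$(challenge_name "$domain")
  for ns in $(dig +short NS "$zone"); do
    printf '%s\t%s\n' "$ns" \
      "$(dig +norecurse +noall +comments +answer "@$ns" "$name" TXT |
           classify_response)"
  done
}

# Offline demo on a constructed dig header (not real output): prints "nxdomain".
printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242' |
  classify_response
```

Run `check_challenge <certificate domain> <zone apex>` while the ACME client is waiting on the challenge. If the nameservers listed are not the provider the client is configured for, or they disagree with each other, the record is being written somewhere the validator does not look.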