Let's Encrypt - Propagation Seconds (GUI) not applied for Active24 DNS challenge

[elvisek2020]

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes (found Let's Encrypt Certificate fails if Propagation Seconds is set for Route53 DNS Challenge #4702 and Let's Encrypt: DNS Challenge for Cloudflare not working (conflicting dependencies) #1862 for other DNS providers)

---

Describe the bug

When using the initial wizard to request a Let's Encrypt certificate via DNS Challenge (specifically with Active24), the value entered in the Propagation Seconds field is ignored. Certbot starts DNS validation almost immediately, regardless of what value is entered.

From UI, it appears that the value is acknowledged (e.g. "Waiting up to 600 seconds"), but the challenge is still sent within ~2 seconds. This leads to No TXT record found errors due to insufficient DNS propagation time.

---

Nginx Proxy Manager Version
jc21/nginx-proxy-manager:latest (tested with version 2.12.6)

---

To Reproduce

1. Open the SSL Certificate wizard (before saving any entries to DB).
2. Select Active24 as DNS provider.
3. Set a value in Propagation Seconds (e.g. 600).
4. Complete required fields and start certificate request.
5. Observe logs and certbot behavior: DNS validation starts too early and fails.

---

Expected behavior

Certbot should be instructed to wait the specified number of seconds before attempting DNS validation. For Active24, this means passing: –dns-active24-propagation-seconds 600
to the underlying certbot call.

---

Screenshots

N/A – but can provide if needed.

---

Operating System

Docker on Debian 12 (but container logic is NPM-specific)

---

Thank you for your awesome work! Happy to assist with debugging or testing fixes.

[elvisek2020]

This screenshot shows that I’ve set Propagation Seconds to 900 seconds in the NPM GUI.
However, in the logs, it’s clear that Certbot initiates DNS validation immediately after creating the TXT record, without waiting.

This proves that the propagation_seconds value entered in the wizard is not applied.

This logs confirms that the propagation_seconds value entered in the wizard is not applied at all.

2025-08-13 14:51:14,373:DEBUG:certbot._internal.display.obj:Notifying user: Waiting at most 900 seconds for DNS changes to propagate
2025-08-13 14:51:15,016:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/.../G2qfDg
2025-08-13 14:51:16,339:DEBUG:acme.client:Received response:
{
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "No TXT record found at _acme-challenge.test.example.com"
  }
}```