I couldn’t say. I don’t use Hetzner.
Worth saying though, what Caddy is doing is trying to check if the DNS change it had the DNS plugin made actually took effect, by querying the DNS, before actually asking the ACME issuer to continue. This is an optional step that Caddy does, but it can be turned off. Unfortunately though, it’s a bit goofy to configure for it to work for both the default issuers (Let’s Encrypt and ZeroSSL) since we didn’t set up a shortcut for it at the top level of tls config:
tls {
issuer acme {
dns hetzner <myAPIKey>
propagation_timeout -1
}
issuer zerossl {
dns hetzner <myAPIKey>
propagation_timeout -1
}
}
Alternatively you could configure a different DNS resolver for Caddy to use during DNS issuance operations, like this:
tls {
dns hetzner <myAPIKey>
resolvers 1.1.1.1
}