Acme dns-01 challenge stuck in pending state

I'm a noob so pardon any ignorance. I have an acme dns-01 challenge for a wildcard cert stuck in pending state. I tried a few times to delete and recreate my wildcard cert but same result - pending.

My setup:

  • Subdomain stack.mindpetal.com hosted in AWS Rt53.
  • TXT record is accessible fine with 'dig TXT _acme-challenge.stack.mindpetal.com'
  • Using cert-manager on EKS as client.

When I go directly to the https://acme-v02.api.letsencrypt.org/acme/authz/.../... URL in my browser I confirm the status is pending, and the token matches what I see when I look at the challenge with kubectl on EKS. At a loss here if I just need to keep waiting, or if something is wrong with my setup.

I used whatsmydns.net to check the TXT record and it returns fine except for some Canada location.

My domain is: stack.mindpetal.com

I ran this command: kubectl apply -f my-certs.yaml

It produced this output: State: pending

My web server is (include version): Istio

The operating system my web server runs on is (include version): Amazon Linux

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): EKS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): cert-manager v1.15.3


Hello @plasma_beam, welcome to the Let's Encrypt community. :slightly_smiling_face:

Was any more information given to you by cert-manager v1.15.3?
Is there a verbose option?
Are there any logs? (If so please share).

I don't know anything about cert-manager.

A few things you mentioned suggest to me that cert-manager is not "triggering" the challenge, so the challenge and authorizations are both stuck in pending. You can try looking through the logs to see if something is breaking, and check the docs to see if your config file is correct.

You should also try running all this against the staging server until it gets working.

If you're constantly trying to redo this order and seeing the same token, the LetsEncrypt server is probably recycling the same Order/Authorization/Challenge because the original challenge was never triggered. As soon as that triggers:

1- if it succeeds, no new challenges will be generated for your account as the valid authorization will be cached for an unspecified time (currently 30 days, may drop to hours later this year);

2- if it fails, there will be a new order, authorization and challenge (so consequently, a new token) on the next request.


I fixed this - my cert config was incorrect for my wildcard cert, I was including a definition for *.stack.mindpetal.com AND stack.mindpetal.com. I removed the latter and my challenges worked!


Note (just for info) that if you have a site that's actually at your subdomain e.g. https://stack.mindpetal.com you do need to include it as a separate identifier on the cert because the wildcard only covers subdomains of that.

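As an added example (not code from the thread or from cert-manager) of the coverage rule in the reply above, here is a small Python checker that reports which hostnames a certificate's identifiers cover; `san_matches` and `uncovered_hosts` are assumed helper names, and the sample hostnames are constructed from the thread's domain.

```python
# Added example: which hostnames does a wildcard identifier cover?
# Rule applied: '*' matches exactly one DNS label and only as the left-most
# label, so '*.stack.mindpetal.com' covers 'api.stack.mindpetal.com' but
# neither 'stack.mindpetal.com' (the base name) nor 'a.b.stack.mindpetal.com'.
from __future__ import annotations


def san_matches(san: str, host: str) -> bool:
    """True if certificate identifier `san` covers `host` (case-insensitive)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]  # e.g. '.stack.mindpetal.com'
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    # exactly one non-empty label may stand in for the '*'
    return bool(label) and "." not in label


def uncovered_hosts(sans: list[str], hosts: list[str]) -> list[str]:
    """Hosts that none of the certificate's identifiers covers; each one
    needs its own entry in the certificate's dnsNames."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    # Constructed sample: a wildcard-only cert and the hosts we want to serve.
    cert_sans = ["*.stack.mindpetal.com"]
    wanted = ["stack.mindpetal.com", "api.stack.mindpetal.com", "a.b.stack.mindpetal.com"]
    print(uncovered_hosts(cert_sans, wanted))
    # → ['stack.mindpetal.com', 'a.b.stack.mindpetal.com']
```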