I'm a noob so pardon any ignorance. I have an acme dns-01 challenge for a wildcard cert stuck in pending state. I tried a few times to delete and recreate my wildcard cert but same result - pending.
TXT record is accessible fine with 'dig TXT _acme-challenge.stack.mindpetal.com'
Using cert-manager on EKS as client.
When I go directly to the https://acme-v02.api.letsencrypt.org/acme/authz/.../... URL in my browser I confirm the status is pending, and the token matches what I see when I look at the challenge with kubectl on EKS. At a loss here if I just need to keep waiting, or if something is wrong with my setup.
A few things you mentioned suggest to me that cert-manager is not "triggering" the challenge, so the challenge and authorization are both stuck in pending. You can try looking through the logs to see if something is breaking, and check the docs to see if your config file is correct.
You should also try running all this against the staging server until it works.
If you're constantly trying to redo this order and seeing the same token, the Let's Encrypt server is probably recycling the same Order/Authorization/Challenge because the original challenge was never triggered. As soon as that triggers:
1- if it succeeds, no new challenges will be generated for your account as the valid authorization will be cached for an unspecified time (currently 30 days, may drop to hours later this year);
2- if it fails, there will be a new order, authorization and challenge (so consequently, a new token) on the next request.
I fixed this - my cert config was incorrect for my wildcard cert, I was including a definition for *.stack.mindpetal.com AND stack.mindpetal.com. I removed the latter and my challenges worked!
Note (just for info) that if you have a site that's actually at your subdomain e.g. https://stack.mindpetal.com you do need to include it as a separate identifier on the cert because the wildcard only covers subdomains of that.
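One check worth running before deciding whether to "keep waiting": confirm that the value actually published at _acme-challenge.stack.mindpetal.com is the one the CA will look for, not just that the token matches. For DNS-01 (RFC 8555 section 8.4) the TXT value is base64url(SHA-256(token "." thumbprint-of-account-key)), with the thumbprint computed per RFC 7638. When a single order carries both *.stack.mindpetal.com and stack.mindpetal.com, the CA issues two separate challenges that both live under the same _acme-challenge name, so two TXT records must coexist there. The script below is an added example written for this thread, not code from the original posts or from cert-manager: it computes the expected TXT values from a constructed account key and constructed tokens, parses constructed dig output, and reports which challenge values are still missing. The JWK, tokens, and dig lines are all made up for illustration.

```python
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JWK require (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with lexicographically sorted keys and no whitespace.
    Extra members such as "use" or "alg" must be ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA looks for in the TXT record (RFC 8555 section 8.4):
    base64url(SHA-256(token + "." + thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


# Matches answer-section lines of `dig TXT <name>`, e.g.
#   _acme-challenge.stack.mindpetal.com. 60 IN TXT "abc..."
TXT_LINE = re.compile(r'^(?P<name>\S+)\s+\d+\s+IN\s+TXT\s+"(?P<value>[^"]*)"')


def published_txt_values(dig_output: str, name: str) -> set:
    """Collect every TXT value published for `name` from dig's answer section."""
    wanted = name.rstrip(".") + "."
    found = set()
    for line in dig_output.splitlines():
        m = TXT_LINE.match(line.strip())
        if m and m.group("name") == wanted:
            found.add(m.group("value"))
    return found


def missing_txt_values(expected: dict, dig_output: str, name: str) -> dict:
    """Return {identifier: expected_value} for each challenge whose TXT value is
    not yet visible in DNS. An empty dict means every challenge can be triggered."""
    present = published_txt_values(dig_output, name)
    return {ident: val for ident, val in expected.items() if val not in present}


# Constructed EC P-256 public JWK standing in for the ACME account key;
# not a real cert-manager account key.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "use": "sig",  # ignored by the thumbprint, as RFC 7638 requires
}

# Constructed challenge tokens, one per identifier in a wildcard + apex order.
SAMPLE_CHALLENGES = {
    "*.stack.mindpetal.com": "tokenWildcard0123456789abcdefghijklmnopq",
    "stack.mindpetal.com": "tokenApex0123456789abcdefghijklmnopqrstuv",
}
EXPECTED = {ident: dns01_txt_value(tok, SAMPLE_JWK)
            for ident, tok in SAMPLE_CHALLENGES.items()}

CHALLENGE_NAME = "_acme-challenge.stack.mindpetal.com"

# Constructed dig output: only the wildcard's value has been published,
# alongside a leftover record from some earlier order.
SAMPLE_DIG_OUTPUT = f"""
;; ANSWER SECTION:
{CHALLENGE_NAME}. 60 IN TXT "{EXPECTED['*.stack.mindpetal.com']}"
{CHALLENGE_NAME}. 60 IN TXT "stale-value-from-a-previous-order"
"""


def demo() -> dict:
    """Run the check against the constructed sample data."""
    return missing_txt_values(EXPECTED, SAMPLE_DIG_OUTPUT, CHALLENGE_NAME)


if __name__ == "__main__":
    for ident, value in demo().items():
        print(f"{ident}: expected TXT value {value} is not visible in DNS yet")
```

In practice you would take the token from the challenge object (kubectl describe challenge ... on EKS, or the authz URL in the browser), export the account key's public JWK, and feed real dig output to missing_txt_values; a non-empty result means the CA's validation will fail as soon as the challenge is triggered, regardless of how long you wait.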