Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: corp.p10y.ntnxdpro.com
I ran this command: nslookup artifactory.corp.p10y.ntnxdpro.com ns3.ntnxdpro.com (and public DNS resolvers)
It produced this output:
Name: artifactory.corp.p10y.ntnxdpro.com
Address: 10.33.205.114
Any ideas what I might have missed here, please?
That's an internal IP, so nothing outside of your LAN will be able to see that page.
I have no idea what IP you expect it to see, though.
1 Like
Thanks, yes, I know it's an internal IP, but it's propagated to the DNS servers publicly and internally (the authoritative ones for this domain), yet the certificate is not getting issued for this record (it is for others).
I0213 08:37:07.778387 1 wait.go:410] "Returning cached zone record" logger="cert-manager.controller" resource_name="ingress-cert-artifactory-on-prem-prod-1-2707600319-2340945251" resource_namespace="istio-system" resource_kind="Challenge" resource_version="v1" dnsName="artifactory.corp.p10y.ntnxdpro.com" type="DNS-01" zoneRecord="acme.ntnxdpro.com." fqdn="artifactory-corp-p10y.acme.ntnxdpro.com."
I0213 08:37:07.778753 1 wait.go:397] "Returning authoritative nameservers" logger="cert-manager.controller" resource_name="ingress-cert-artifactory-on-prem-prod-1-2707600319-2340945251" resource_namespace="istio-system" resource_kind="Challenge" resource_version="v1" dnsName="artifactory.corp.p10y.ntnxdpro.com" type="DNS-01" authoritativeNameservers=["ns3.ntnxdpro.com.","ns2.ntnxdpro.com.","ns1.ntnxdpro.com."]
I0213 08:37:07.852186 1 wait.go:145] "Looking up TXT records" logger="cert-manager.controller" resource_name="ingress-cert-artifactory-on-prem-prod-1-2707600319-2340945251" resource_namespace="istio-system" resource_kind="Challenge" resource_version="v1" dnsName="artifactory.corp.p10y.ntnxdpro.com" type="DNS-01" fqdn="artifactory-corp-p10y.acme.ntnxdpro.com."
E0213 08:37:07.852223 1 sync.go:208] "propagation check failed" err="DNS record for \"artifactory.corp.p10y.ntnxdpro.com\" not yet propagated" logger="cert-manager.controller" resource_name="ingress-cert-artifactory-on-prem-prod-1-2707600319-2340945251" resource_namespace="istio-system" resource_kind="Challenge" resource_version="v1" dnsName="artifactory.corp.p10y.ntnxdpro.com" type="DNS-01"
I0213 08:37:07.852406 1 controller.go:164] "finished processing work item" logger="cert-manager.controller"
Have you accounted for the fact that _acme-challenge.artifactory.corp.p10y.ntnxdpro.com is cnamed to artifactory-corp-p10y.acme.ntnxdpro.com?
3 Likes
cert-manager (which is not related to, or operated by, Let's Encrypt) is doing its own DNS propagation tests. They may be wrong depending on how it checks DNS.
You can configure some aspects of how that app checks dns: Best Practice - cert-manager Documentation
Ultimately, if cert-manager's own checks are preventing you from proceeding with an order, you need to disable its built-in DNS propagation checks and use a standard delay instead (e.g. wait 60 seconds, then proceed with the order).
6 Likes
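Two points in the replies above are easy to verify by modelling them: the propagation check has to follow the `_acme-challenge` CNAME and look for the TXT record at the name it lands on (`artifactory-corp-p10y.acme.ntnxdpro.com.` in the log), and the answer it gets depends on which resolver it asks. The script below is an added example, not code from the thread or from cert-manager; it uses constructed in-memory resolver views instead of live DNS so it runs offline, the names are copied from the log output, and the TXT token is a placeholder rather than a real ACME key authorization.

```python
"""Model of a DNS-01 propagation check that follows the _acme-challenge CNAME.

Added example, not code from the thread or from cert-manager. The zone data
below is constructed in memory so the script runs offline; the names copy the
ones in the thread's log output and the TXT value is a placeholder token.
"""

ACME_LABEL = "_acme-challenge"
MAX_CNAME_HOPS = 8  # assumption: a small bound is enough to catch loops


def fqdn(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    return name.strip().lower().rstrip(".") + "."


def lookup(view: dict, rtype: str, name: str) -> list:
    """Return the records of one type at a name in a resolver view (empty if none)."""
    return list(view.get((rtype, fqdn(name)), []))


def follow_cnames(view: dict, name: str) -> list:
    """Follow CNAMEs from `name`; return the chain ending at the canonical name.

    Raises ValueError on a loop or an over-long chain, which a real check
    should treat as a configuration error rather than 'not yet propagated'.
    """
    chain = [fqdn(name)]
    for _ in range(MAX_CNAME_HOPS):
        targets = lookup(view, "CNAME", chain[-1])
        if not targets:
            return chain
        nxt = fqdn(targets[0])
        if nxt in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    raise ValueError("CNAME chain longer than %d hops" % MAX_CNAME_HOPS)


def check_propagation(view: dict, dns_name: str, expected_token: str) -> dict:
    """Mimic a DNS-01 propagation check against one resolver view.

    The challenge name is _acme-challenge.<dns_name>; the TXT record must be
    visible at the END of the CNAME chain, not at the challenge name itself.
    """
    chain = follow_cnames(view, ACME_LABEL + "." + dns_name)
    checked = chain[-1]
    found = lookup(view, "TXT", checked)
    return {
        "dns_name": fqdn(dns_name),
        "checked_name": checked,
        "chain": chain,
        "propagated": expected_token in found,
        "txt_seen": found,
    }


# --- constructed resolver views (not real DNS data) ------------------------
TOKEN = "constructed-placeholder-token"  # not a real ACME key authorization

CHALLENGE = "_acme-challenge.artifactory.corp.p10y.ntnxdpro.com."
TARGET = "artifactory-corp-p10y.acme.ntnxdpro.com."

# What the zone's authoritative servers (ns1-3.ntnxdpro.com in the log) answer
# once the solver has written the TXT record into acme.ntnxdpro.com.
AUTHORITATIVE_VIEW = {
    ("A", "artifactory.corp.p10y.ntnxdpro.com."): ["10.33.205.114"],
    ("CNAME", CHALLENGE): [TARGET],
    ("TXT", TARGET): [TOKEN],
}

# A recursive resolver that cached the CNAME earlier but still holds a negative
# (no-data) answer for the TXT target from before the record existed. Asking
# it reports "not yet propagated" even though the record is live upstream.
STALE_RECURSIVE_VIEW = {
    ("A", "artifactory.corp.p10y.ntnxdpro.com."): ["10.33.205.114"],
    ("CNAME", CHALLENGE): [TARGET],
}

# A misconfiguration: the delegation CNAME points back at itself via the target.
LOOPING_VIEW = {
    ("CNAME", CHALLENGE): [TARGET],
    ("CNAME", TARGET): [CHALLENGE],
}


if __name__ == "__main__":
    for label, view in [("authoritative", AUTHORITATIVE_VIEW),
                        ("stale recursive", STALE_RECURSIVE_VIEW)]:
        r = check_propagation(view, "artifactory.corp.p10y.ntnxdpro.com", TOKEN)
        print(f"{label:16} checked {r['checked_name']} propagated={r['propagated']}")
```

The authoritative view passes and the stale recursive view fails for the same record, which is the "may be wrong depending on how it checks DNS" situation: the check is only as good as the resolver it asks. In cert-manager the resolvers used for this check are chosen with the controller flags `--dns01-recursive-nameservers` and `--dns01-recursive-nameservers-only` (real flags, not mentioned on this page); pointing them at the zone's authoritative servers, or at a resolver that does not cache negative answers for long, removes that source of false "not yet propagated" results. Querying `ns3.ntnxdpro.com` directly for the TXT record at `artifactory-corp-p10y.acme.ntnxdpro.com` is the manual equivalent of the authoritative view above.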