Another DNS-01 not yet propagated issue which I cannot work out this time

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: corp.p10y.ntnxdpro.com

I ran this command: nslookup artifactory.corp.p10y.ntnxdpro.com ns3.ntnxdpro.com (and public DNS resolvers)

It produced this output:
Name: artifactory.corp.p10y.ntnxdpro.com
Address: 10.33.205.114

Any ideas what I might have missed here please ?

That's internal IP so nothing outside of your LAN will able to see that page.
Have no idea what IP you expect it to see though.

Thanks yes I know it's an internal IP but it's propergated to DNS servers publically and internally the authorative ones for this domain but the certificate is not getting issued for this record (it is for others).

I0213 08:37:07.778387       1 wait.go:410] "Returning cached zone record" logger="cert-manager.controller" resource_name="ingress-cert-artifactory-on-prem-prod-1-2707600319-2340945251" resource_namespace="istio-system" resource_kind="Challenge" resource_version="v1" dnsName="artifactory.corp.p10y.ntnxdpro.com" type="DNS-01" zoneRecord="acme.ntnxdpro.com." fqdn="artifactory-corp-p10y.acme.ntnxdpro.com."
I0213 08:37:07.778753       1 wait.go:397] "Returning authoritative nameservers" logger="cert-manager.controller" resource_name="ingress-cert-artifactory-on-prem-prod-1-2707600319-2340945251" resource_namespace="istio-system" resource_kind="Challenge" resource_version="v1" dnsName="artifactory.corp.p10y.ntnxdpro.com" type="DNS-01" authoritativeNameservers=["ns3.ntnxdpro.com.","ns2.ntnxdpro.com.","ns1.ntnxdpro.com."]
I0213 08:37:07.852186       1 wait.go:145] "Looking up TXT records" logger="cert-manager.controller" resource_name="ingress-cert-artifactory-on-prem-prod-1-2707600319-2340945251" resource_namespace="istio-system" resource_kind="Challenge" resource_version="v1" dnsName="artifactory.corp.p10y.ntnxdpro.com" type="DNS-01" fqdn="artifactory-corp-p10y.acme.ntnxdpro.com."
E0213 08:37:07.852223       1 sync.go:208] "propagation check failed" err="DNS record for \"artifactory.corp.p10y.ntnxdpro.com\" not yet propagated" logger="cert-manager.controller" resource_name="ingress-cert-artifactory-on-prem-prod-1-2707600319-2340945251" resource_namespace="istio-system" 

resource_kind="Challenge" resource_version="v1" dnsName="artifactory.corp.p10y.ntnxdpro.com" type="DNS-01"
I0213 08:37:07.852406       1 controller.go:164] "finished processing work item" logger="cert-manager.controller"

Have you accounted for the fact that _acme-challenge.artifactory.corp.p10y.ntnxdpro.com is cnamed to artifactory-corp-p10y.acme.ntnxdpro.com?

cert-manager (which is not related to, or operated by Let's Encrypt) is doing it's own dns propagation tests. They may be wrong depnding on how it checks DNS.

You can configure some aspects of how that app checks dns: Best Practice - cert-manager Documentation

Ultimately, if cert-managers own checks are preventing you from proceeding with an order you need to disable it's built in dns propagation checks and use a standard delay instead (e.g. wait 60 seconds then proceed with order).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.