Cert-manager challenge hangs at "Waiting for dns-01 challenge propagation: DNS record

skg · August 17, 2020, 11:26pm

Hi All,

i am not sure if this is the right forum for this question. I am stuck, so trying to see if someone has any idea about this issue.

My domain is:
skgtestk8s.com its registered with google domains

I ran this command:
kubectl get challenge

Kubernetes yaml files

–Issuer
apiVersion: cert-manager.io/v1alpha3
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: sgk@gmail.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- dns01:
clouddns:
project: white-ci-273105
serviceAccountSecretRef:
name: clouddns-dns01-solver-svc-acct
key: key.json

–certificate
apiVersion: cert-manager.io/v1alpha3
kind: Certificate
metadata:
name: test
namespace: default
spec:
secretName: test-tls
issuerRef:
name: letsencrypt-staging
dnsNames:

www.skgtestk8s.com

It produced this output:

My web server is (include version):
i don't have web server

The operating system my web server runs on is (include version):
* Kubernetes version: v1.16.13-gke.1
* Cloud-provider/provisioner: GKE
* cert-manager version: v0.16.1
* Install method (e.g. helm or static manifests):
helm3 install cert-manager --namespace cert-manager --version v0.16.1 jetstack/cert-manager --set installCRDs=true --set 'extraArgs={--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53,ns-cloud-a1.googledomains.com:53}'

My hosting provider, if applicable, is:
Google 


I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Google Console

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot):
Kubernetes version: v1.16.13-gke.1


Issue:
Cert manager challenge hangs with following message.
"Waiting for dns-01 challenge propagation: DNS record for "skgtestk8s.com" not yet propagated"

kubectl get challenge

Status:
Presented: true
Processing: true
Reason: Waiting for dns-01 challenge propagation: DNS record for “skgtestk8s.com” not yet propagated
State: pending
Events:
Type Reason Age From Message

Normal Started 46m cert-manager Challenge scheduled for processing
Normal Presented 46m cert-manager Presented challenge using dns-01 challenge mechanism


CloudDNS shows challenge records

![image|690x57](upload://AcvvVhYiaArbp6I5rmztB8Ydka0.png)

_az · August 17, 2020, 11:31pm

Just so the screenshot isn’t hidden in a code block:

It doesn’t seem that the records are actually visible, though. Google Cloud nameservers are a giving me a NXDOMAIN response for those records.

Is it definitely the correct Google Cloud DNS account that owns the DNS zone, being updated? And definitely the right nameservers (ns-cloud-c{1,2,3,4}.googledomains.com)?

I know with some DNS providers it’s (confusingly) possible to add a single domain to many accounts, but only one actually really controls it after verifying it.

skg · August 17, 2020, 11:53pm

Sorry, I deleted the certificate which also deleted those records.

Please try now. I tried creating a certificate those records should be visible. i can see them in CloudDNS

_az · August 17, 2020, 11:56pm

This is definitely the wrong Google Cloud account, or the wrong DNS zone.

Look at the nameserver list: it’s ns-cloud-a{1,2,3,4}.googledomains.com.

However, at your domain registrar, you have these NS configured:

skgtestk8s.com.         172800  IN      NS      ns-cloud-c1.googledomains.com.
skgtestk8s.com.         172800  IN      NS      ns-cloud-c2.googledomains.com.
skgtestk8s.com.         172800  IN      NS      ns-cloud-c3.googledomains.com.
skgtestk8s.com.         172800  IN      NS      ns-cloud-c4.googledomains.com.

Note the difference - a vs c.

If you want to use this Google Cloud DNS Zone, you’ll have to update your domain registrar to use the a nameservers.

skg · August 17, 2020, 11:56pm

sorry, i had to bump the TTL. Here is the latest ones created

skg · August 18, 2020, 1:16am

Thanks!!, a lot. i will try changing and let you know results

freessltools.com · August 18, 2020, 1:50am

@skg

Glad to see you got your domain registered today

skg · August 18, 2020, 2:51am

Thanks a lot!!! that was THE problem. i really appreciate your help!

I am new, learning setting up a domain and a dns zone. It’s so confusing to really distinguish roles of domain and dnz done servers

system · September 17, 2020, 2:52am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ACME challenge error with google CloudDNS Help	7	2992	September 15, 2020
DNS01 is in Pending Help	2	464	June 4, 2022
Kubernetes Cert Manager: Order stuck at pending Help	6	1004	November 24, 2023
Cert-manager challenge stuck "Waiting for DNS-01 challenge propagation: read tcp i/o timeout" Help	6	1270	February 12, 2024
Issue with certificate using cert-manager Kubernetes Help	3	1994	April 29, 2020

Cert-manager challenge hangs at "Waiting for dns-01 challenge propagation: DNS record

Kubernetes yaml files

kubectl get challenge

Related topics