I ran this command: cmctl status certificate em-prod-tls-new -n trood-saas-tools
It produced this output:
Name: em-prod-tls-new
Namespace: trood-saas-tools
Created at: 2023-01-29T17:27:31-05:00
Conditions:
  Issuing: True, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
  Ready: False, Reason: DoesNotExist, Message: Issuing certificate as Secret does not exist
DNS Names:
- em.trood.com
Events:
Issuer:
  Name: letsencrypt-issuer-sz
  Kind: ClusterIssuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
  Events:
error when finding Secret "em-prod-tls-new": secrets "em-prod-tls-new" not found
Not Before:
Not After:
Renewal Time:
CertificateRequest:
  Name: em-prod-tls-new-pbrnq
  Namespace: trood-saas-tools
  Conditions:
    Approved: True, Reason: cert-manager.io, Message: Certificate request has been approved by cert-manager.io
    Ready: False, Reason: Pending, Message: Waiting on certificate issuance from order trood-saas-tools/em-prod-tls-new-pbrnq-4212886358: "pending"
  Events:
Order:
  Name: em-prod-tls-new-pbrnq-4212886358
  State: pending, Reason:
  Authorizations:
    URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/199210635327, Identifier: em.trood.com, Initial State: pending, Wildcard: false
  Challenges:
curl https://acme-v02.api.letsencrypt.org/acme/authz-v3/199210635327
{
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.em.trood.com - check that a DNS record exists for this domain",
    "status": 400
  }
}
Yandex can take 1 hour or longer to propagate among their own authoritative DNS servers. I don't know how you make cert-manager wait longer.
Also, there may be some DNS config issue. See DNSViz report (link here)
Thank you very much!
Duplicated _acme-challenge to yandex.net, and put CNAME and NS records pointing to DigitalOcean. Looks like that's not the lean solution; just wanted to double-check.
But it looks like it's still wrong.
Yes.
I believe that looks like the right configuration?
If I don't explicitly specify 'ns1.digitalocean.com', it says:
Non-authoritative answer:
_acme-challenge.em.trood.com text = "FRWf7QDlrNR7n-1fQheUT4uokLqWpX-3KdBEjvL9hXM"
_acme-challenge.em.trood.com text = "uobe2Wz4lRR29ERxrk_9R2QHpF8QaJUg0VNiQbb01pk"
I believe with the DNS-01 challenge the token changes each time; let's see if a more knowledgeable Let's Encrypt community volunteer can confirm or deny my belief.
From here: DNS-01 challenge
"After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN> ."
Thank you,
It's OK to have multiple TXT records for the same challenge, as they say; however, I don't understand why Let's Encrypt keeps failing the check, so my assumption is they might look for an "authoritative answer", which hardly seems so, though.
They always will.
When using DNS-01 authentication, one should check that all authoritative DNS servers are showing the expected TXT entry(ies) before proceeding.
But do you really require the use of DNS-01 authentication?
[it is usually the more complicated choice]
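As an added example (not code from this thread, from cert-manager or from Let's Encrypt), the following Go program does both things the replies above describe: it derives the TXT value an ACME client publishes for a DNS-01 challenge from the order's token and the account key's JWK thumbprint (RFC 8555 sections 8.1 and 8.4, RFC 7638), and it then asks each of the zone's authoritative name servers directly, bypassing the local recursive resolver, whether that value is already served at _acme-challenge.<domain>. Go is used because cert-manager itself is written in Go. The token and the RSA modulus are constructed placeholders, not real account material; the zone trood.com and the name _acme-challenge.em.trood.com are taken from the thread. The NS set is fetched through the system resolver, and a server answering NXDOMAIN (the error Let's Encrypt reported above) is listed separately from one serving a stale or wrong value, since the fixes differ.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// sha256b64 is base64url(SHA-256(s)) without padding, the encoding ACME uses everywhere.
func sha256b64(s string) string {
	sum := sha256.Sum256([]byte(s))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// rsaThumbprintInput is the canonical JWK JSON that RFC 7638 hashes: required
// members only, sorted by name, no whitespace; e and n are the base64url
// strings already present in the account's public JWK.
func rsaThumbprintInput(e, n string) string {
	return fmt.Sprintf(`{"e":%q,"kty":"RSA","n":%q}`, e, n)
}

func jwkThumbprint(canonical string) string { return sha256b64(canonical) }

// dns01TXTValue is the record data for _acme-challenge.<name> (RFC 8555
// sections 8.1 and 8.4): base64url(SHA-256(token "." thumbprint)). Every
// order gets a fresh token, so every order needs a fresh TXT value.
func dns01TXTValue(token, thumbprint string) string {
	return sha256b64(token + "." + thumbprint)
}

// txtHasValue reports whether any returned TXT record equals want exactly.
// Leftover records from earlier orders are harmless; a truncated one is not.
func txtHasValue(records []string, want string) bool {
	for _, r := range records {
		if r == want {
			return true
		}
	}
	return false
}

// resolverFor sends queries straight to one name server, so the local
// recursive resolver and its cache cannot mask a server lacking the record.
func resolverFor(server string) *net.Resolver {
	return &net.Resolver{PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(server, "53"))
		}}
}

// checkAuthoritative fetches the zone's NS set, asks each server for the TXT
// record directly and returns the servers that do not serve want. NXDOMAIN
// (record never reached that server) is reported apart from a wrong value.
func checkAuthoritative(ctx context.Context, zone, name, want string) ([]string, error) {
	nss, err := net.DefaultResolver.LookupNS(ctx, zone)
	if err != nil {
		return nil, fmt.Errorf("NS lookup for %s: %w", zone, err)
	}
	var missing []string
	for _, ns := range nss {
		host := strings.TrimSuffix(ns.Host, ".")
		records, err := resolverFor(host).LookupTXT(ctx, name)
		var dnsErr *net.DNSError
		switch {
		case errors.As(err, &dnsErr) && dnsErr.IsNotFound:
			fmt.Printf("NXDOMAIN %s\n", host)
		case err != nil:
			fmt.Printf("ERROR    %s: %v\n", host, err)
		case txtHasValue(records, want):
			fmt.Printf("ok       %s\n", host)
			continue
		default:
			fmt.Printf("WRONG    %s serves %q\n", host, records)
		}
		missing = append(missing, host)
	}
	return missing, nil
}

func main() {
	// Constructed inputs: a made-up token and a made-up (far too short) RSA
	// modulus, purely to exercise the derivation; zone and name are from the thread.
	thumb := jwkThumbprint(rsaThumbprintInput("AQAB", "placeholder-modulus"))
	want := dns01TXTValue("placeholder-token-from-the-order", thumb)
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	missing, err := checkAuthoritative(ctx, "trood.com", "_acme-challenge.em.trood.com", want)
	switch {
	case err != nil:
		fmt.Println("error:", err)
	case len(missing) > 0:
		fmt.Printf("not ready: %d authoritative server(s) lack the record\n", len(missing))
	default:
		fmt.Println("every authoritative server serves the record; safe to let the order proceed")
	}
}
```

With a real token and account key, the check is only meaningful once every server prints "ok": the CA may query any of them, and as the thread shows, a recursive resolver returning the record proves nothing about the authoritative servers Let's Encrypt will actually ask.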
Thank you,
Yes, we need wildcards, so it looks like DNS-01 fits us best. It even worked before the Kubernetes upgrade on DO; now it looks like we have to set it up from scratch.
I have only the NS pointing to digitalocean.com and don't understand how to make it more authoritative.
Honestly hardly with that - I'm just resetting cert-manager from scratch.
Does that mean that I have to sign up to Cloudflare, and create a CNAME or NS record pointing there at my domain registrar?