My setup is EKS with cert-manager and the GoDaddy addon to apply certificates to domains that are not in AWS.
The GoDaddy plugin uses the GoDaddy API; once the ingress has been created, the webhook creates a record and it is used to generate the certificate.
Actually I'm getting this error:
```json
{
  "type": "dns-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/404387333556/xxxxx",
  "status": "invalid",
  "validated": "2024-09-16T13:23:08Z",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.x.domain.com - check that a DNS record exists for this domain",
    "status": 400
  },
  "token": "r_-xxxxxxxxxxxx"
}
```
Here are the logs of the GoDaddy plugin creating the record.
Note:
When I created (using the same ClusterIssuer, with the same annotation) another ingress, for example y.domain.com, it worked. But for this one it stopped working.
What could be the problem?
I moved your topic to the Help section. It asks for specific info when posting in that section but in this case your problem is likely due to a GoDaddy change described here
Thank you, but it seems the issue is not with the GoDaddy API, because the record is created and deleted as expected, but during this time the validation fails, not sure why. I kept the certificate for the night, and a morning surprise: cert-manager was able to validate and created the certificate.
I added a new ingress with another domain; it worked in less than a minute.
But since this is going to be our production, it is better to keep this thread open and understand what happened here.
The validation failed because a Let's Encrypt Auth server did not see that TXT record. If you are sure it was present in the public DNS there are two likely causes.
One, the GoDaddy DNS servers need longer to sync amongst themselves. The LE Auth servers check from various points around the world and they must all see the TXT record. You should add a delay after adding the TXT but before requesting the cert. Many ACME Clients have options for that; I just don't know how with cert-manager off-hand.
Two, some DNS config problem. The LE Auth servers walk the DNS tree and every legit path must reply properly. Config problems like faulty delegation can cause intermittent query failures. Provide your actual domain name and we could check. A tool like https://dnsviz.net is often helpful for common misconfigurations.
No, you need to add a delay after adding the TXT record not before deleting it.
When you add the record GoDaddy has to sync all their DNS servers world-wide. Then Let's Encrypt (or anyone) will see the TXT record from anywhere. Often a DNS API returns immediately but that does not mean that sync is complete. Some DNS providers offer an API to check that status and others do not. In that case you must sleep and hope.
The flow is roughly that you add the TXT; your ACME Client tells Let's Encrypt to make the challenge; when the challenge completes your client deletes the TXT record. If the challenge was successful a cert is issued.
Sorry, I was not clear. But saying to add a delay before deleting it means the same to me as saying a delay after adding the TXT record.
At the same time I've opened an issue requesting support for adding a delay in the GoDaddy webhook.
Once I have the option, how much would you recommend? 5 minutes? 1 hour?
I will also mention that cert-manager checks for the TXT record before telling Let's Encrypt ACME Server that it is ready. However, it can only check from its own perspective and not every location world-wide that your DNS provider might have a DNS Server that needs to sync.
I believe it waits 60 seconds between these checks. Maybe there is a way to modify that sleep / recheck cycle. I am not a cert-manager expert (just have working knowledge). Or, have your GoDaddy plugin just add extra sleep after adding the TXT record.
UPDATE:
There are various complaints about this issue on the cert-manager GitHub. It affects various DNS providers that do not always sync their servers rapidly. One work-around is to set which name servers cert-manager should pre-check, but that does not always help. Many DNS providers use Anycast or similar and that still does not check world-wide sync. It does not look like cert-manager has any other way, so a sleep in the DNS ADD TXT record would be the best option. See for example: "ACME DNS Challenge and Propagation Delay (NXDOMAIN)", Issue #4246, cert-manager/cert-manager on GitHub.
Also, GoDaddy DNS support is best place to ask how long their servers are expected to take to sync world-wide.
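To make the advice in this thread concrete (the flow in the earlier reply and the pre-check limitation in the update), here is an added example of the "sleep until every nameserver serves the TXT record" step that a DNS webhook could run after the ADD call returns. It is not code from cert-manager or from the GoDaddy webhook. The resolver is an injected callable (in a real hook you would query each authoritative server with dnspython or `dig`); the `LaggingZone` class and the record value `tokenvalue` are constructed fakes that simulate servers syncing at different speeds, which is exactly the NXDOMAIN-then-success behaviour the original poster saw overnight.

```python
"""Wait for a DNS-01 TXT record to be visible on every authoritative
nameserver before telling the ACME server the challenge is ready.

Added example, not cert-manager or GoDaddy webhook code. The resolver is
injected so the propagation logic can run offline against a constructed
fake zone; plug in a real DNS query function for production use.
"""
import time
from typing import Callable, Dict, List, Optional

# A resolver answers (nameserver, fqdn) -> list of TXT strings,
# or None when that server returns NXDOMAIN (as in the ACME error above).
Resolver = Callable[[str, str], Optional[List[str]]]


def unsynced_servers(resolver: Resolver, nameservers: List[str],
                     fqdn: str, expected: str) -> List[str]:
    """Return the nameservers that do not yet serve the expected TXT value.

    Every server is asked, not just the first one that answers, because the
    Let's Encrypt validators may hit any of them from anywhere in the world.
    """
    missing = []
    for ns in nameservers:
        answers = resolver(ns, fqdn)
        if answers is None or expected not in answers:
            missing.append(ns)
    return missing


def wait_for_propagation(resolver: Resolver, nameservers: List[str],
                         fqdn: str, expected: str, timeout: float = 600,
                         interval: float = 15,
                         sleep: Callable[[float], None] = time.sleep,
                         clock: Callable[[], float] = time.monotonic) -> int:
    """Poll until every nameserver returns the TXT value.

    Returns the number of polls needed, or raises TimeoutError so the caller
    can fail loudly instead of letting the ACME challenge fail with NXDOMAIN.
    """
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        missing = unsynced_servers(resolver, nameservers, fqdn, expected)
        if not missing:
            return polls
        if clock() >= deadline:
            raise TimeoutError(
                f"{fqdn} TXT not visible on {missing} after {timeout}s")
        sleep(interval)


class LaggingZone:
    """Constructed fake: each nameserver starts serving the record only after
    it has been queried `lag` times, simulating slow world-wide sync."""

    def __init__(self, fqdn: str, value: str, lag_per_ns: Dict[str, int]):
        self.fqdn, self.value = fqdn, value
        self.lag = dict(lag_per_ns)
        self.seen = {ns: 0 for ns in lag_per_ns}

    def resolve(self, ns: str, fqdn: str) -> Optional[List[str]]:
        self.seen[ns] += 1
        if fqdn != self.fqdn or self.seen[ns] <= self.lag[ns]:
            return None  # NXDOMAIN: record not synced to this server yet
        return [self.value]


class FakeClock:
    """Constructed clock so the polling loop runs instantly in a demo/test."""

    def __init__(self) -> None:
        self.now = 0.0

    def monotonic(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def demo() -> int:
    """Three fake servers sync at different speeds; returns polls needed (5)."""
    zone = LaggingZone("_acme-challenge.x.example.com", "tokenvalue",
                       {"ns1": 0, "ns2": 2, "ns3": 4})
    clock = FakeClock()
    return wait_for_propagation(zone.resolve, list(zone.lag), zone.fqdn,
                                "tokenvalue", timeout=600, interval=15,
                                sleep=clock.sleep, clock=clock.monotonic)


def demo_timeout() -> bool:
    """One server never syncs within the budget; returns True on TimeoutError."""
    zone = LaggingZone("_acme-challenge.x.example.com", "tokenvalue",
                       {"ns1": 0, "ns2": 1000})
    clock = FakeClock()
    try:
        wait_for_propagation(zone.resolve, list(zone.lag), zone.fqdn,
                             "tokenvalue", timeout=60, interval=15,
                             sleep=clock.sleep, clock=clock.monotonic)
    except TimeoutError:
        return True
    return False


if __name__ == "__main__":
    print("polls until all servers synced:", demo())
    print("timeout raised for a stuck server:", demo_timeout())
```

In a real webhook the `nameservers` list would be the zone's authoritative NS set (from the NS lookup, not the cluster's recursive resolver) and the resolver would query each of them directly. That is the check cert-manager's own pre-check cannot do from inside the cluster; the related cert-manager controller flags `--dns01-recursive-nameservers` and `--dns01-recursive-nameservers-only` only change which resolvers that single in-cluster check talks to.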