DNS 1 challenge stuck on pending

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: qa.wilm-ecom.com

I ran this command: I am using cert-manager to automatically add certificates to an Azure domain. I can see that the challenge has been raised against the ACME server and that a DNS TXT record with the correct value has been created within the zone, but the request just sits in a pending status. I have used the https://letsdebug.net/ tool to see if there is an issue with the domain itself and it checks out OK. Just one thing to note: when I initially set up the domain it had the wrong name servers associated, so I deleted the certificate request, fixed the NS on the domain and then re-ran the certificate request. It has now been sitting on pending for about 24 hours.

It produced this output: DNS 1 Pending

My web server is (include version): Azure AKS

The operating system my web server runs on is (include version): Azure AKS

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, Azure

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Client Version: util.Version{GitVersion:"v1.11.0", GitCommit:"2a0ef53b06e183356d922cd58af2510d8885bef5", GitTreeState:"", GoVersion:"go1.19.5", Compiler:"gc", Platform:"windows/amd64"}
Server Version: &versionchecker.Version{Detected:"v1.14.4", Sources:map[string]string{"crdLabelVersion":"v1.14.4"}}

I don't know that system configuration very well but have you reviewed the troubleshooting guide for cert manager?

2 Likes

Thanks for the response Mike. I certainly did check that article.

When I drill down all the way to the challenge, its status is as follows:

Status:
Presented: true
Processing: true
Reason: Waiting for DNS-01 challenge propagation: DNS record for "qa.wilm-ecom.com" not yet propagated
State: pending
Events:

However, as you can see from the LetsDebug result, the domain has propagated. So not sure what is going on, it is as if the challenge does not retry.

1 Like

Can you cancel the pending order and start over?

2 Likes

I'd guess that your cert-manager is unable to resolve your DNS records in azure, possibly because it's using an internal resolver instead of the public DNS (e.g. a public server like 8.8.8.8, or the IP of your actual nameserver), so it gets stuck waiting.

2 Likes
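One way to act on that suggestion, as an added example that is not from the thread or from the cert-manager project itself: override cert-manager's Helm values so the DNS-01 self-check queries public recursive resolvers instead of the pod's cluster resolver. The two flags are cert-manager's own controller flags; the 1.1.1.1 address is an assumed second resolver.

```yaml
# Added example: cert-manager Helm values.yaml override (not from the thread).
# The two flags are real cert-manager controller flags. The resolver
# addresses are assumptions: use the public or authoritative servers you
# trust for your zone.
#
# By default the DNS-01 self-check uses the resolver in the controller pod's
# /etc/resolv.conf (the cluster DNS). If that resolver cannot reach the
# public zone, or still has the old NS delegation cached from before the
# fix, the Challenge keeps reporting "not yet propagated" even though
# external tools such as letsdebug see the TXT record.
extraArgs:
  # Recursive servers used for the propagation self-check (host:port).
  - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
  # Query only the servers above for the self-check, never the pod's own
  # resolver (this also covers the lookup of the zone's authoritative NS).
  - --dns01-recursive-nameservers-only
```

Apply it with `helm upgrade cert-manager jetstack/cert-manager -n cert-manager --reuse-values -f values.yaml`, then delete the stuck Certificate so a fresh Order and Challenge are created against the new settings.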

I have removed the certificate a number of times in an attempt to kick start the process but it always ends up in the same situation.

I have since created a different child zone on the same domain, and it has gone through without an issue. So it seems that something somewhere is caching the request with regards to the above domain, even if it is removed entirely from my platform.

1 Like

That seems like a good shout. I will try and change the cert-manager resolvers and see if that changes anything.

1 Like