DNS validation for Private Hosted Zone

sireesha · August 6, 2025, 7:44pm

I am stuck with this issue for past 10 days. Please help me here.

we have a domain which is public example.com, but we created one private hostedzone like eks-poc-us-east-1.example.com which has forwardzone creation and internal network access. This DNS we are using in private EKS and with traefik ingress. We are trying to generate wildcard certficate for privatehosted zones with certmanager, dns-01 challenge and let's encrypt. I am able to create the TXT record but challenge and order are pending with error
propagation check failed" err="DNS record for "eks-poc-us-east-1.example.com" not yet propagated" logger="cert-manager.controller" resource_name="private-cert-1-3922390411-670523937" resource_namespace="cert-manager" resource_kind="Challenge" resource_version="v1" dnsName="eks-poc-us-east-1.example.com" type="DNS-01"

I am using cert-manager version 1.18.2 ans ACME2 staging server.
Our organization is not providing DNS delegation for public hosted zones internally. So we are creating private hosted zones with forward zone which has internal network access. We are trying to create wild card certifcate for private hostedzone.

We are looking for renewal process also.

Please share the document i can follow for this?

sireesha · August 6, 2025, 8:14pm

We also have another public hosted zone eks-us-east-1.example.com.

mcpherrinm · August 6, 2025, 11:49pm

I'm not 100% confident in the AWS bits here, so let me rephrase and you can tell me if I've got this:

You've got an AWS EKS cluster that has some private (internal) DNS zone. But you want to issue wildcards, so you've also made an external DNS zone with the same names.

Cert-manager, running in the cluster, can't resolve the TXT records for its self-check, because you've got split internal/external DNS zones.

Cert-manager has an option to point it at another DNS server. You can use a public DNS server to have it resolve the external names:

sireesha · August 7, 2025, 1:28pm

Thanks @mcpherrinm for reverting back.
So basically we have only private DNS Zone, we don't have any public DNS Zone.

Yeah but as i mentioned above we are trying to create TLS/SSL certificate for Private hosted zone(http://eks-poc-us-east-1.example.com/) but also we do have public hosted zone with different name(http://eks-us-east-1.example.com/), don't know if this public hosted zone can help. Plus with this example.com is FQDN.

We are stuck at propagation check failure.

What are suggestions to bypass it.

Really appreciate your response and time.

Topic		Replies	Views
Let's encrypt and Azure Private DNS zones Help	28	6144	December 16, 2022
I cannot create a wild card certificate for self-hosted bare metal server Help	11	1028	June 1, 2020
"msg"="propagation check failed" "error"="failed to perform self check GET request Help	4	2452	August 12, 2023
Waiting for DNS-01 challenge propagation hangs pending state Help	3	4432	April 2, 2021
Cert-manager + dns01 + renewal + BIND w/ wildcard, causes dns-downtime Help	7	1505	December 24, 2020

DNS validation for Private Hosted Zone

Related topics