DNS validation for Private Hosted Zone

I am stuck with this issue for past 10 days. Please help me here.

We have a domain which is public, example.com, but we created one private hosted zone like eks-poc-us-east-1.example.com which has forward zone creation and internal network access. This DNS we are using in private EKS and with Traefik ingress. We are trying to generate a wildcard certificate for private hosted zones with cert-manager, DNS-01 challenge and Let's Encrypt. I am able to create the TXT record but the challenge and order are pending with the error
propagation check failed" err="DNS record for "eks-poc-us-east-1.example.com" not yet propagated" logger="cert-manager.controller" resource_name="private-cert-1-3922390411-670523937" resource_namespace="cert-manager" resource_kind="Challenge" resource_version="v1" dnsName="eks-poc-us-east-1.example.com" type="DNS-01"

I am using cert-manager version 1.18.2 and the ACME v2 staging server.
Our organization is not providing DNS delegation for public hosted zones internally. So we are creating private hosted zones with a forward zone which has internal network access. We are trying to create a wildcard certificate for the private hosted zone.

We are looking for renewal process also.

Please share the document I can follow for this.

We also have another public hosted zone eks-us-east-1.example.com.

I'm not 100% confident in the AWS bits here, so let me rephrase and you can tell me if I've got this:

You've got an AWS EKS cluster that has some private (internal) DNS zone. But you want to issue wildcards, so you've also made an external DNS zone with the same names.

Cert-manager, running in the cluster, can't resolve the TXT records for its self-check, because you've got split internal/external DNS zones.

Cert-manager has an option to point it at another DNS server. You can use a public DNS server to have it resolve the external names:

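As an added example (not part of the reply above, and not cert-manager's own documentation), this is how the option mentioned above looks as Helm values for the official cert-manager chart; the resolver addresses are assumptions and any public recursive resolver reachable from the cluster would do:

```yaml
# Added example: Helm values for the cert-manager chart (assumes cert-manager is
# installed via its official Helm chart, which passes extraArgs to the controller).
extraArgs:
  # Send the DNS-01 self-check (propagation) queries to these recursive resolvers
  # instead of the cluster's /etc/resolv.conf, which points at the split/private zone.
  # 8.8.8.8 and 1.1.1.1 are assumed values; substitute resolvers your network allows.
  - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
  # Use only the resolvers above and never fall back to the in-cluster resolver,
  # so the self-check sees the same answer Let's Encrypt will see.
  - --dns01-recursive-nameservers-only
```

Before applying this, confirm the chosen resolver actually returns the record with `dig @8.8.8.8 _acme-challenge.eks-poc-us-east-1.example.com TXT`; if the TXT record exists only in the private zone, a public resolver will not see it and the propagation check will still fail.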

Thanks @mcpherrinm for reverting back.
So basically we have only private DNS Zone, we don't have any public DNS Zone.

Yeah, but as I mentioned above, we are trying to create a TLS/SSL certificate for the private hosted zone (http://eks-poc-us-east-1.example.com/), but we also do have a public hosted zone with a different name (http://eks-us-east-1.example.com/); I don't know if this public hosted zone can help. Plus, with this, example.com is the FQDN.

We are stuck at propagation check failure.

What are the suggestions to bypass it?

Really appreciate your response and time.