Let's encrypt and Azure Private DNS zones

It might need to be in this format:

    solvers:
    - dns01:
        route53:
           ...
      selector:
        dnsZones:
        - 'abc.xyz'

Changing the format resulted in a new error:

    cert-manager/challenges "msg"="propagation check failed" "error"="Could not determine authoritative nameservers for "_acme-challenge.xxx.abc.xyz."" "dnsName"="xxx.abc.xyz" "resource_kind"="Challenge" "resource_name"="sample" "resource_namespace"="default" "resource_version"="v1" "type"="DNS-01"

For this error to get resolved, do I need to set the NS in cert-manager as below?

Likely yes. Those docs indicate cert-manager is trying to do a DNS self-check before asking the ACME server to do the DNS validation. But if it's pointing to the internal nameservers, it won't find the public records. So those two settings will force it to use an external resolver.

I'm surprised there doesn't seem to be a way to disable the self-check entirely. There are plenty of environments where the machine running the ACME client simply isn't allowed to directly query external resolvers at all.

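The self-check described above, as an added example that is not part of the thread and not cert-manager's own code: a small Python simulation of the DNS-01 propagation check, run over constructed resolver "views" instead of live DNS. The only names taken from the thread are `abc.xyz` and `_acme-challenge.xxx.abc.xyz`; the nameserver hostnames, IP addresses and TXT token are assumed sample values. It shows both failures seen in the thread: an internal (private-zone) resolver that exposes no NS records, so the authoritative servers cannot be determined, and a public view from which the TXT record has already disappeared.

```python
# Added example (not from the thread or from cert-manager): simulates the DNS-01
# "propagation check" an ACME client performs before asking the CA to validate.
from dataclasses import dataclass, field

CHALLENGE_FQDN = "_acme-challenge.xxx.abc.xyz"          # name used in the thread
TOKEN = "constructed-key-authorization-digest"           # constructed sample value


class PropagationError(Exception):
    """Raised when the pre-validation self-check cannot succeed."""


@dataclass
class DnsView:
    """What one resolver answers. Constructed sample data, not live DNS."""
    name: str
    records: dict = field(default_factory=dict)  # (owner, rrtype) -> [values]

    def query(self, owner, rrtype):
        return self.records.get((owner.rstrip(".").lower(), rrtype), [])


def find_authoritative_ns(view, fqdn):
    """Walk up the labels of fqdn until a zone apex with NS records is found.
    cert-manager does the same kind of walk to decide which servers to ask;
    a private zone that exposes no NS records makes this step fail."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        apex = ".".join(labels[i:])
        ns = view.query(apex, "NS")
        if ns:
            return apex, ns
    raise PropagationError(
        f'Could not determine authoritative nameservers for "{fqdn}."')


def propagation_check(view, fqdn, expected_txt):
    """Return (zone apex, nameservers) once the challenge TXT is visible.
    A real check queries each nameserver directly; here the view stands in
    for what those servers answer."""
    apex, ns = find_authoritative_ns(view, fqdn)
    if expected_txt not in view.query(fqdn, "TXT"):
        raise PropagationError(
            f"NXDOMAIN looking up TXT for {fqdn} via {apex} ({', '.join(ns)})")
    return apex, ns


def check_status(view, fqdn=CHALLENGE_FQDN, expected_txt=TOKEN):
    """Run the check and report 'ok' or the error text for easy comparison."""
    try:
        propagation_check(view, fqdn, expected_txt)
    except PropagationError as err:
        return str(err)
    return "ok"


# Split-horizon picture: the cluster's default resolver serves abc.xyz from a
# private zone, so it knows the internal A record but has neither NS records
# nor the TXT that the solver just wrote into the public zone.
INTERNAL_VIEW = DnsView("internal", {
    ("xxx.abc.xyz", "A"): ["10.0.1.5"],                  # constructed
})

# A public recursive resolver sees the delegation and the fresh TXT record.
PUBLIC_VIEW = DnsView("public", {
    ("abc.xyz", "NS"): ["ns1.public-dns.example", "ns2.public-dns.example"],
    ("xxx.abc.xyz", "A"): ["203.0.113.10"],              # constructed
    (CHALLENGE_FQDN, "TXT"): [TOKEN],
})

# Same public view after the TXT was removed (the thread's "auto deleted" case).
PUBLIC_VIEW_AFTER_CLEANUP = DnsView("public-after-cleanup", {
    ("abc.xyz", "NS"): ["ns1.public-dns.example", "ns2.public-dns.example"],
    ("xxx.abc.xyz", "A"): ["203.0.113.10"],
})

if __name__ == "__main__":
    for view in (INTERNAL_VIEW, PUBLIC_VIEW, PUBLIC_VIEW_AFTER_CLEANUP):
        print(f"{view.name}: {check_status(view)}")
```

The internal view reproduces the "Could not determine authoritative nameservers" message from the earlier post, the public view passes, and the cleaned-up view reproduces the NXDOMAIN-style failure. The practical fix is the one the reply describes: point the solver's self-check at a public recursive resolver rather than the cluster's split-horizon one (in cert-manager that is the `--dns01-recursive-nameservers` and `--dns01-recursive-nameservers-only` controller flags, which the thread refers to without naming), and confirm the same way by hand with `dig TXT _acme-challenge.<host> @<public resolver>` before retrying the order.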

Actually, I tried with the above configuration also and I am getting this error. I am using Route 53 as my public DNS zone, so I am sure my name servers are external.

    acme: authorization error for <xxxx>: 400 urn:ietf:params:acme:error:dns: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xx.abc.xyz - check that a DNS record exists for this domain

More details:

    Accepting challenge authorization failed: acme: authorization error for xxx.abc.xyz: 400 urn:ietf:params:acme:error:dns: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xxx.abc.xyz - check that a DNS record exists for this domain

The DNS record _acme-challenge.xxx.abc.xyz was there but got auto-deleted.

Hello everyone and Let's Encrypt community,
Thank you very much for the quick responses and for clarifying my doubts/questions.

Not sure what exactly the issue was, but after changing to the actual domain from the subdomain I was using for testing, it started working as expected; I was able to achieve the split-DNS concept.

Just a last question: I am using dns01 with route53 as the solver; are certs auto-renewed after 60 days?

Only if a cron type job has been setup to retry periodically.


Wouldn't cert-manager auto-renew my Let's Encrypt certs?

I wouldn't know - I've never used cert-manager.
Perhaps that answer is in their documentation.

