It might need to be in this format:

```yaml
solvers:
- dns01:
    route53:
      ...
  selector:
    dnsZones:
    - 'abc.xyz'
```
Changing the format resulted in a new error:

```
cert-manager/challenges "msg"="propagation check failed" "error"="Could not determine authoritative nameservers for "_acme-challenge.xxx.abc.xyz."" "dnsName"="xxx.abc.xyz" "resource_kind"="Challenge" "resource_name"="sample" "resource_namespace"="default" "resource_version"="v1" "type"="DNS-01"
```
For this error to get resolved, do I need to set the NS in cert-manager as below?
Likely yes. Those docs indicate cert-manager is trying to do a DNS self-check before asking the ACME server to do the DNS validation. But if it's pointing to the internal nameservers, it won't find the public records. So those two settings will force it to use an external resolver.
I'm surprised there doesn't seem to be a way to disable the self-check entirely. There are plenty of environments where the machine running the ACME client simply isn't allowed to directly query external resolvers at all.
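As an added illustration that is not part of the thread, the following manifests put the solver format from the first post into a full ClusterIssuer and show the two cert-manager controller flags that point the DNS-01 self-check at public recursive resolvers instead of the in-cluster nameservers; the zone `abc.xyz` comes from the thread, while the region, credential names and resolver addresses are placeholders.

```yaml
# Added example, not from the thread or the cert-manager project.
# Solver scoped to one zone with a selector, so the Route 53 credentials are
# only ever used for challenges under abc.xyz.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@abc.xyz                 # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key # ACME account key, created by cert-manager
    solvers:
    - dns01:
        route53:
          region: us-east-1              # placeholder; region of the hosted zone
          accessKeyID: AKIAPLACEHOLDER   # placeholder; omit when using IAM roles
          secretAccessKeySecretRef:
            name: route53-credentials    # placeholder Secret in the cert-manager namespace
            key: secret-access-key
      selector:
        dnsZones:
        - 'abc.xyz'
---
# cert-manager controller Deployment, reduced to the args that matter here.
# --dns01-recursive-nameservers tells the pre-flight propagation check which
# resolvers to query; --dns01-recursive-nameservers-only stops it from also
# using the pod's /etc/resolv.conf, which in a split-DNS setup only knows the
# internal view of the zone and so never sees the public TXT record.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  template:
    spec:
      containers:
      - name: cert-manager-controller    # container name as used by the Helm chart
        args:
        - --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53
        - --dns01-recursive-nameservers-only
```

The self-check still runs with these flags; they only change which resolvers it consults, so the public zone must actually serve the `_acme-challenge` TXT record for the challenge to proceed.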
Actually, I tried with the above configuration also, and I am getting this error. I am using Route 53 as my public DNS zone, so I am sure my name servers are external:

```
acme: authorization error for <xxxx>: 400 urn:ietf:params:acme:error:dns: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xx.abc.xyz - check that a DNS record exists for this domain
```
More details:

```
Accepting challenge authorization failed: acme: authorization error for xxx.abc.xyz: 400 urn:ietf:params:acme:error:dns: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xxx.abc.xyz - check that a DNS record exists for this domain
```

The DNS record _acme-challenge.xxx.abc.xyz was there but got auto-deleted.
Hello everyone and Let's Encrypt community,

Thank you very much for the quick responses and for clarifying my doubts/questions.

Not sure what exactly the issue is, but after changing from the subdomain I was using for testing to the actual domain, it started working as expected, and I was able to achieve the split-DNS concept.

Just a last question: I am using dns01 with route53 as the solver; are certs auto-renewed after 60 days?
Only if a cron-type job has been set up to retry periodically.
Wouldn't cert-manager auto-renew my Let's Encrypt certs?
I wouldn't know - I've never used cert-manager. Perhaps that answer is in their documentation.