"msg"="propagation check failed" "error"="failed to perform self check GET request

My domain is: example.com (Route 53 Private DNS record)

Error: E0713 17:41:06.686487 1 sync.go:186] cert-manager/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://example.com/.well-known/acme-challenge/': Get "http://example.com/.well-known/acme-challenge/": dial tcp: example.com on 10.100.0.10:53: no such host" "dnsName"="example.com" "resource_kind"="Challenge" "resource_name"="certmanager-app-qmtcz-2297577018-2676934156" "resource_namespace"="default" "resource_version"="v1" "type"="HTTP-01"

sync.go:386] cert-manager/challenges/acceptChallenge "msg"="error waiting for authorization" "error"="acme: authorization error for opensearch.example.com: 400 urn:ietf:params:acme:error:dns: DNS problem: NXDOMAIN looking up A for opensearch.example.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for opensearch.example.com - check that a DNS record exists for this domain" "dnsName"="opensearch.example.com" "resource_kind"="Challenge" "resource_name"="opensearch-general-tls-gjp92-2541976160-979087680" "resource_namespace"="opensearch" "resource_version"="v1" "type"="HTTP-01"
E0713 17:50:36.220706 1 controller.go:102] ingress 'opensearch/cm-acme-http-solver-nl5nk' in work queue no longer exists

In my AWS EKS cluster, I have integrated Nginx, cert-manager and Let's Encrypt staging. I have created the _acme-challenge.example.com record in my Route 53 private DNS zone with the respective token value, registered as 'TXT'.
I can resolve the domain (dig, nslookup) from within my system.
My AWS Route 53 private zone has an A record for opensearch.example.com.

I am facing the above error when my opensearch ingress is triggered and cert-manager tries to use Let's Encrypt to complete the ACME challenge and generate a certificate.

Certificate state: Invalid
Events:
Normal Issuing 33m cert-manager Issuing certificate as Secret does not exist
Normal Generated 33m cert-manager Stored new private key in temporary Secret resource "certmanager-app-lkgfg"
Normal Requested 33m cert-manager Created new CertificateRequest resource "certmanager-app-qmtcz"
Warning Failed 27m cert-manager The certificate request has failed to complete and will be retried: Failed to wait for order resource "certmanager-app-qmtcz-2297577018" to become ready: order is in "invalid" state:

Order:
Status: Invalid
Events:
Created Challenge resource "certmanager-app-qmtcz-2297577018-2676934156" for domain example.com

Challenge:
Status: Invalid

URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/7290122804/-U80Bg
Wildcard: false
Status:
Presented: false
Processing: false
Reason: Error accepting authorization: acme: authorization error for opensearch.example.com: 400 urn:ietf:params:acme:error:dns: DNS problem: NXDOMAIN looking up A for example.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for example.com - check that a DNS record exists for this domain
State: invalid
Events:
Type Reason Age From Message
Normal Started 37m cert-manager Challenge scheduled for processing
Normal Presented 37m cert-manager Presented challenge using HTTP-01 challenge mechanism
Warning Failed 32m cert-manager Accepting challenge authorization failed: acme: authorization error for example.com: 400 urn:ietf:params:acme:error:dns: DNS problem: NXDOMAIN looking up A for example.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for example.com - check that a DNS record exists for this domain

Attached the ClusterIssuer and Certificate YAML files here.
eks-Certificate.txt (253 Bytes)
ClusterIssuer.txt (346 Bytes)

Kindly guide me on this and let me know if you require more details.

Thanks in advance!

The public Let's Encrypt systems require your domain in the public DNS. The above error means you are doing an HTTP Challenge but don't have an A and/or AAAA record there.

This looks like an error from cert-manager. It tries to validate your cert request before making it but fails. The error shows a private IP address which will (should) fail for the same reason just described for Let's Encrypt.

It would help to know what you are trying to do in general before anyone gives advice on your options. For one, will you have your domain in the public DNS at all?

For now, I think you would benefit by reading:
Let's Encrypt - How it Works
and
Challenge Types

5 Likes
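The reply above separates two different failures that look alike in the logs: the "propagation check failed" line is cert-manager's own pre-flight lookup through the cluster resolver (the 10.100.0.10 address), while the "urn:ietf:params:acme:error:dns" line is Let's Encrypt reporting that the name does not exist in public DNS. The following Python script is an added triage helper, not code from cert-manager or from anyone in this thread. It parses klog-style key="value" lines (the two sample lines are constructed from the output quoted above, with the inner quotes escaped as klog prints them), pulls out the resolver address from the Go "no such host" text, and says which stage failed and why. It assumes cert-manager's field names msg, error, dnsName and type, and that Go's resolver error keeps the "on <ip>:<port>: no such host" wording.

```python
import ipaddress
import re

# Constructed sample lines, reduced to the relevant key="value" fields of the
# cert-manager output quoted earlier in the thread. Quotes inside the error
# value are escaped with a backslash, as klog prints them.
SAMPLE_LOGS = [
    r'"msg"="propagation check failed" "error"="failed to perform self check GET request '
    r"'http://example.com/.well-known/acme-challenge/': "
    r'Get \"http://example.com/.well-known/acme-challenge/\": dial tcp: example.com on 10.100.0.10:53: no such host" '
    r'"dnsName"="example.com" "type"="HTTP-01"',
    r'"msg"="error waiting for authorization" "error"="acme: authorization error for opensearch.example.com: '
    r'400 urn:ietf:params:acme:error:dns: DNS problem: NXDOMAIN looking up A for opensearch.example.com - '
    r'check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for opensearch.example.com - '
    r'check that a DNS record exists for this domain" "dnsName"="opensearch.example.com" "type"="HTTP-01"',
]

# "key"="value" pairs; a value may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'"(\w+)"="((?:[^"\\]|\\.)*)"')
# Resolver address from Go's net package error text (assumed wording).
RESOLVER_RE = re.compile(r" on (\d{1,3}(?:\.\d{1,3}){3}):(\d+): no such host")
ACME_URN_RE = re.compile(r"(urn:ietf:params:acme:error:[A-Za-z]+)")
NXDOMAIN_RE = re.compile(r"NXDOMAIN looking up (A|AAAA) for (\S+)")


def parse_fields(line):
    """Turn one klog key="value" line into a dict, unescaping \\" inside values."""
    return {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(line)}


def classify(line):
    """Decide whether the failure is cert-manager's self-check or the CA's authorization."""
    fields = parse_fields(line)
    err = fields.get("error", "")
    result = {
        "dnsName": fields.get("dnsName"),
        "type": fields.get("type"),
        "stage": None,
        "resolver": None,
        "resolver_private": None,
        "acme_error": None,
        "nxdomain": [],
        "verdict": "unrecognised error text",
    }
    if "failed to perform self check" in err:
        # cert-manager never reached the CA: its own lookup via the cluster resolver failed.
        result["stage"] = "cert-manager self-check"
        m = RESOLVER_RE.search(err)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            result["resolver"] = str(ip)
            result["resolver_private"] = ip.is_private
            scope = "private (in-cluster)" if ip.is_private else "public"
            result["verdict"] = (
                f"the {scope} resolver {ip} has no record for {result['dnsName']}; "
                "the challenge was not submitted to the CA"
            )
        return result
    m = ACME_URN_RE.search(err)
    if m:
        # The CA itself rejected the authorization; the URN says why.
        result["stage"] = "CA authorization"
        result["acme_error"] = m.group(1)
        result["nxdomain"] = NXDOMAIN_RE.findall(err)
        if m.group(1).endswith(":dns"):
            names = sorted({name for _, name in result["nxdomain"]})
            result["verdict"] = (
                f"Let's Encrypt got NXDOMAIN from public DNS for {', '.join(names)}; "
                "a record in a private zone is invisible to the CA"
            )
        else:
            result["verdict"] = f"CA returned {m.group(1)}"
    return result


def triage(lines):
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS):
        print(f"[{r['stage']}] {r['dnsName']} ({r['type']}): {r['verdict']}")
```

The practical use is to run this over `kubectl logs` of the cert-manager controller: a "cert-manager self-check" hit with a private resolver means the cluster's own DNS cannot see the name, and a "CA authorization" hit with the ":dns" URN means the name is missing from public DNS regardless of what the private zone contains.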

Thanks for your response @MikeMcQ

For one, will you have your domain in the public DNS at all? - No, we are trying to use private DNS with the Let's Encrypt cert signed by Global Root CA.
Objective: I am deploying a vendor application in my EKS cluster with the below integrations.

  1. Nginx Ingress Controller (Deploy NLB in AWS)
  2. external-dns (To handle AWS Route 53 Private record and to map them the NLB)
  3. Cert-manager
  4. Let's encrypt

The application supports only Global Root CA authorised certs. So, I am trying to use cert-manager and Let's Encrypt to manage the cert for my app.

I have my A record (in the AWS Route 53 private zone for example.com) for opensearch.example.com pointing to my NLB.

1 Like

Let's Encrypt does not issue certs signed by Global Root CA. Are you talking about a DigiCert product? They have a DigiCert Global Root CA (link here).

Also, as I noted, Let's Encrypt requires at least the domain name to exist in the public DNS. Let's Encrypt is a public Certificate Authority (CA).

You may need to talk with them about configuration.

5 Likes
