Registered domains are not propagated

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cert.prd.yoda.yogiyo.co.kr

I ran this command:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
    namespace: yoda-prd
    name: yoda-prd-issuer
    labels:
        service: yoda
spec:
    acme:
        email: choonho.shin@deliveryhero.co.kr
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
            name: yoda-prd-issuer-secret-staging
        solvers:
            - selector: {}
              dns01:
                  cloudDNS:
                      project: dhk-d-resto
                      serviceAccountSecretRef:
                        name: clouddns-dns01-solver-svc-acct
                        key: key.json
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
    namespace: yoda-prd
    name: yoda-ingress-prd
    labels:
        service: yoda
        env: prd
    annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
        kubernetes.io/ingress.class: "nginx"
        cert-manager.io/issuer: "yoda-prd-issuer"
spec:
    tls:
        - hosts:
              - "*.yoda.yogiyo.co.kr"
          secretName: yoda-prd-issuer-secret-staging
    rules:
        - host: cert.prd.yoda.yogiyo.co.kr
          http:
              paths:
                  - path: /
                    backend:
                        serviceName: yoda-frontend-svc
                        servicePort: yoda-fs-port

It produced this output:

> k describe issuer yoda-prd-issuer

Name:         yoda-prd-issuer
Namespace:    yoda-prd
Labels:       service=yoda
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Issuer
Metadata:
  Creation Timestamp:  2020-10-15T07:49:22Z
  Generation:          1
  Resource Version:    2076683
  Self Link:           /apis/cert-manager.io/v1/namespaces/yoda-prd/issuers/yoda-prd-issuer
  UID:                 7dec6b6d-4649-47a1-98b7-081ca90c548c
Spec:
  Acme:
    Email:            choonho.shin@deliveryhero.co.kr
    Preferred Chain:  
    Private Key Secret Ref:
      Name:  yoda-prd-issuer-secret-staging
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
    Solvers:
      dns01:
        Cloud DNS:
          Project:  dhk-d-resto
          Service Account Secret Ref:
            Key:   key.json
            Name:  clouddns-dns01-solver-svc-acct
      Selector:
Status:
  Acme:
    Last Registered Email:  choonho.shin@deliveryhero.co.kr
    Uri:                    https://acme-staging-v02.api.letsencrypt.org/acme/acct/16125294
  Conditions:
    Last Transition Time:  2020-10-15T07:49:23Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>
> k describe certificate yoda-prd-issuer-secret-staging

Name:         yoda-prd-issuer-secret-staging
Namespace:    yoda-prd
Labels:       env=prd
              service=yoda
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2020-10-15T07:49:22Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  yoda-ingress-prd
    UID:                   c2d9c16c-1b7c-4b18-824f-1feb169cde5e
  Resource Version:        2076672
  Self Link:               /apis/cert-manager.io/v1/namespaces/yoda-prd/certificates/yoda-prd-issuer-secret-staging
  UID:                     d805601b-7342-42d3-9494-bdff68eb81de
Spec:
  Dns Names:
    *.yoda.yogiyo.co.kr
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       Issuer
    Name:       yoda-prd-issuer
  Secret Name:  yoda-prd-issuer-secret-staging
Status:
  Conditions:
    Last Transition Time:        2020-10-15T07:49:22Z
    Message:                     Issuing certificate as Secret does not contain a certificate
    Reason:                      MissingData
    Status:                      True
    Type:                        Issuing
    Last Transition Time:        2020-10-15T07:49:22Z
    Message:                     Issuing certificate as Secret does not contain a certificate
    Reason:                      MissingData
    Status:                      False
    Type:                        Ready
  Next Private Key Secret Name:  yoda-prd-issuer-secret-staging-h6xzz
Events:                          <none>
> k describe challenge yoda-prd-issuer-secret-staging-s7mdm-3658250181-2121561333
Name:         yoda-prd-issuer-secret-staging-s7mdm-3658250181-2121561333
Namespace:    yoda-prd
Labels:       <none>
Annotations:  <none>
API Version:  acme.cert-manager.io/v1
Kind:         Challenge
Metadata:
  Creation Timestamp:  2020-10-15T07:49:25Z
  Finalizers:
    finalizer.acme.cert-manager.io
  Generation:  1
  Owner References:
    API Version:           acme.cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Order
    Name:                  yoda-prd-issuer-secret-staging-s7mdm-3658250181
    UID:                   bb07fb3b-c2f1-4dea-a62e-b8bc2f583d95
  Resource Version:        2076733
  Self Link:               /apis/acme.cert-manager.io/v1/namespaces/yoda-prd/challenges/yoda-prd-issuer-secret-staging-s7mdm-3658250181-2121561333
  UID:                     59a0bb03-0ee3-46f1-b680-7fdedb91c272
Spec:
  Authorization URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/133106301
  Dns Name:           yoda.yogiyo.co.kr
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   Issuer
    Name:   yoda-prd-issuer
  Key:      6ncRJlSeDlEwdh5_Q54gsqYOrVuEHqcGZ0uGgp7_7_4
  Solver:
    dns01:
      Cloud DNS:
        Project:  dhk-d-resto
        Service Account Secret Ref:
          Key:   key.json
          Name:  clouddns-dns01-solver-svc-acct
    Selector:
  Token:     S_w5tDGC-Mx4-5PCHKfxg_Xi-hOD7qVjTTwLFhPowc8
  Type:      DNS-01
  URL:       https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/133106301/-Z08LA
  Wildcard:  true
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for DNS-01 challenge propagation: DNS record for "yoda.yogiyo.co.kr" not yet propagated
  State:       pending
Events:        <none>

My web server is (include version): nginx:1.19-alpine in GKE

The operating system my web server runs on is (include version): nginx:1.19-alpine in GKE

My hosting provider, if applicable, is: GKE

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): cert-manager 1.03

What am I doing wrong?

2 Likes

It looks like cert-manager is getting stuck on its preflight check for _acme-challenge.yoda.yogiyo.co.kr/TXT.

This is going to rely on the resolvers that your cert-manager containers are using. Maybe they have gotten stuck with a stale negative response.

You might have better luck if you nominate some external nameservers for --dns01-self-check-nameservers: https://cert-manager.io/docs/release-notes/release-notes-0.4/#better-support-for-split-horizon-dns-environments-with-acme-dns01-challenges

3 Likes
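As an added illustration of the pre-flight check described in the reply above (this is not cert-manager's own code), the script below computes the expected `_acme-challenge` TXT value the way RFC 8555 section 8.4 defines it (base64url of the SHA-256 of `token.thumbprint`, with the RFC 7638 thumbprint of the account key) and runs a minimal self check against an injectable resolver. The account key, token and both resolver tables are constructed; the first resolver stands in for an in-cluster resolver holding a stale negative answer, the second for external nameservers that already serve the record.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, List

# RFC 7638 thumbprint members per key type (RSA and EC are what ACME accounts use).
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires for all ACME encodings."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public members only."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


Resolver = Callable[[str], List[str]]  # fqdn -> TXT strings ([] for NXDOMAIN / NODATA)


def self_check(dns_name: str, expected: str, resolver: Resolver) -> str:
    """Minimal pre-flight check in the spirit of cert-manager's DNS-01 self check."""
    fqdn = f"_acme-challenge.{dns_name}."
    records = resolver(fqdn)
    if expected in records:
        return "propagated"
    if not records:
        return f'DNS record for "{dns_name}" not yet propagated'
    return f'TXT for "{dns_name}" present but does not match the challenge key'


def make_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a constructed fqdn -> TXT table."""
    return lambda fqdn: list(zone.get(fqdn, []))


if __name__ == "__main__":
    # Constructed account key and token, not values from any real ACME account.
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "x-coordinate", "y": "y-coordinate"}
    expected = dns01_txt_value("constructed-token", jwk_thumbprint(account_jwk))
    record = "_acme-challenge.yoda.yogiyo.co.kr."
    cluster_resolver = make_resolver({})                   # stale negative answer, record never shows up
    external_nameservers = make_resolver({record: [expected]})  # authoritative data already present
    print("cluster resolver:   ", self_check("yoda.yogiyo.co.kr", expected, cluster_resolver))
    print("external nameservers:", self_check("yoda.yogiyo.co.kr", expected, external_nameservers))
```

Pointing `--dns01-self-check-nameservers` at external resolvers has the same effect as switching from the first resolver to the second: the check consults servers that see the freshly created record instead of a cached negative response.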

Also have a look at:
https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check

3 Likes