[Solved] Error trying to get certificates with cert-manager

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
internal.tcohen3.crt.nuance.com.

I ran this command:
I’m trying to generate a certificate using cert-manager and Let’s Encrypt

It produced this output:

E1127 20:25:54.248950       1 sync.go:183] cert-manager/controller/challenges "msg"="propagation check failed" "error"="Could not determine the zone for \"_acme-challenge.internal.tcohen3.crt.nuance.com.\": Unexpected response code 'SERVFAIL' for _acme-challenge.internal.tcohen3.crt.nuance.com." "dnsName"="internal.tcohen3.crt.nuance.com" "resource_kind"="Challenge" "resource_name"="ambassador-cert-ambassador-internal-556220335-1" "resource_namespace"="ingress-controllers" "type"="dns-01" 
I1127 20:25:54.249014       1 base_controller.go:193] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="ingress-controllers/ambassador-cert-ambassador-internal-556220335-1" 
I1127 20:26:04.249207       1 base_controller.go:187] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="ingress-controllers/ambassador-cert-ambassador-internal-556220335-1" 
I1127 20:26:04.249476       1 dns.go:119] cert-manager/controller/challenges/Check "level"=0 "msg"="checking DNS propagation" "dnsName"="internal.tcohen3.crt.nuance.com" "domain"="internal.tcohen3.crt.nuance.com" "resource_kind"="Challenge" "resource_name"="ambassador-cert-ambassador-internal-556220335-1" "resource_namespace"="ingress-controllers" "type"="dns-01" "nameservers"=["192.168.0.10:53"]

My web server is (include version):

The operating system my web server runs on is (include version):
AKS/k8s/linux/docker deployed with the official helm chart

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
cert-manager v0.9.1

Hello,
I guess I reached the Let’s Encrypt limit, but I’m still not able to use Let’s Encrypt staging.

  • Can you confirm that I reached the limit?
  • How can I be unblocked for the next 7 days?
  • What is the process to become a partner/sponsor to increase the limit?

Thanks for your answer!

Hi @titilambert

there is a check of your domain - 10 minutes old - https://check-your-website.server-daten.de/?q=internal.tcohen3.crt.nuance.com#ct-logs

There are two new Letsencrypt certificates:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-11-27 | 2020-02-25 | *.internal.tcohen3.crt.nuance.com, internal.tcohen3.crt.nuance.com - 2 entries | duplicate nr. 2 | |
| Let’s Encrypt Authority X3 | 2019-11-27 | 2020-02-25 | *.internal.tcohen3.crt.nuance.com, internal.tcohen3.crt.nuance.com - 2 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-11-20 | 2020-02-18 | *.internal.tcohen3.crt.nuance.com, internal.tcohen3.crt.nuance.com - 2 entries | | |

And a correct TXT entry.

So that part has worked.

Use one of these, don’t create the next. Rate limit -> 5 identical certificates.

So

  1. no - but you shouldn’t hit the limit if you need a certificate. Make a backup of your private and public key.
  2. That’s not possible and not required.
  3. These are different things. If you have only one domain, there is no need to increase the limit. Configuration errors -> fix these.

That looks like an error from your own computer – cert-manager is trying to do its own check to see if your DNS configuration is correct, and it’s failing for some reason.

From the Internet, your TXT record looks fine.

_acme-challenge.internal.tcohen3.crt.nuance.com. 60 IN TXT "Ms58GcWyByBf3IfZ7nSlmecP90g7dN6F1Ih-0-U43V8"

Thanks for your answer!
I have the same issue with mix-qa.cd4.crt.nuance.com

E1127 20:48:28.797779       1 sync.go:183] cert-manager/controller/challenges "msg"="propagation check failed" "error"="Could not determine the zone for \"_acme-challenge.mix-qa.cd4.crt.nuance.com.\": Unexpected response code 'SERVFAIL' for _acme-challenge.mix-qa.cd4.crt.nuance.com." "dnsName"="mix-qa.cd4.crt.nuance.com" "resource_kind"="Challenge" "resource_name"="ambassador-certificate-3088412214-0" "resource_namespace"="mix-qa" "type"="dns-01" 
I1127 20:48:28.797869       1 base_controller.go:193] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="mix-qa/ambassador-certificate-3088412214-0" 
I1127 20:48:38.798162       1 base_controller.go:187] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="mix-qa/ambassador-certificate-3088412214-0" 
I1127 20:48:38.798372       1 dns.go:119] cert-manager/controller/challenges/Check "level"=0 "msg"="checking DNS propagation" "dnsName"="mix-qa.cd4.crt.nuance.com" "domain"="mix-qa.cd4.crt.nuance.com" "resource_kind"="Challenge" "resource_name"="ambassador-certificate-3088412214-0" "resource_namespace"="mix-qa" "type"="dns-01" "nameservers"=["192.168.0.10:53"]

I checked that: https://check-your-website.server-daten.de/?q=mix-qa.cd4.crt.nuance.com#ct-logs
But I don’t understand why I cannot get my cert.

I’m able to get the same TXT entry from the k8s cluster … I don’t see why cert-manager cannot get the record …

The TXT entry looks good:

_acme-challenge.mix-qa.cd4.crt.nuance.com
tCWjCBdb8c9XUlphl-bOylrD909Lv0_sdZdAZifjEC8
looks good, correct length, correct characters

Does your internal DNS setup work?

Your ip address is private:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| mix-qa.cd4.crt.nuance.com | A | 10.58.160.192 (No Hostname found) | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.mix-qa.cd4.crt.nuance.com | | Name Error | yes | 1 | 0 |

That shouldn’t be a problem if you use dns validation.

But I don’t know if Cert-Manager works with that configuration.

And your first domain has two certificates, created this morning (last 07:07:08). So it had worked.

Did you change something?

It was working a few days ago :confused: I’m still able to get the DNS entry from inside the cluster.
We were doing that for months.
Do you know who sent the Unexpected response code? Is it Let’s Encrypt?

I didn’t change anything DNS/firewall wide

It seems that we cannot get any new certs anywhere in nuance.com.
That’s why I thought I reached the limit.

No, that’s a precheck.

Copied:

E1127 20:48:28.797779 1 sync.go:183] cert-manager/controller/challenges "msg"="propagation check failed" "error"="Could not determine the zone for \"_acme-challenge.mix-qa.cd4.crt.nuance.com.\": Unexpected response code 'SERVFAIL' for _acme-challenge.mix-qa.cd4.crt.nuance.com." "dnsName"="mix-qa.cd4.crt.nuance.com" "resource_kind"="Challenge" "resource_name"="ambassador-certificate-3088412214-0" "resource_namespace"="mix-qa" "type"="dns-01"

Propagation check failed, so your local cert-manager has problems to find the zone.

But there are no problems visible - not with “check your website”, not with Unboundtest:

https://unboundtest.com/m/TXT/_acme-challenge.mix-qa.cd4.crt.nuance.com/2G3HIRPT

Response:
;; opcode: QUERY, status: NOERROR, id: 13734
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.mix-qa.cd4.crt.nuance.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.mix-qa.cd4.crt.nuance.com. 0 IN TXT "tCWjCBdb8c9XUlphl-bOylrD909Lv0_sdZdAZifjEC8"

Letsencrypt uses an unbound instance with the same configuration.
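An offline model of the precheck described in the reply above, added here as an illustration (it is neither cert-manager's own code nor anything a poster wrote): the zone walk that produces "Could not determine the zone", and why a SERVFAIL from the cluster's resolver fails the check even though the public TXT record is correct. Both resolvers are constructed fakes; the zone apex nuance.com. and the SOA content are assumptions made for the model.

```python
"""Offline model of cert-manager's DNS-01 propagation precheck (illustration, not
cert-manager's code): the zone for _acme-challenge.<domain> is found by asking the
configured recursive nameserver for SOA records, walking up one label at a time; a
SERVFAIL on that walk aborts with "Could not determine the zone" before any TXT query."""
from typing import Callable, Dict, List, Tuple

Answer = Tuple[str, List[str]]           # (rcode, answer-section values)
Resolver = Callable[[str, str], Answer]  # (owner name, rrtype) -> Answer

DOMAIN = "mix-qa.cd4.crt.nuance.com"
TXT_VALUE = "tCWjCBdb8c9XUlphl-bOylrD909Lv0_sdZdAZifjEC8"  # value shown in the thread
CHALLENGE = f"_acme-challenge.{DOMAIN}."

def make_fake_resolver(table: Dict[Tuple[str, str], Answer], default: Answer) -> Resolver:
    """Table-driven stand-in for a recursive resolver; unknown queries get `default`."""
    return lambda name, rrtype: table.get((name.lower(), rrtype.upper()), default)

# Constructed public view; the zone apex is assumed to be nuance.com. for the model.
PUBLIC_RESOLVER = make_fake_resolver({
    ("nuance.com.", "SOA"): ("NOERROR", ["ns.placeholder.example. hostmaster.placeholder.example. 1 3600 600 86400 60"]),
    (CHALLENGE, "TXT"): ("NOERROR", [TXT_VALUE]),
}, default=("NOERROR", []))  # other names exist but carry no record of that type

# Constructed cluster view (192.168.0.10:53 in the logs): a broken forwarder
# answers SERVFAIL for every query, so the zone walk cannot even start.
CLUSTER_RESOLVER = make_fake_resolver({}, default=("SERVFAIL", []))

def find_zone(fqdn: str, resolve: Resolver) -> str:
    """First name (fqdn itself or an ancestor) whose SOA query returns an answer; SERVFAIL raises."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rcode, answers = resolve(candidate, "SOA")
        if rcode == "SERVFAIL":  # same wording as the cert-manager log line in the thread
            raise RuntimeError(f'Could not determine the zone for "{fqdn}": '
                               f"Unexpected response code 'SERVFAIL' for {candidate}")
        if rcode == "NOERROR" and answers:
            return candidate
    raise RuntimeError(f"no zone found for {fqdn}")

def propagation_check(domain: str, expected: str, resolve: Resolver) -> Tuple[bool, str]:
    """Succeeds only when the zone is found AND the challenge TXT carries `expected`."""
    name = f"_acme-challenge.{domain}."
    try:
        zone = find_zone(name, resolve)
    except RuntimeError as err:
        return False, str(err)  # the failure mode in the thread: never reaches the TXT query
    rcode, values = resolve(name, "TXT")
    if rcode != "NOERROR" or expected not in values:
        return False, f"zone {zone} found, but TXT for {name} not propagated yet"
    return True, f"zone {zone}: challenge TXT present"
```

Running `propagation_check(DOMAIN, TXT_VALUE, CLUSTER_RESOLVER)` reproduces the SERVFAIL failure while the public view passes, which is why checking the TXT record from outside does not clear the error. The usual mitigation is to point cert-manager's precheck at a working recursive resolver with its `--dns01-recursive-nameservers` flag rather than the cluster's default one.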

Hum,
We are using Azure DNS, should we check on this side ?

Finally the issue disappeared; I suspect I reached a limit (I don’t know which one …).

Thanks for your help
