Why is the dns01 authentication status always pending?

see url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/423264840117/g7YHrA

Why is the dns01 authentication status always pending?
The DNS TXT record can be parsed around the world.

I didn't encounter this problem before when I applied for a certificate, but this time when the certificate was about to expire and cert-manager automatically renewed it, this problem appeared.
Someone please help me. Thanks.

How, exactly, did you check that? By walking the authoritative DNS tree?

Can you show output from this site looking up the _acme-challenge.(domain) TXT record:
https://unboundtest.com

Just the top part with the result. Not all the trace info.

2 Likes

https://unboundtest.com/m/TXT/_acme-challenge.cert-test.shawf.me/YONXDQ2E
Can you see the info?

Yes, I see it. I think the "pending" means that Cert-Manager has prepared the challenge but not yet told Let's Encrypt server to check it.

You might review this troubleshooting guide. Or wait for someone with more cert-manager experience. Still, I am fairly confident that is what "pending" means.

5 Likes

Thanks, you're right.
The problem is with one of my A records: *.xx.com.
The Cert-Manager prioritizes the A record over the TXT record. So it's like you said: "pending" means that Cert-Manager has prepared the challenge but not yet told Let's Encrypt server to check it.
I temporarily turned off the A-record to get it resolved.

Problems with Cert-Manager. I think Cert-Manager should modify the checksum logic to get only TXT records, like 'dig TXT xx.com'.

1 Like
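To make concrete what the "pending" state above means and what the poster's A-record finding looks like from a checker's point of view, here is an added example (not cert-manager's or Let's Encrypt's own code): it computes the TXT value a dns-01 challenge expects per RFC 8555 section 8.4 (base64url of SHA-256 over `token.thumbprint`, with the account key thumbprint per RFC 7638) and then runs a self-check over resolver answers. Only TXT rdata at `_acme-challenge.<name>` is compared; any A records returned at that owner name are reported but never accepted. The token and the EC key are the public example values from RFC 8555 and RFC 7517, the resolver answers and `example.com` are constructed for the demo, and the function names are mine.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: TXT rdata = base64url(SHA-256(token '.' thumbprint(accountKey)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record_name(identifier: str) -> str:
    """A wildcard identifier is validated at its base name: *.example.com -> _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}".rstrip(".").lower()


def self_check(identifier: str, token: str, account_jwk: dict, answers: list) -> tuple:
    """Decide whether the presented record is visible, given resolver answers as
    (owner name, rrtype, rdata) tuples. Only TXT rdata is compared against the
    expected value; other record types at the same owner name (e.g. A records,
    as in the thread) are reported in the reason string but never matched."""
    name = challenge_record_name(identifier)
    want = expected_txt_value(token, account_jwk)
    at_name = [(t, r) for (n, t, r) in answers if n.rstrip(".").lower() == name]
    txt_values = [r for (t, r) in at_name if t == "TXT"]
    other_types = sorted({t for (t, _) in at_name if t != "TXT"})
    if want in txt_values:
        return ("ready", f"expected TXT value present at {name}")
    if txt_values:
        return ("pending", f"TXT records at {name} do not match the expected value")
    if other_types:
        return ("pending", f"no TXT at {name}; only {', '.join(other_types)} records were returned")
    return ("pending", f"no records at {name}")


# Public example values: token from RFC 8555, EC public key from RFC 7517 (not a real account).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def demo() -> dict:
    """Two constructed resolver answer sets for a wildcard identifier."""
    ident = "*.example.com"  # constructed identifier for the demo
    name = challenge_record_name(ident)
    # Case 1: the correct TXT record is visible.
    good = [(name, "TXT", expected_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))]
    # Case 2: only an A record comes back at the challenge name (constructed address).
    only_a = [(name, "A", "192.0.2.10")]
    return {
        "good": self_check(ident, SAMPLE_TOKEN, SAMPLE_JWK, good),
        "only_a": self_check(ident, SAMPLE_TOKEN, SAMPLE_JWK, only_a),
    }


if __name__ == "__main__":
    for case, (state, why) in demo().items():
        print(f"{case}: {state} ({why})")
```

Feeding this function the answers from a tool like the unboundtest lookup linked above (owner name, type, rdata) reproduces the distinction the thread arrives at: a challenge stays "pending" until the exact TXT value is seen at the challenge name, and records of any other type at that name cannot satisfy it.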

I presume you know how to contact them about this?

2 Likes

Yeah, thanks a lot for the troubleshooting ideas anyway!

2 Likes