cert-manager: DNS-01 self check fails for domain

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug

/kind feature

What happened: Not sure if this is really a bug or just a misconfiguration, but I’ve already tried several setups and none of them worked 😕 I’m using Traefik as the ingress controller and I’m trying to get a certificate for one of my services via the DNS-01 challenge for an A record demo.test.company.com in my Azure DNS Zone. But I’m always getting the error message:

dns-01 self check failed for domain "demo.test.company.com"

I do see that LE was able to add the ACME challenge to my Azure DNS Zone hence my DNS provider config within the certificate issuer should be ok.

> YAMLs and logs

Any help would be appreciated!

What you expected to happen:

Check for domain succeeds and secret gets created holding the LE certificate.

Environment:

  • Cluster: AKS (Azure Kubernetes Service)
  • DNS Type: Azure DNS Zone
  • Traefik: 1.34.0 (via Helm)
  • Cert-Manager: 0.3.4 (via Helm)

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T22:29:25Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:05:37Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 4
  • Comments: 21 (2 by maintainers)

Most upvoted comments

OK. One minor thing for the non-existent documentation on the Azure DNS provider: do not use delegated zones… working now, no cert-manager issue.

@munnerz Finally I’ve also figured out my issue 🎉 In the end it was a misconfiguration of the Azure DNS01 provider: in my cert issuer the hostedZoneName property was missing, which must be set. If it isn’t set, cert-manager will silently create a challenge looking like _acme-challenge.myapp.domain.com.domain.com, which causes the DNS self check to fail. To avoid this, hostedZoneName must be set to domain.com. After fixing that there was also no need for me anymore to explicitly set the --dns01-self-check-nameservers.

Unfortunately the Azure DNS01 provider hasn’t been well documented (http://docs.cert-manager.io/en/latest/reference/issuers/acme/dns01.html?highlight=azure), and also it’d be great if cert-manager would make the hostedZoneName attribute mandatory and show an error/warning if it isn’t set. Also it’d be a good idea to check if the generated ACME DNS challenge record matches the expected record name to avoid misconfigurations.
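The record-name check proposed in the comment above, as an added example that is not part of the issue thread or of cert-manager's own code: a hypothetical helper that derives the relative Azure DNS record name from the challenge FQDN and the configured hostedZoneName, refuses an unset or mismatched zone, and shows how an unset zone produces the doubled suffix described above.

```go
package main

import (
	"fmt"
	"strings"
)

// azureRecordName returns the relative record set name an Azure DNS client
// would send for the DNS-01 challenge record fqdn inside zone (hostedZoneName).
// It errors out instead of guessing when the zone is unset or does not contain
// the record. Hypothetical helper for illustration, not cert-manager code.
func azureRecordName(fqdn, zone string) (string, error) {
	fqdn = strings.TrimSuffix(strings.ToLower(fqdn), ".")
	zone = strings.TrimSuffix(strings.ToLower(zone), ".")
	if zone == "" {
		return "", fmt.Errorf("hostedZoneName is not set; refusing to guess the zone for %q", fqdn)
	}
	if fqdn == zone {
		return "@", nil // record at the zone apex
	}
	if !strings.HasSuffix(fqdn, "."+zone) {
		return "", fmt.Errorf("record %q is not inside zone %q", fqdn, zone)
	}
	return strings.TrimSuffix(fqdn, "."+zone), nil
}

// publishedName is what the DNS zone actually serves once a relative record
// set named relative is created in zone: Azure appends the zone name itself.
func publishedName(relative, zone string) string {
	if relative == "@" {
		return zone
	}
	return relative + "." + zone
}

func main() {
	fqdn, zone := "_acme-challenge.myapp.domain.com", "domain.com"

	// Correct configuration: relative name "_acme-challenge.myapp" is published
	// as the expected "_acme-challenge.myapp.domain.com".
	rel, err := azureRecordName(fqdn, zone)
	fmt.Println(rel, err, publishedName(rel, zone))

	// Misconfiguration from the comment: the whole FQDN used as the relative
	// name yields "_acme-challenge.myapp.domain.com.domain.com", so the
	// self check, which queries fqdn, never sees the TXT value.
	fmt.Println(publishedName(fqdn, zone))

	// With the check in place an unset zone is an error, not a silent wrong record.
	_, err = azureRecordName(fqdn, "")
	fmt.Println(err)
}
```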

Having the same issue with 0.4.0 on a fresh cluster. No problems on the cluster where I re-issued the existing wildcard certificate after the upgrade from 0.3.2. UPD: after 4 hours it obtained the certificate…