-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"propagation check failed" for DNS-01 ACME challenge on internal EKS-cluster #5586
Comments
🤷♂️ Turns out that it's impossible to solve the dns01 challenge in a AWS Route53 private hosted zone as mentioned in #2690. |
@kobethuwis I am using a public hosted zone with a similar set of configurations and facing the same issue. Did you ever tried a public hosted zone and does it work for you? |
Yes! The certificate configuration for the ELB worked, but I experienced application-level issues causing the SSL deployment in general to be delayed. An ACM generated certificated issued in a public hosted zone definitely works though! |
If you are getting this error and using a public Route53 zone, check your VPC Network ACLs if they are blocking incoming port 53. That was what we found. Possible work around using https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check extraArgs:
- --dns01-recursive-nameservers-only
- --dns01-recursive-nameservers=kube-dns.kube-system.svc.cluster.local:53 |
@kzap @kobethuwis I have the same issue but I can't find any solution. Can you let me know how to fix this or at least understand the problem? Adding those extra flags doesn't help. |
@droslean You need to make sure that your cert-manager deployment can reach and resolve public IP's. This is needed because you can't issue an SSL certificate without 'proving' that you're the issuer (look at it like some sort of handshake). Like @kzap mentioned, you need to check your security groups, network gateways and even external firewalls if they allow traffic through port 53. When you're using a private hosted zone in AWS, you are by definition blocking public access: Additionally, I was trying to propagate an SSL Certificate through cert-manager attached to an Ingress Nginx Load Balancer. Since I was using the helm chart, am using an EKS hosted cluster and wanted to use a single SSL certificate for all of my applications (thus attach it to the ELB, not the separate Ingresses) I had to use AWS ACM to issue a certificate, which worked like a charm! |
@kobethuwis Thanks for the response! I tried to take a look but it seems that everything should be ok but it's not :(. I will try to dig further into the problem by opening a customer support case in AWS to at least understand where is the problem. |
Trying to configure a LetsEncrypt Clusterissuer for our internal EKS-cluster here using the official Helm charts & documentation. I can access the challenge from my webbrowser, DNS resolving works for both the certificate requesting & cert manager pods. I can even retrieve the challenge's TXT DNS01 challenge in the Route53 console. However, when the certificate is created, the challenge & order are kept in the 'Pending' state and the cert-manager pod spits out the following:
What's going wrong here? I've already tried editing the serviceaccount's permissions & specifying the extraArgs, as mentioned in #1627, without result.
Cert-manager config
Ingress config
The text was updated successfully, but these errors were encountered: