New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cert-manager can't find GoogleCloud subdomain. #1507
Comments
I don't know why but I can get wildcard certificate |
Same issue here, for a Cloud DNS subdomain delegated to another Cloud DNS zone. I am able to e.g. This appears to be the same issue described at the bottom of #728 - is this a regression? I would try v0.4.1 but it doesn't appear to be hosted on the
Edit: perhaps it took some time for the records to propagate, but it looks like it's working for me now. Not sure what else it could be, the only other thing I changed was adding the following flags: |
I also encountered the same issue when using a Cloud DNS domain, which delegates to another CloudDNS subdomain. In my case, I was able to get everything working with only this flag:
Hope this helps anyone else that encounters this! |
Interestingly this worked fine in the first project I used it project-1.example.com. Then when I used the same TLD for a second project, project-2.example.com I got this error in project 2. I am still debugging and making sure I haven't missed something. I can't think why this would change anything. |
I need to try and recreate this, but deleting the zone in the other project, creating a new subdomain (to get around any DNS caching) worked as expected. |
I have the same issue with route53:
cert-manager's log:
challenge status:
cert-manager v0.8.1 |
So cert-manager doesn't take your FQDN blindly and try to manage the zone for you with CloudDNS. What it does is it takes your FQDN and then searches from left to right for a SOA record. So if you have a root domain Its this block of code which causes the issues:
So why does this code skip the first SOA? Well in our case it was because we had multiple zones we were delegating and I put my NS record of interest in the wrong one. For example, we have zones
So when we were querying for The way to correct this was to remove
when before we had
The way to debug this is to just |
Just on my 403 issue, there is an internal tracking bug at Google, I am just trying to get the exact replication steps. It seems that you can only use a service account once, if you use the same service account but with a new key the Cloud DNS api won't accept the call. Call SA a different name, or clear all keys it seems to work. I can check your code in a bit, but if you could let me know which version of the API you are using that would be a great help. |
I'm running into this as well, but trying to generate a wildcard domain: so I two zones in Google Cloud:
I can generate a wildcard fine for:
but fails for:
I think it's adding the entry in the wrong zone or something? Is there a way to fix this? |
Adding the TXT record to the correct zone generates the cert successfully, but I had to move it manually. Maybe I don't need two zones for the same domain? I have a zone for the domain and then also a zone for the subdomain. Maybe I need 1 zone for both the domain and the subdomain. |
https://github.com/jetstack/cert-manager/blob/master/pkg/issuer/acme/dns/util/wait.go#L306 If CertManager were to do the traversal on the zones which are in a premature state, it might well resolve to a wrong FQDN and would cache it until the process terminates. So when you got the strange "No matching GoogleCloud domain found for domain", try deleting the cert-manager pod and waiting for it to respawn. IMO, the cache implementation should have got a TTL for each entry. |
Thanks! Restarting cert-manager POD solved my issue. |
As @Freyert points out very well in #1507 (comment), I think this issue can be resolved by properly configuring your DNS hierarchy to point to the correct zone. I don't think there's an inherent issue in our resolution logic, rather it is working as intended. /area acme/dns01 |
In my case, I have a domain on Google Domains. And I fixed this issue by moving the DNS solving from Google Domains to Cloud DNS: https://cloud.google.com/dns/docs/tutorials/create-domain-tutorial#set-up-domain |
Describe the bug:
Cert-manager could not find GoogleCloud subdomain.
I has a zone
a.foobar.com
, which managed in CloudDNS.And I want to create SSL certificates of
x.a.foobar.com
andy.a.foobar.com
But cert-manager attempt to find domain
foobar.com
Expected behaviour:
Cert-manager attempt to find domain
a.foobar.com
Steps to reproduce the bug:
Anything else we need to know?:
foobar.com.
is managed in route53a.foobar.com
is managed in clouddnsEnvironment details::
/kind bug
The text was updated successfully, but these errors were encountered: