baarde / cert-manager-webhook-ovh

OVH Webhook for Cert Manager
Apache License 2.0

Propagation check failed #16

Closed cedvan closed 2 years ago

cedvan commented 2 years ago

Hi,

I want to generate my certificate with Let's Encrypt and OVH. I followed this guide: https://dev.to/iderr/use-ovh-as-a-dns-01-provider-for-cert-manager-5hl7

The challenge record _acme-challenge.xxx.yyy.com. is created in my OVH domain zone, so the OVH connection is OK, but the propagation check fails in a loop.

cert-manager pod logs:

...
E1224 02:53:24.382561       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"xxx.yyy.com\" not yet propagated" "dnsName"="xxx.yyy.com" "resource_kind"="Challenge" "resource_name"="xxx-yyy-com-tls-v54tn-112196193-1530170224" "resource_namespace"="kube-system" "resource_version"="v1" "type"="DNS-01" 
E1224 02:53:34.386310       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"xxx.yyy.com\" not yet propagated" "dnsName"="xxx.yyy.com" "resource_kind"="Challenge" "resource_name"="xxx-yyy-com-tls-v54tn-112196193-1530170224" "resource_namespace"="kube-system" "resource_version"="v1" "type"="DNS-01" 
E1224 02:53:44.388556       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"xxx.yyy.com\" not yet propagated" "dnsName"="xxx.yyy.com" "resource_kind"="Challenge" "resource_name"="xxx-yyy-com-tls-v54tn-112196193-1530170224" "resource_namespace"="kube-system" "resource_version"="v1" "type"="DNS-01"
...

It loops again and again...

Any idea please :pray:?

Kubernetes version: v1.22.4-3+adc4115d990346
Cert Manager controller version: v1.6.1
Cert Manager webhook ovh version: 0.3.0
Letsencrypt server: https://acme-staging-v02.api.letsencrypt.org/directory (tested with production too)

ArturZurawski commented 2 years ago

I had to roll back cert-manager to 1.5.4 to get this working

cedvan commented 2 years ago

Tried with cert-manager 1.5.4, but same problem :/

aureq commented 2 years ago

So, I don't know if anyone examined the certificate itself stored in the secret, but I found that despite the error messages as reported by @cedvan the certificate is correctly generated and stored in the mentioned Secret. It took a few seconds (maybe 15 or so) but it ended fine.

I was able to confirm this after using the following openssl command: openssl s_client -connect 10.0.255.1:443 -servername test.example.com -showcerts, and then pasted the 1st certificate here for additional validation.

Finally, if using LE's production API, your certificate, if correctly issued, should appear after a bit of time on the following certificate transparency website: https://crt.sh/

cedvan commented 2 years ago

Hello,

No solution!? Tested with Cert Manager v1.7.2, same issue :/...

Same for me @aureq, the TLS key is generated in the secret, but the propagation check is stuck and my certificates stay at Ready "False".

cedvan commented 2 years ago

Tested with cert-manager 1.5.3, I have the same problem, I don't understand :/

Can anyone help please?

cedvan commented 2 years ago

OMG, it works with v1.5.3!

For information, I have added custom nameservers for the DNS check: https://cert-manager.io/v0.15-docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check

After this update, the propagation check succeeds and my certificate is used by my ingress.

I will try with other cert-manager version ;)

cedvan commented 2 years ago

OK, it works with 1.7.2 too. So this problem was with DNS resolution.
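The thread ends with the propagation self-check hitting a resolver that had not yet seen the TXT record, while the controller kept emitting the "propagation check failed" lines shown in the first comment. A quick triage step is to spot Challenges that fail the check repeatedly for the same dnsName. The script below is an added example, not code from this issue or from cert-manager-webhook-ovh; it parses constructed klog-style lines in the format shown above (placeholder names, an assumed year since klog omits it) and flags challenges stuck in the loop.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in cert-manager's klog format (placeholder names, as in the issue).
SAMPLE_LOG = r'''
E1224 02:53:24.382561       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"xxx.yyy.com\" not yet propagated" "dnsName"="xxx.yyy.com" "resource_kind"="Challenge" "resource_name"="xxx-yyy-com-tls-v54tn-112196193-1530170224" "resource_namespace"="kube-system" "resource_version"="v1" "type"="DNS-01"
E1224 02:53:34.386310       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"xxx.yyy.com\" not yet propagated" "dnsName"="xxx.yyy.com" "resource_kind"="Challenge" "resource_name"="xxx-yyy-com-tls-v54tn-112196193-1530170224" "resource_namespace"="kube-system" "resource_version"="v1" "type"="DNS-01"
E1224 02:53:44.388556       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"xxx.yyy.com\" not yet propagated" "dnsName"="xxx.yyy.com" "resource_kind"="Challenge" "resource_name"="xxx-yyy-com-tls-v54tn-112196193-1530170224" "resource_namespace"="kube-system" "resource_version"="v1" "type"="DNS-01"
E1224 02:53:45.000000       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"zzz.yyy.com\" not yet propagated" "dnsName"="zzz.yyy.com" "resource_kind"="Challenge" "resource_name"="zzz-yyy-com-tls-abcde-1-1" "resource_namespace"="default" "resource_version"="v1" "type"="DNS-01"
'''

# klog header: severity letter, MMDD, HH:MM:SS.micro, pid, file:line] message
KLOG_RE = re.compile(r'^([IWEF])(\d{2})(\d{2}) (\d{2}:\d{2}:\d{2}\.\d+)\s+\d+\s+\S+\]\s+(.*)$')
# "key"="value" pairs; values may contain escaped quotes such as \"xxx.yyy.com\"
KV_RE = re.compile(r'"([^"]+)"="((?:[^"\\]|\\.)*)"')
YEAR = 2021  # assumption: klog omits the year, one is needed to subtract timestamps


def parse_line(line):
    """Return (timestamp, fields) for one klog line, or None if it is not one."""
    m = KLOG_RE.match(line.strip())
    if not m:
        return None
    _, month, day, clock, rest = m.groups()
    ts = datetime.strptime(f"{YEAR}{month}{day} {clock}", "%Y%m%d %H:%M:%S.%f")
    fields = {k: v.replace('\\"', '"') for k, v in KV_RE.findall(rest)}
    return ts, fields


def stuck_challenges(log_text, min_failures=3):
    """Group 'propagation check failed' events per Challenge; return the repeat offenders."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1].get("msg") == "propagation check failed":
            ts, f = parsed
            key = (f.get("resource_namespace"), f.get("resource_name"))
            events[key].append((ts, f.get("dnsName")))
    stuck = {}
    for (ns, name), evs in events.items():
        if len(evs) >= min_failures:
            evs.sort()
            stuck[f"{ns}/{name}"] = {"dnsName": evs[0][1], "failures": len(evs),
                                    "stuck_seconds": (evs[-1][0] - evs[0][0]).total_seconds()}
    return stuck


if __name__ == "__main__":
    for key, info in stuck_challenges(SAMPLE_LOG).items():
        print(f"{key}: {info['dnsName']} failed {info['failures']}x over {info['stuck_seconds']:.0f}s")
```

A challenge flagged here while the record is visible at the zone's authoritative servers points at the resolver used by the self-check, which is what the custom-nameserver setting linked above addresses.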