zachomedia / cert-manager-webhook-pdns

A PowerDNS webhook for cert-manager
MIT License

Error "failed loading zone" #33

Closed tgruenert closed 1 year ago

tgruenert commented 1 year ago

pdns is on an external host. Setup with the API key seems to be working (all domain names replaced by placeholders):

curl -s -H 'X-API-Key: ****apikey**** ' https://examplednshost.com/api/v1/servers/localhost/zones/example.com

gives me the domain content (attachment: pdns_domain.txt).

cert-manager generates this log:

I0418 07:47:05.571918       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="example.com" "domain"="example.com" "resource_kind"="Challenge" "resource_name"="test-example-ca-4kjr4-291941251-3316154360" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E0418 07:47:05.668496       1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="failed loading existing records for _acme-challenge.example.com. in domain example.com.: failed loading zone example.com.: " "key"="cert-manager/test-example-ca-4kjr4-291941251-3316154360"

What could I have done wrong? Thank you in advance.

Edit: added Certificate and ClusterIssuer

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-example-ca
  namespace: cert-manager
spec:
  secretName: example-com-tls
  dnsNames:
  - teamproq.com

  issuerRef:
    name: letsencrypt-prod-dns01-wolke8dns
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
spec:
  acme:
    email: server@example.com
    preferredChain: ''
    privateKeySecretRef:
      name: letsencrypt-account-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          webhook:
            config:
              apiKeySecretRef:
                key: key
                name: cert-manager-examplednshost-api-key
              host: https://ns1.examplednshost.com
            groupName: acme.examplednshost.com
            solverName: pdns

tgruenert commented 1 year ago

After some deeper analysis: the entry _acme-challenge.example.com. is placed correctly. But due to DNS caching or delayed replication to the secondary DNS, the record _acme-challenge.example.com. is not answered in time. Setting a larger TTL helps. So my solution is:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-dns01-wolke8dns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
...
    solvers:
    - dns01:
        webhook:
          config:
            # TTL for DNS records
            # (in seconds)
            # records need to be replicated to the secondaries, which takes a while
            ttl: 360
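As an added illustration (not the webhook's own code), here is a Python model of the "present" step the webhook performs against the PowerDNS API: load the zone, merge the challenge token into the `_acme-challenge` TXT rrset and build the PATCH body with the configured `ttl`. The zone JSON is constructed sample data; the field names follow the PowerDNS Authoritative API, and the checks in `load_zone` show what a non-empty "failed loading zone" reason could look like when the API returns nothing usable.

```python
"""Model of the DNS-01 'present' step against the PowerDNS Authoritative API:
GET the zone, merge the challenge token into the _acme-challenge TXT rrset
and build the PATCH body with an explicit TTL."""
import json

# Constructed sample of GET /api/v1/servers/localhost/zones/example.com.
# The shape follows the PowerDNS API (rrsets/records); all values are made up.
ZONE_JSON = json.dumps({
    "name": "example.com.",
    "kind": "Master",
    "serial": 2023041801,
    "rrsets": [
        {"name": "example.com.", "type": "SOA", "ttl": 3600, "records": [
            {"content": "ns1.example.com. hostmaster.example.com. "
                        "2023041801 10800 3600 604800 3600", "disabled": False}]},
        {"name": "_acme-challenge.example.com.", "type": "TXT", "ttl": 120,
         "records": [{"content": '"old-token"', "disabled": False}]},
    ],
})

def load_zone(body, zone):
    """Parse the zone response; an empty body or a name mismatch is the
    'failed loading zone' situation from the issue, so fail with a reason."""
    if not body.strip():
        raise ValueError(f"failed loading zone {zone}: empty response from API")
    data = json.loads(body)
    if data.get("name") != zone:
        raise ValueError(f"failed loading zone {zone}: API returned {data.get('name')!r}")
    return data

def existing_txt(zone_data, fqdn):
    """Current, enabled TXT contents for fqdn (PowerDNS keeps them quoted)."""
    for rr in zone_data.get("rrsets", []):
        if rr["name"] == fqdn and rr["type"] == "TXT":
            return [r["content"] for r in rr["records"] if not r.get("disabled")]
    return []

def present_patch(zone_data, fqdn, token, ttl=360):
    """PATCH body that REPLACEs the rrset. Earlier tokens are kept so parallel
    challenges do not clobber each other; ttl is the webhook's configured
    value (360 s in the fix above)."""
    contents = existing_txt(zone_data, fqdn)
    quoted = f'"{token}"'  # TXT rdata must be quoted for PowerDNS
    if quoted not in contents:
        contents.append(quoted)
    return {"rrsets": [{"name": fqdn, "type": "TXT", "ttl": ttl, "changetype": "REPLACE",
                        "records": [{"content": c, "disabled": False} for c in contents]}]}
```

Note that a larger TTL only gives the secondaries time to catch up; it does not shorten the wait for the record to appear on them.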