TXT record created with malformed name when using subdomain under a DNS zone #35
Comments
Can you also share the ChallengeRequest created by the Cert Manager as the ACME webhook extracts the information from what we got from the challenge using the following fields: https://github.com/cert-manager/cert-manager/blob/master/pkg/acme/webhook/apis/acme/v1alpha1/types.go#L81-L95 Remark: Can you use the |
|
Thanks for looking into this, I appreciate it!
Is this logged out somewhere? I've set v=6 on
Works okay if use the top domain: make test TEST_ZONE_NAME=mycompany.org.
ok github.com/snowdrop/godaddy-webhook 35.639sBut timesout if I use the zone: make test TEST_ZONE_NAME=zone.mycompany.org.
time="2023-11-06T16:06:22Z" level=info msg="TXT Record name: cert-manager-dns01-tests"
time="2023-11-06T16:06:22Z" level=info msg="### Try to present the DNS record with the DNS provider using as challengeKey: 123d=="
time="2023-11-06T16:06:22Z" level=info msg="### URL request issued to check if the TXT DNS record is present: /v1/domains/zone.mycompany.org/records/TXT/cert-manager-dns01-tests"
time="2023-11-06T16:06:22Z" level=info msg="### URL request issued to create/update the DNS record: /v1/domains/zone.mycompany.org/records/TXT/cert-manager-dns01-tests"
time="2023-11-06T16:06:23Z" level=info msg="### TXT record created/updated using godaddy REST API !"
time="2023-11-06T16:09:23Z" level=info msg="### CleanUp should delete the relevant TXT record for the challengeKey: 123d=="
time="2023-11-06T16:09:23Z" level=info msg="### URL request issued to check if the TXT DNS record is present: /v1/domains/zone.mycompany.org/records/TXT/cert-manager-dns01-tests"
[controller-runtime] log.SetLogger(...) was never called, logs will not be displayed:
goroutine 216 [running]:
runtime/debug.Stack()
/usr/local/go/src/runtime/debug/stack.go:24 +0x5e
sigs.k8s.io/controller-runtime/pkg/log.eventuallyFulfillRoot()
/home/ptaylour/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/log.go:59 +0xcd
sigs.k8s.io/controller-runtime/pkg/log.(*delegatingLogSink).Enabled(0xc000443480, 0xc00061b9b8?)
/home/ptaylour/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/deleg.go:111 +0x32
github.com/go-logr/logr.Logger.Enabled(...)
/home/ptaylour/go/pkg/mod/github.com/go-logr/[email protected]/logr.go:261
github.com/go-logr/logr.Logger.Info({{0x23625e8?, 0xc000443480?}, 0x0?}, {0x205fc9e, 0x16}, {0x0, 0x0, 0x0})
/home/ptaylour/go/pkg/mod/github.com/go-logr/[email protected]/logr.go:274 +0x72
sigs.k8s.io/controller-runtime/pkg/envtest.(*Environment).Start(0xc00092e280)
/home/ptaylour/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/envtest/server.go:260 +0x419
github.com/cert-manager/cert-manager/test/apiserver.RunBareControlPlane(0xc0008d36c0)
/home/ptaylour/go/pkg/mod/github.com/cert-manager/[email protected]/test/apiserver/apiserver.go:44 +0x2f
github.com/cert-manager/cert-manager/test/acme.(*fixture).setup(0xc0003c3d40, 0xc0008d36c0)
/home/ptaylour/go/pkg/mod/github.com/cert-manager/[email protected]/test/acme/fixture.go:114 +0x105
github.com/cert-manager/cert-manager/test/acme.(*fixture).RunExtended(0xc0003c3d40, 0x0?)
/home/ptaylour/go/pkg/mod/github.com/cert-manager/[email protected]/test/acme/fixture.go:100 +0x2d
github.com/cert-manager/cert-manager/test/acme.(*fixture).RunConformance.func1(0xc000527fd0?)
/home/ptaylour/go/pkg/mod/github.com/cert-manager/[email protected]/test/acme/fixture.go:88 +0x36
testing.tRunner(0xc0008d36c0, 0xc000917040)
/usr/local/go/src/testing/testing.go:1595 +0xff
created by testing.(*T).Run in goroutine 89
/usr/local/go/src/testing/testing.go:1648 +0x3ad
--- FAIL: TestRunsSuite (199.80s)
--- FAIL: TestRunsSuite/Conformance (194.17s)
--- FAIL: TestRunsSuite/Conformance/Basic (183.75s)
--- FAIL: TestRunsSuite/Conformance/Basic/PresentRecord (183.75s)
util.go:61: skipping file "testdata/godaddy/README.md" with unrecognised extension
util.go:61: skipping file "testdata/godaddy/godaddy.secret.example" with unrecognised extension
util.go:70: created fixture "basic-present-record"
suite.go:38: Calling Present with ChallengeRequest: &v1alpha1.ChallengeRequest{UID:"", Action:"", Type:"", DNSName:"example.com", Key:"123d==", ResourceNamespace:"basic-present-record", ResolvedFQDN:"cert-manager-dns01-tests.zone.mycompany.org.", ResolvedZone:"zone.mycompany.org.", AllowAmbientCredentials:false, Config:(*v1.JSON)(0xc00035b5d8)}
suite.go:48: error waiting for DNS record propagation: context deadline exceeded |
This is an object that you can get using "kubectl get ChallengeRequest" @PTaylour |
|
I didn't have any luck with The closest resources I have to that are: ❯ kubectl api-resources | grep -i "^ch\|^ce"
challenges acme.cert-manager.io/v1 true Challenge
certificaterequests cr,crs cert-manager.io/v1 true CertificateRequest
certificates cert,certs cert-manager.io/v1 true Certificate
certificatesigningrequests csr certificates.k8s.io/v1 false CertificateSigningRequestI had a look at each of these and couldn't see the ResovledZone or ResolvedFQDN. I'm on v1.3.1 of cert-manager and v0.2.0 of the webhook ❯ kubectl get deployment -n cert-manager -o=jsonpath='{$.items[*].spec.template.spec.containers[:1].image}'
quay.io/jetstack/cert-manager-controller:v1.13.1 quay.io/jetstack/cert-manager-cainjector:v1.13.1 quay.io/jetstack/cert-manager-webhook:v1.13.1 quay.io/snowdrop/cert-manager-webhook-godaddy:0.2.0%Thanks again for your help |
|
Sorry. My fault, I was referring to |
|
Do the dependencies here roll back up into acme.sh by chance. I had the same issue there recently, and used a wildcard instead of messing with it further. It was the same exact thing of the DNS record not getting created properly when subdomain was used so I just changed it to *.mycompany.org for my domain in this example and moved on. acmesh-official/acme.sh#4870 |
|
@PTaylour have you managed to solve your issue without using dns01RecursiveNameservers and dns01RecursiveNameserversOnly |
|
I'm having a similar issue to this. I have a domain The The API call looks like this: The same workaround proposed by @PTaylour, adding the below settings to cert-manager, fixes the issue, but I don't fully understand why, nor if this is the actual solution to the issue. |
I've been using the GoDaddy webhook with cert-manager on an on-prem cluster and I've encountered a situation that I'm hoping to get some clarification on.
We're running an internal DNS server with a specified DNS zone (
zone.mycompany.org)When I request a certificate for a sub-subdomain (e.g.,
app.zone.mycompany.org), the GoDaddy webhook seems to attempt to create the TXT record underzone.mycompany.org(as expected), but GoDaddy ends up creating the record undermycompany.orginstead.The
PUTrequest made by the webhook:results in the record being accessible at
_acme-challenge.app.mycompany.org(zoneis missing)dig -t txt _acme-challenge.app.mycompany.org +short "c-JuZ0H6dcsr1oVTk0INFciyviEi42Fnvn_mTxf5ErF"and not at
_acme-challenge.app.zone.mycompany.orgas I would expect.
I can work around this by telling cert-manager to use only public DNS servers:
Which results in the
PUTrequestand creates the TXT record at
_acme-challenge.app.zone.mycompany.orgas required.However, I'm wondering if this implies there's a limitation or a specific configuration requirement when using DNS zones with the GoDaddy webhook? Or is this likely to be an issue with how we've configured the internal DNS server?
Thanks for your time and assistance!
Additional information
Here's my config
The text was updated successfully, but these errors were encountered: