-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dns i/o timeout with dns01 when trying to issue a certificate via cloddns provider #896
Comments
So, problem was in the following: slow (or with no reponse at all, i don't check it yet) UDP requests. Similar issues here: kubernetes/kubernetes#62628, kubernetes/kubernetes#56903, etc. Proposed solutions (mostly modifying resolv.conf) was not relevant, bcs cert-manager don't uses resolv.conf options on DNS lookups. My solution is to patch
With this dirty fix cert issuance is finally working... But problem with kubernetes and UDP unfortunately doesn't solved :( My proposal for this project: allow user to specify "only TCP resolution" in |
For the helm chart use |
I ran into a similar issue using AWS. The problem started a week or two ago. Before that it was running fine. The error from 0.5.2 was:
I was able to do nslookup from within the cert-manager pod using the ipv6 address above. Similar error from a version I built from master and after setting the
I noticed the dns library revision is over a year old so I tried updating it, but it didn't fix the issue. The tcp fallback from comment above worked. I can send PR's for both the dns dependency update and the tcp fallback. |
Interesting that there appears to be issues with IPv6 too. I've not got an environment setup to test this in, nor have I been able to reproduce it. |
This was on a test cluster using k8s 1.11.4 built with kops 1.11alpha, cillium network provider, on t3 instance types. I found this issue on the dns project which says that dns servers will ignore invalid requests: miekg/dns#784 The fact that a TCP request works ok makes me think it's something with the length of the request. Maybe the ipv6 addressing contributes to this? FYI, the hostnames it was failing on were 32 and 30 chars long. |
Hello.
I try to get cetificates using Letsencrypt with Google Clouddns provider and dns01 challenge.
cert-manager
installed on bare metal with kubeadm, helm.Helm: 2.10.0
Kubectl: 1.11.2
Kubeadm: 1.11.2
Cert-manager: 0.4.1
ClusterIssuer config:
Certificate config:
I use helm deploy command with flag
--set podDnsConfig.nameservers={"8.8.8.8","8.8.4.4"}"
and216.239.32.109
is Google DNS IP (NS for my domain) in my case.And cert-manager logs with errors (multiple times):
The main problem is in i/o timeout, another authorization for domain "example.com" is in progress and as result the cerificate is not issued.
If i try to run
kubectl exec -ti cert-manager-xxxxxxxxxxxx-xxxxx nslookup example.com -n kube-system
then i got:It's means dns resolving works as expected or not? I think yes, because i can reach host by name inside pod, but it seems that the cert-manager does not have access to dns server.
I don't use
--dns01-self-check-nameservers=
bcs don't understand how to pass this paramerter viahelm install
. This flag may solve the problem?And what the proper way to obtain certificates? Thanks!
The text was updated successfully, but these errors were encountered: