cert-manager gets connection refused during the ACME DNS-01 challenge

11/19/2021

I am using jetstack/cert-manager-controller v1.6.0 as cert-manager and Google Cloud DNS for the ACME DNS-01 challenge; the GCP service account is stored in the secret google-clouddns-dns01-sa.

After creating the certificate, the cert-manager pod shows the error "read udp 10.244.7.159:43347->192.168.20.31:53: read: connection refused".

10.244.7.159 => this is the cert-manager pod.

192.168.20.31:53 => I thought this might be the DNS server used to resolve the domain, but after checking, this is a node not related to DNS or the Kubernetes cluster. I don't know why it appears here.

ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: google-clouddns-clusterissuer
  namespace: cert-manager   # ClusterIssuer is cluster-scoped; this field has no effect
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: google-clouddns-clusterissuer-key
    solvers:
    - selector: {}
      dns01:
        cloudDNS:
          project: "getbrightauto"
          serviceAccountSecretRef:
            name: google-clouddns-dns01-sa
            key: serviceAccountKey.json

Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: getbrightauto-cert
  namespace: cert-manager
spec:
  dnsNames:
  - '*.getbrightauto.com'
  secretName: getbrightauto-com-tls
  issuerRef:
    kind: ClusterIssuer
    name: google-clouddns-clusterissuer

cert-manager pod error log

I1119 06:29:51.636448       1 conditions.go:201] Setting lastTransitionTime for Certificate "getbrightauto-cert" condition "Issuing" to 2021-11-19 06:29:51.636444946 +0000 UTC m=+9823.281270634
I1119 06:29:51.636440       1 conditions.go:201] Setting lastTransitionTime for Certificate "getbrightauto-cert" condition "Ready" to 2021-11-19 06:29:51.636401959 +0000 UTC m=+9823.281227652
I1119 06:29:51.710683       1 controller.go:161] cert-manager/controller/certificates-trigger "msg"="re-queuing item due to optimistic locking on resource" "key"="cert-manager/getbrightauto-cert" "error"="Operation cannot be fulfilled on certificates.cert-manager.io \"getbrightauto-cert\": the object has been modified; please apply your changes to the latest version and try again"
I1119 06:29:51.710896       1 trigger_controller.go:181] cert-manager/controller/certificates-trigger "msg"="Certificate must be re-issued" "key"="cert-manager/getbrightauto-cert" "message"="Issuing certificate as Secret does not exist" "reason"="DoesNotExist"
I1119 06:29:51.710938       1 conditions.go:201] Setting lastTransitionTime for Certificate "getbrightauto-cert" condition "Issuing" to 2021-11-19 06:29:51.710928378 +0000 UTC m=+9823.355754057
I1119 06:29:51.864458       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "getbrightauto-cert-9cq6z" condition "Approved" to 2021-11-19 06:29:51.86445152 +0000 UTC m=+9823.509277212
I1119 06:29:51.890542       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "getbrightauto-cert-9cq6z" condition "Ready" to 2021-11-19 06:29:51.890529646 +0000 UTC m=+9823.535355334
I1119 06:29:51.900851       1 conditions.go:261] Setting lastTransitionTime for CertificateRequest "getbrightauto-cert-9cq6z" condition "Ready" to 2021-11-19 06:29:51.900844807 +0000 UTC m=+9823.545670484
I1119 06:29:51.907289       1 controller.go:161] cert-manager/controller/certificaterequests-issuer-acme "msg"="re-queuing item due to optimistic locking on resource" "key"="cert-manager/getbrightauto-cert-9cq6z" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"getbrightauto-cert-9cq6z\": the object has been modified; please apply your changes to the latest version and try again"
E1119 06:29:59.641932       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="read udp 10.244.7.159:43347->192.168.20.31:53: read: connection refused" "dnsName"="getbrightauto.com" "resource_kind"="Challenge" "resource_name"="getbrightauto-cert-9cq6z-2473526240-1001066544" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E1119 06:29:59.660499       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="read udp 10.244.7.159:42189->192.168.20.31:53: read: connection refused" "dnsName"="getbrightauto.com" "resource_kind"="Challenge" "resource_name"="getbrightauto-cert-9cq6z-2473526240-1001066544" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E1119 06:29:59.671445       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="read udp 10.244.7.159:57988->192.168.20.31:53: read: connection refused" "dnsName"="getbrightauto.com" "resource_kind"="Challenge" "resource_name"="getbrightauto-cert-9cq6z-2473526240-1001066544" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E1119 06:30:19.881627       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="dial tcp 192.168.20.31:53: connect: connection refused" "dnsName"="getbrightauto.com" "resource_kind"="Challenge" "resource_name"="getbrightauto-cert-9cq6z-2473526240-1001066544" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E1119 06:30:19.903955       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="read udp 10.244.7.159:56614->192.168.20.31:53: read: connection refused" "dnsName"="getbrightauto.com" "resource_kind"="Challenge" "resource_name"="getbrightauto-cert-9cq6z-2473526240-1001066544" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
I1119 06:30:19.913668       1 controller.go:161] cert-manager/controller/challenges "msg"="re-queuing item due to optimistic locking on resource" "key"="cert-manager/getbrightauto-cert-9cq6z-2473526240-1001066544" "error"="Operation cannot be fulfilled on challenges.acme.cert-manager.io \"getbrightauto-cert-9cq6z-2473526240-1001066544\": the object has been modified; please apply your changes to the latest version and try again"
E1119 06:30:19.915387       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="read udp 10.244.7.159:57178->192.168.20.31:53: read: connection refused" "dnsName"="getbrightauto.com" "resource_kind"="Challenge" "resource_name"="getbrightauto-cert-9cq6z-2473526240-1001066544" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E1119 06:30:19.926516       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="read udp 10.244.7.159:46034->192.168.20.31:53: read: connection refused" "dnsName"="getbrightauto.com" "resource_kind"="Challenge" "resource_name"="getbrightauto-cert-9cq6z-2473526240-1001066544" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
kubectl describe certificaterequests.cert-manager.io getbrightauto-cert-9cq6z -n cert-manager

OrderPending Waiting on certificate issuance from order cert-manager/getbrightauto-cert-9cq6z-24735

kubectl describe order getbrightauto-cert-9cq6z-2473526240 -n cert-manager
Status:
  Authorizations:
    Challenges:
      Token:        Un7TMPRu0UJDjPbqD-8Rd5pYDp1KUA02jmyBZG_fKl0
      Type:         dns-01
      URL:          https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/974003918/Y0LoTA
    Identifier:     getbrightauto.com
    Initial State:  pending
    URL:            https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/974003918
    Wildcard:       true
  Finalize URL:     https://acme-staging-v02.api.letsencrypt.org/acme/finalize/34217178/1056679278
  State:            pending
  URL:              https://acme-staging-v02.api.letsencrypt.org/acme/order/34217178/1056679278

Is this problem due to network settings? Where should I check? I tested with a dnsutil pod in the same namespace, which can resolve google.com to an IP.

-- Makkenac
cert-manager
kubernetes

0 Answers
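Added example, not code from the question or from cert-manager. It reproduces the resolution path behind the "propagation check" that produced the log lines above: before cert-manager asks the ACME server to validate a DNS-01 challenge, it locates the zone owning the challenge name by walking up the labels until a SOA answer comes back, fetches that zone's NS records, resolves each NS host through the pod's own resolver (cluster DNS, per /etc/resolv.conf) and then queries the resulting address directly on port 53 for the _acme-challenge TXT record. The address in the log (192.168.20.31:53) is therefore whatever cluster DNS answered for the zone's nameserver host, not the cluster DNS server itself. The in-memory zone, the NS host name, the SOA data and the TXT value are constructed to mirror the question and are assumptions; the `dig` backend assumes dig is installed.

```python
"""Reproduce the resolution path behind cert-manager's DNS-01 propagation check.

Added example, not cert-manager's own code. The in-memory zone below is
constructed to mirror the question; the NS host name, SOA data and TXT value
are assumptions.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# lookup(name, rrtype, server) -> answer strings. server=None means "use the
# system resolver"; otherwise the query goes directly to that address.
Lookup = Callable[[str, str, Optional[str]], List[str]]


def dig_lookup(name: str, rrtype: str, server: Optional[str] = None) -> List[str]:
    """Real backend: shells out to dig (assumes dig is installed). Run it from a
    debug pod in the cert-manager namespace so it sees the same resolv.conf."""
    cmd = ["dig", "+short", "+time=2", "+tries=1"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rrtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def find_zone(fqdn: str, lookup: Lookup) -> str:
    """Walk the labels upward until a name returns a SOA record; that is the zone."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if lookup(candidate, "SOA", None):
            return candidate
    raise LookupError(f"no SOA record found above {fqdn}")


def authoritative_servers(zone: str, lookup: Lookup) -> List[Tuple[str, str]]:
    """NS hosts of the zone, each resolved through the system resolver.
    An unexpected address (a non-DNS node, a split-horizon answer) shows up here."""
    pairs = []
    for ns in lookup(zone, "NS", None):
        for addr in lookup(ns.rstrip(".") + ".", "A", None):  # IPv4 only, for brevity
            pairs.append((ns, addr))
    return pairs


def check_propagation(fqdn: str, expected: str, lookup: Lookup) -> Dict[str, object]:
    """Query every authoritative address directly for the challenge TXT record."""
    zone = find_zone(fqdn, lookup)
    servers = authoritative_servers(zone, lookup)
    results: Dict[str, object] = {}
    for _ns, addr in servers:
        try:
            results[addr] = expected in lookup(fqdn, "TXT", addr)
        except OSError as exc:  # surfaces in cert-manager as "connection refused"
            results[addr] = f"error: {exc}"
    ok = bool(results) and all(v is True for v in results.values())
    return {"zone": zone, "servers": servers, "results": results, "ok": ok}


def make_fake_lookup(ns_addr: str, ns_serves_txt: bool) -> Lookup:
    """Constructed resolver mirroring the question: cluster DNS resolves the zone's
    NS host to ns_addr; only a real DNS server at that address answers the TXT query."""
    system = {
        ("getbrightauto.com.", "SOA"): ["ns-cloud-e1.googledomains.com. hostmaster.example. 1 21600 3600 259200 300"],
        ("getbrightauto.com.", "NS"): ["ns-cloud-e1.googledomains.com."],
        ("ns-cloud-e1.googledomains.com.", "A"): [ns_addr],
    }

    def lookup(name: str, rrtype: str, server: Optional[str]) -> List[str]:
        if server is None:
            return system.get((name, rrtype), [])
        if not ns_serves_txt:  # nothing listens on :53 at that address
            raise ConnectionRefusedError(f"dial udp {server}:53: connection refused")
        if name == "_acme-challenge.getbrightauto.com." and rrtype == "TXT":
            return ["acme-token-placeholder"]
        return []

    return lookup


if __name__ == "__main__":
    fqdn, value = "_acme-challenge.getbrightauto.com.", "acme-token-placeholder"
    # The question's situation: the NS host resolves to a node that is not a DNS server.
    print(check_propagation(fqdn, value, make_fake_lookup("192.168.20.31", ns_serves_txt=False)))
    # After a fix: the NS host resolves to a reachable authoritative server
    # (203.0.113.10 is an RFC 5737 documentation address, not a real nameserver).
    print(check_propagation(fqdn, value, make_fake_lookup("203.0.113.10", ns_serves_txt=True)))
    # Against the live network, from a debug pod: check_propagation(fqdn, value, dig_lookup)
```

To see the real path from inside the cluster, run `check_propagation("_acme-challenge.getbrightauto.com.", "<token>", dig_lookup)` from a pod in the cert-manager namespace, or simply `dig NS getbrightauto.com` followed by `dig A <ns-host>` there: if the nameserver host resolves to 192.168.20.31 through cluster DNS, that is the record to fix (a stub domain, forwarder or split-horizon entry in CoreDNS or the upstream resolver). cert-manager can also be told to skip the authoritative lookup and check only through chosen recursive resolvers with the controller flags `--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 --dns01-recursive-nameservers-only`.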