Cert-manager: CloudFlare Dns01 re-queuing item due to error processing" "error"="Could not find the start of authority

Created on 18 Oct 2019 · 2 Comments · Source: jetstack/cert-manager

Bugs should be filed for issues encountered whilst operating cert-manager.
You should first attempt to resolve your issues through the community support
channels, e.g. Slack, in order to rule out individual configuration errors.
Please provide as much detail as possible.

Describe the bug:
dns challenge stuck in pending status forever due to error "Could not find the start of authority"
Using CloudFlare as dns management

I verified the SOA record; the nameservers are displayed when I run nslookup.

Here are my YAML files. Do I have any configuration issue?
Here is the Issuer file
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: acme-issuer-dnschallengeendtoend
  namespace: cert-manager
spec:
  acme:
    email: [email protected]
    server: https://acmeUrlhere/v2/DV
    privateKeySecretRef:
      name: secret
    solvers:
    - dns01:
        cloudflare:
          email: [email protected]
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key

Here is the certificate file
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: cert-manager
spec:
  secretName: example-com-tls
  dnsNames:
  - example.com
  issuerRef:
    name: acme-issuer-dnschallengeendtoend
    kind: ClusterIssuer

Here I attached the log file as well
1018 17:03:25.676603 1 controller.go:135] cert-manager/controller/orders "level"=0 "msg"="finished processing work item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890"
I1018 17:03:25.676207 1 logger.go:68] Calling GetChallenge
I1018 17:03:29.775064 1 controller.go:129] cert-manager/controller/orders "level"=0 "msg"="syncing item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890"
I1018 17:03:29.775379 1 logger.go:98] Calling DNS01ChallengeRecord
I1018 17:03:29.775514 1 sync.go:155] cert-manager/controller/orders "level"=0 "msg"="No action taken" "resource_kind"="Order" "resource_name"="dnschallengesectigol-ml-1225831616-4263745890" "resource_namespace"="cert-manager"
I1018 17:03:29.775561 1 controller.go:135] cert-manager/controller/orders "level"=0 "msg"="finished processing work item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890"
I1018 17:03:29.777122 1 controller.go:135] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:03:29.777175 1 controller.go:129] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:03:29.777578 1 dns.go:106] cert-manager/controller/challenges/Present "level"=0 "msg"="presenting DNS01 challenge for domain" "dnsName"="dnschallengesectigo.ml" "domain"="dnschallengesectigo.ml" "resource_kind"="Challenge" "resource_name"="dnschallengesectigol-ml-1225831616-4263745890-1665173357" "resource_namespace"="cert-manager" "type"="dns-01"
I1018 17:03:29.787215 1 controller.go:129] cert-manager/controller/orders "level"=0 "msg"="syncing item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890"
I1018 17:03:29.787616 1 logger.go:98] Calling DNS01ChallengeRecord
I1018 17:03:29.787753 1 sync.go:155] cert-manager/controller/orders "level"=0 "msg"="No action taken" "resource_kind"="Order" "resource_name"="dnschallengesectigol-ml-1225831616-4263745890" "resource_namespace"="cert-manager"
I1018 17:03:29.787926 1 controller.go:135] cert-manager/controller/orders "level"=0 "msg"="finished processing work item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890"
E1018 17:03:29.791643 1 controller.go:131] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="Could not find the start of authority" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:03:29.791685 1 controller.go:129] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:03:29.792006 1 dns.go:106] cert-manager/controller/challenges/Present "level"=0 "msg"="presenting DNS01 challenge for domain" "dnsName"="dnschallengesectigo.ml" "domain"="dnschallengesectigo.ml" "resource_kind"="Challenge" "resource_name"="dnschallengesectigol-ml-1225831616-4263745890-1665173357" "resource_namespace"="cert-manager" "type"="dns-01"
E1018 17:03:29.794203 1 controller.go:131] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="Could not find the start of authority" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:03:34.793646 1 controller.go:129] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:03:34.794078 1 dns.go:106] cert-manager/controller/challenges/Present "level"=0 "msg"="presenting DNS01 challenge for domain" "dnsName"="dnschallengesectigo.ml" "domain"="dnschallengesectigo.ml" "resource_kind"="Challenge" "resource_name"="dnschallengesectigol-ml-1225831616-4263745890-1665173357" "resource_namespace"="cert-manager" "type"="dns-01"
E1018 17:03:34.797682 1 controller.go:131] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="Could not find the start of authority" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:03:54.798760 1 controller.go:129] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:03:54.799312 1 dns.go:106] cert-manager/controller/challenges/Present "level"=0 "msg"="presenting DNS01 challenge for domain" "dnsName"="dnschallengesectigo.ml" "domain"="dnschallengesectigo.ml" "resource_kind"="Challenge" "resource_name"="dnschallengesectigol-ml-1225831616-4263745890-1665173357" "resource_namespace"="cert-manager" "type"="dns-01"
E1018 17:03:54.801436 1 controller.go:131] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="Could not find the start of authority" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:04:34.802120 1 controller.go:129] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:04:34.803319 1 dns.go:106] cert-manager/controller/challenges/Present "level"=0 "msg"="presenting DNS01 challenge for domain" "dnsName"="dnschallengesectigo.ml" "domain"="dnschallengesectigo.ml" "resource_kind"="Challenge" "resource_name"="dnschallengesectigol-ml-1225831616-4263745890-1665173357" "resource_namespace"="cert-manager" "type"="dns-01"
E1018 17:04:34.824939 1 controller.go:131] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="Could not find the start of authority" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:05:54.827186 1 controller.go:129] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"
I1018 17:05:54.828249 1 dns.go:106] cert-manager/controller/challenges/Present "level"=0 "msg"="presenting DNS01 challenge for domain" "dnsName"="dnschallengesectigo.ml" "domain"="dnschallengesectigo.ml" "resource_kind"="Challenge" "resource_name"="dnschallengesectigol-ml-1225831616-4263745890-1665173357" "resource_namespace"="cert-manager" "type"="dns-01"
E1018 17:05:54.833893 1 controller.go:131] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="Could not find the start of authority" "key"="cert-manager/dnschallengesectigol-ml-1225831616-4263745890-1665173357"

Expected behaviour:
DNS01 challenge should be triggered properly

Steps to reproduce the bug:
Steps to reproduce the bug should be clear and easily reproducible to help people
gain an understanding of the problem.

Environment details:

  • Kubernetes version (e.g. v1.16.0):
  • Cloud-provider: CloudFlare
  • cert-manager version (e.g. v0.11.0):
  • Install method : static manifests

/kind bug

kinbug

All 2 comments

Does anyone have the same issue here?

Finally found the solution.
Somehow minikube screwed up the DNS, so any request inside the jetstack manager container cannot be sent to the outside world.
In order to make it work, run the command "kubectl -n kube-system edit configmap coredns"
and edit the line in the configmap from forward . /etc/resolv.conf to forward . 1.1.1.1 or any public nameserver, so that pods inside minikube can make a handshake with the real world.
My issue was specific because I was using a private ACME server, so I had to add a host record in the configmap of coredns as well.
For more information about this, please read this link: https://github.com/coredns/coredns/tree/master/plugin/hosts
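
The fix above comes down to whether pods can resolve public DNS through the cluster resolver. As an added example (not part of the original comment and not cert-manager's code), this Python script checks that from inside a pod by asking a resolver for the SOA record of the challenge name and then of each parent name in turn. The function names, the error text and the command-line arguments are assumptions made for the example.

```python
import socket
import struct
import sys

SOA = 6  # DNS RR type: start of authority


def build_query(name, qtype=SOA, txid=0x1234):
    """Encode a one-question DNS query (class IN, recursion desired)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def udp_lookup(name, server, timeout=3.0):
    """Return (rcode, answer_count), or None if the resolver never answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout, no route, port unreachable
            return None
    if len(reply) < 12:  # shorter than a DNS header
        return None
    _, flags, _, ancount = struct.unpack(">HHHH", reply[:8])
    return flags & 0x000F, ancount


def find_zone(fqdn, lookup):
    """Strip labels from the left until a name answers the SOA query.

    Simplification: any NOERROR reply with answers counts as a hit; a
    stricter check would parse the answer and confirm its type is SOA.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        result = lookup(candidate)
        if result and result[0] == 0 and result[1] > 0:
            return candidate
    raise LookupError(f"no SOA answer for any parent of {fqdn}")


if __name__ == "__main__":
    # usage (assumed): python3 soa_check.py <challenge-fqdn> <resolver-ip>
    fqdn, server = sys.argv[1], sys.argv[2]
    print(find_zone(fqdn, lambda name: udp_lookup(name, server)))
```

Run it in a pod with the nameserver from that pod's /etc/resolv.conf as the second argument. If it raises before the CoreDNS change and prints the zone afterwards, cluster DNS forwarding was the cause.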
