Error: Auth did not complete in time
0cwa opened this issue · 7 comments
First time certification, using Digital Ocean Kubernetes 1.22.8-do.1 and:
NGINX Ingress controller
Release: v1.2.0
Build: a2514768cd282c41f39ab06bda17efefc4bd233a
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.19.10
{"EventId":0,"LogLevel":"Error","Category":"KCert.Services.RenewalHandler","Message":"Certificate renewal failed.","Exception":"System.Exception: Auth https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2314308814 did not complete in time. Last Response: invalid at KCert.Services.RenewalHandler.ValidateAuthorizationAsync(String key, String kid, String nonce, Uri authUri) in /build/Services/RenewalHandler.cs:line 111 at KCert.Services.RenewalHandler.RenewCertAsync(String ns, String secretName, String[] hosts) in /build/Services/RenewalHandler.cs:line 45","State":{"Message":"Certificate renewal failed.","{OriginalFormat}":"Certificate renewal failed."}}
{"EventId":0,"LogLevel":"Error","Category":"KCert.Services.KCertClient","Message":"Renewal failed","Exception":"KCert.Models.RenewalException: Auth https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2314308814 did not complete in time. Last Response: invalid ---\u003E System.Exception: Auth https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2314308814 did not complete in time. Last Response: invalid at KCert.Services.RenewalHandler.ValidateAuthorizationAsync(String key, String kid, String nonce, Uri authUri) in /build/Services/RenewalHandler.cs:line 111 at KCert.Services.RenewalHandler.RenewCertAsync(String ns, String secretName, String[] hosts) in /build/Services/RenewalHandler.cs:line 45 --- End of inner exception stack trace --- at KCert.Services.RenewalHandler.RenewCertAsync(String ns, String secretName, String[] hosts) in /build/Services/RenewalHandler.cs:line 57 at KCert.Services.KCertClient.RenewCertAsync(Task prev, String ns, String secretName, String[] hosts, CancellationToken tok) in /build/Services/KCertClient.cs:line 63","State":{"Message":"Renewal failed","{OriginalFormat}":"Renewal failed"}}
Hi, this is often caused by misconfigured DNS. Have you checked that your domain has an A record set to the correct IP address (this should be the IP address of your load balancer)?
Yes, that's how it's set up.
Might it have something to do with using Digital Ocean's nameservers?
Could the TTL being set too far in the future affect certification? I know my DNS record was set correctly because I could ping my domain and get a response from the correct load balancer IP.
To double check that routing is working as expected, could you try creating the following ingress in your cluster:
https://gist.github.com/nabsul/a699fc1715939c02652cf88673100652
You'll need to update it with a host name of your own, but then you can test by running commands like this:
curl http://debug.kcert.dev/.well-known/acme-challenge/test/value1
curl http://debug.kcert.dev/.well-known/acme-challenge/test/value2
curl http://debug.kcert.dev/.well-known/acme-challenge/test/value3
If you'd like to experiment with the wait and retry times of kcert, you can do so by changing these two environment variables:
ACME__ValidationWaitTimeSeconds
ACME__ValidationNumRetries
Note: Those are double underscores, not single, and it's not case-sensitive if you prefer all caps.
The default values are here:
Lines 14 to 15 in fa83022
If neither of these help, you can also get more debug information by watching KCert's live logs while a certificate is being created:
kubectl -n kcert logs -f svc/kcert
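As an added example (not part of the original thread and not KCert's own code), the script below automates the two checks the maintainer describes above before an ACME validation is attempted: that every A record for the host points at the ingress load balancer, and that the plain-HTTP `/.well-known/acme-challenge/<token>` path on that host is reachable and returns the expected body. The host name `debug.example.com`, the load balancer IP `203.0.113.10`, the token `test/value1` and the body `value1` are hypothetical placeholders; the resolver and fetcher are injectable so the decision logic can be exercised without network access.

```python
# Added example (not KCert's own code): a pre-flight check for the two failure
# points discussed in this thread before asking the CA to validate a host.
#   1. DNS: every A record for the host must point at the ingress load balancer.
#   2. HTTP-01 path: http://<host>/.well-known/acme-challenge/<token> must be
#      reachable over plain HTTP and return the expected body.
# Host names, IPs and tokens below are hypothetical placeholders.
import socket
import urllib.error
import urllib.request

ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve_a_records(host):
    """Return the sorted, de-duplicated IPv4 A records for host ([] on NXDOMAIN)."""
    try:
        _, _, ips = socket.gethostbyname_ex(host)
    except socket.gaierror:
        return []
    return sorted(set(ips))


def dns_points_at(resolved_ips, load_balancer_ip):
    """True only if the host resolves and *every* A record is the load balancer.

    A stray extra record (for example an old server still in DNS) makes the
    CA's validation request land on the wrong machine some of the time.
    """
    return bool(resolved_ips) and all(ip == load_balancer_ip for ip in resolved_ips)


def challenge_url(host, token):
    """HTTP-01 validation is always plain HTTP on port 80, never HTTPS."""
    return f"http://{host}{ACME_CHALLENGE_PREFIX}{token}"


def fetch_challenge(host, token, timeout=10):
    """GET the challenge URL; returns (status, body) or (None, error text)."""
    req = urllib.request.Request(challenge_url(host, token), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # HTTPError is raised for 4xx/5xx; keep the status so the report shows it.
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


def body_matches(body, expected):
    """The CA compares the response body to the expected string exactly,
    tolerating only trailing whitespace."""
    return body.rstrip() == expected


def preflight(host, load_balancer_ip, token, expected_body,
              resolver=resolve_a_records, fetcher=fetch_challenge):
    """Run both checks and return a report dict; 'ok' is True only if both pass.

    resolver/fetcher are injectable so the logic can be tested offline.
    """
    ips = resolver(host)
    dns_ok = dns_points_at(ips, load_balancer_ip)
    status, body = fetcher(host, token)
    http_ok = status == 200 and body_matches(body, expected_body)
    return {
        "host": host,
        "resolved": ips,
        "dns_ok": dns_ok,
        "status": status,
        "http_ok": http_ok,
        "ok": dns_ok and http_ok,
    }


if __name__ == "__main__":
    # Hypothetical values: replace with your own host, your load balancer IP,
    # and the path/body served by the debug ingress linked in the thread.
    report = preflight("debug.example.com", "203.0.113.10", "test/value1", "value1")
    for key, value in report.items():
        print(f"{key}: {value}")
```

If `dns_ok` is False while `ping` appears to work, compare the full A record set (`resolved`) with the load balancer address: an old record alongside the correct one is enough to make some validation attempts fail. If `dns_ok` is True but `http_ok` is False, the ingress routing for the challenge path is the problem, which is what the debug ingress and the `curl` commands above isolate.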
Thanks! It's working now 🤷