nabsul/kcert

Error: Auth did not complete in time

0cwa opened this issue · 7 comments

0cwa commented

First time certification, using Digital Ocean Kubernetes 1.22.8-do.1 and:

NGINX Ingress controller
  Release:       v1.2.0
  Build:         a2514768cd282c41f39ab06bda17efefc4bd233a
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.10

{"EventId":0,"LogLevel":"Error","Category":"KCert.Services.RenewalHandler","Message":"Certificate renewal failed.","Exception":"System.Exception: Auth https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2314308814 did not complete in time. Last Response: invalid    at KCert.Services.RenewalHandler.ValidateAuthorizationAsync(String key, String kid, String nonce, Uri authUri) in /build/Services/RenewalHandler.cs:line 111    at KCert.Services.RenewalHandler.RenewCertAsync(String ns, String secretName, String[] hosts) in /build/Services/RenewalHandler.cs:line 45","State":{"Message":"Certificate renewal failed.","{OriginalFormat}":"Certificate renewal failed."}}
{"EventId":0,"LogLevel":"Error","Category":"KCert.Services.KCertClient","Message":"Renewal failed","Exception":"KCert.Models.RenewalException: Auth https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2314308814 did not complete in time. Last Response: invalid  ---\u003E System.Exception: Auth https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2314308814 did not complete in time. Last Response: invalid    at KCert.Services.RenewalHandler.ValidateAuthorizationAsync(String key, String kid, String nonce, Uri authUri) in /build/Services/RenewalHandler.cs:line 111    at KCert.Services.RenewalHandler.RenewCertAsync(String ns, String secretName, String[] hosts) in /build/Services/RenewalHandler.cs:line 45    --- End of inner exception stack trace ---    at KCert.Services.RenewalHandler.RenewCertAsync(String ns, String secretName, String[] hosts) in /build/Services/RenewalHandler.cs:line 57    at KCert.Services.KCertClient.RenewCertAsync(Task prev, String ns, String secretName, String[] hosts, CancellationToken tok) in /build/Services/KCertClient.cs:line 63","State":{"Message":"Renewal failed","{OriginalFormat}":"Renewal failed"}}

Hi, this is usually caused by misconfigured DNS. Have you checked that your domain has an A record set to the correct IP address (this should be the IP address of your load balancer)?

0cwa commented

Yes, that's how it's set up.
Might it have something to do with using Digital Ocean's nameservers?

0cwa commented

Could TTL being set too far in the future affect certification? I know my DNS record was set correctly because I could ping my domain and get a response from the correct load balancer IP.

To double check that routing is working as expected, could you try creating the following ingress in your cluster:

https://gist.github.com/nabsul/a699fc1715939c02652cf88673100652

You'll need to update it with a host name of your own, but then you can test by running commands like this:

curl http://debug.kcert.dev/.well-known/acme-challenge/test/value1
curl http://debug.kcert.dev/.well-known/acme-challenge/test/value2
curl http://debug.kcert.dev/.well-known/acme-challenge/test/value3

If you'd like to experiment with the wait and retry times of kcert, you can do so by changing these two environment variables:

ACME__ValidationWaitTimeSeconds
ACME__ValidationNumRetries

Note: those are double underscores, not single, and it's not case-sensitive if you prefer all-caps.

The default values are here:

kcert/appsettings.json (lines 14 to 15 in fa83022):

"ValidationWaitTimeSeconds": 10,
"ValidationNumRetries": 5,

If neither of these help, you can also get more debug information by watching KCert's live logs while a certificate is being created:

kubectl -n kcert logs -f svc/kcert
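The following is an added example, not KCert's own code, that turns the two checks suggested in this thread into one offline-testable pre-flight script: the A-record check against the load balancer IP, and a probe of the challenge path that the curl test above exercises. It goes one step further than the curl test by comparing the body with the key authorization (token "." JWK thumbprint, per RFC 8555 section 8.1 and RFC 7638), which is the comparison the CA makes before it marks an authorization "valid" or "invalid", and it retries with the same wait/retry knobs as ACME__ValidationWaitTimeSeconds / ACME__ValidationNumRetries (defaults 10 and 5). The host, load balancer IP, token and JWK in the __main__ block are placeholders; resolve(), fetch() and sleep() are injectable so the logic can be exercised without a network.

```python
"""Pre-flight check for an ACME HTTP-01 challenge (added example, not KCert code).

Placeholders: the host, load-balancer IP, token and account JWK under __main__.
resolve(), fetch() and sleep() are injectable so the logic also runs offline.
"""
from __future__ import annotations

import base64
import hashlib
import json
import socket
import time
import urllib.request
from typing import Callable, Optional

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# RFC 7638 thumbprint input: the required public members of each key type.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographically
    ordered, no whitespace. Member order and extras such as 'kid' must not
    change the result."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def default_resolve(host: str) -> set[str]:
    """IPv4 addresses the local resolver returns for the host; empty on NXDOMAIN."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, 80, socket.AF_INET)}
    except socket.gaierror:
        return set()


def default_fetch(url: str) -> Optional[str]:
    """Plain HTTP GET on port 80, where the CA starts; None on any failure."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


def check_dns(host: str, lb_ip: str,
              resolve: Callable[[str], set[str]] = default_resolve) -> tuple[bool, set[str]]:
    """True iff the host resolves to the ingress load balancer's address."""
    addrs = resolve(host)
    return lb_ip in addrs, addrs


def check_challenge(host: str, token: str, account_jwk: dict,
                    wait_seconds: int = 10, num_retries: int = 5,
                    fetch: Callable[[str], Optional[str]] = default_fetch,
                    sleep: Callable[[float], None] = time.sleep) -> tuple[str, int]:
    """Fetch the challenge URL and compare the body with the key authorization.
    Retries with the same knobs as KCert's ACME__ValidationWaitTimeSeconds /
    ACME__ValidationNumRetries. Returns (status, attempts), status being
    'valid' or 'invalid' like the ACME authorization states."""
    expected = key_authorization(token, account_jwk)
    url = f"http://{host}{CHALLENGE_PATH}{token}"
    for attempt in range(1, num_retries + 1):
        body = fetch(url)
        if body is not None and body.strip() == expected:
            return "valid", attempt
        if attempt < num_retries:
            sleep(wait_seconds)
    return "invalid", num_retries


if __name__ == "__main__":
    # Placeholders: substitute your own host, LB IP, token and account JWK.
    HOST, LB_IP, TOKEN = "debug.example.com", "203.0.113.10", "test-token"
    JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
    ok, addrs = check_dns(HOST, LB_IP)
    print(f"DNS {HOST} -> {sorted(addrs)} (expected {LB_IP}): {'ok' if ok else 'MISMATCH'}")
    status, attempts = check_challenge(HOST, TOKEN, JWK)
    print(f"HTTP-01 {status} after {attempts} attempt(s); expected body "
          f"{key_authorization(TOKEN, JWK)}")
```

A "valid" here only proves that the path is reachable from wherever the script runs; the CA validates from its own vantage points, so a DNS record that has propagated locally but not globally, or a firewall that only allows your own source address, can still produce "Last Response: invalid".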

0cwa commented

Thanks! It's working now 🤷

Hi @nabsul
I'm now having the same issue as @0cwa: DNS is good and the app is reachable, however the ACME challenge is timing out.