I am trying to follow the steps in the following document to create a certificate using Certificate Manager:
I have a query regarding "Add the CNAME record to your DNS configuration"
```yaml
createTime: '2024-08-25T03:26:07.788998638Z'
managed:
  authorizationAttemptInfo:
  - domain: <domain>
    state: AUTHORIZING
  dnsAuthorizations:
  - projects/xxxxx/locations/global/dnsAuthorizations/test-dns-auth
  domains:
  - <domain>
  state: PROVISIONING
name: projects/<project>/locations/global/certificates/test-cert
sanDnsnames:
- <domain>
updateTime: '2024-08-25T03:26:08.245783381Z'
```
After some time, I got the message that the authorization has failed:
```yaml
createTime: '2024-08-25T03:26:07.788998638Z'
managed:
  authorizationAttemptInfo:
  - domain: <domain>
    failureReason: CONFIG
    state: FAILED
  dnsAuthorizations:
  - projects/xxxxxxxx/locations/global/dnsAuthorizations/test-dns-auth
  domains:
  - <domain>
  provisioningIssue:
    reason: AUTHORIZATION_ISSUE
  state: PROVISIONING
name: projects/<project>/locations/global/certificates/test-cert
sanDnsnames:
- <domain>
updateTime: '2024-08-25T03:26:08.245783381Z'
```
Where am I going wrong here?
Hi @mountaincode2,
Welcome to Google Cloud Community!
It appears you encountered an issue during authorization. In the message, authorizationAttemptInfo is showing failureReason: CONFIG. This means that there was an issue with your DNS or load balancer configuration. This prevents the Managed Certificate from being issued.
It is best to review your DNS or load balancer configuration for your domain and try again. Please note that you will have to delete and create a new managed certificate resource to try again.
Please refer to the following troubleshooting pages below for more guidance:
Hope this helps.
A crucial part of troubleshooting this issue would be to verify if the DNS record you created in your DNS zone is publicly resolvable. Try to resolve it from your system (using nslookup, dig, host or ping) or online with one of the services like dnschecker and see if the name (_acme-challenge....) resolves to that long string ending in goog.
Hi @AI :
I checked in the console and there is the following; however, it is not ending in `goog`:
What do I need to look for, please? Can you break it down for me?
What is the value for that record? That's what usually ends with ".goog."
Go to dnschecker, edit the name of the record (copy the name of the record from Cloud DNS to avoid mistakes) and click Search to verify if the record is publicly resolvable.
https://dnschecker.org/#CNAME/_acme-challenge.yourdomain.com.
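The check described in the replies above, as an added example that is not part of the original thread: it compares the CNAME name and value shown on the DNS authorization with what a public resolver returns in `dig +noall +answer` output. The record name, the `.goog.` target and the dig output lines are constructed placeholders, and the helper names are hypothetical.

```python
import subprocess

def norm(name):
    # DNS names are case-insensitive; "a.b" and "a.b." name the same node
    return name.strip().lower().rstrip(".")

def parse_answers(dig_output):
    """Parse `dig +noall +answer` lines into (owner, type, rdata) tuples."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";"):
            records.append((norm(fields[0]), fields[3].upper(), norm(fields[4])))
    return records

def check_challenge(expected_name, expected_data, dig_output):
    """Return (ok, reason) for the _acme-challenge CNAME seen by a resolver."""
    cnames = [r for r in parse_answers(dig_output)
              if r[0] == norm(expected_name) and r[1] == "CNAME"]
    if not cnames:
        # Typical when the record lives in a zone that is not authoritative
        # for the domain, or was created under a mistyped name
        return False, "no CNAME published at " + expected_name
    targets = {r[2] for r in cnames}
    if norm(expected_data) not in targets:
        return False, "CNAME points to %s, expected %s" % (sorted(targets), expected_data)
    return True, "CNAME matches the DNS authorization"

def query_public(name, resolver="8.8.8.8"):
    """Live lookup with dig (needs network); the samples below do not use it."""
    result = subprocess.run(["dig", "+noall", "+answer", "@" + resolver, name, "CNAME"],
                            capture_output=True, text=True, check=True)
    return result.stdout

# Constructed sample values, not taken from the thread
EXPECTED_NAME = "_acme-challenge.example.com."
EXPECTED_DATA = "0123abcd-constructed.4.authorize.certificatemanager.goog."
GOOD = "_acme-challenge.example.com. 300 IN CNAME " + EXPECTED_DATA + "\n"
WRONG = "_acme-challenge.example.com. 300 IN CNAME example.com.\n"
EMPTY = ""

if __name__ == "__main__":
    for label, out in (("good", GOOD), ("wrong", WRONG), ("empty", EMPTY)):
        print(label, check_challenge(EXPECTED_NAME, EXPECTED_DATA, out))
```

For a live check, pass `query_public(EXPECTED_NAME)` as the third argument, using the name and value shown on your own DNS authorization.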
In DNS checker, I see that the record is publicly resolvable.
And I am able to see that the certificate is active now as well.
But there is one thing that is eluding my understanding, and that is in the following step: why am I adding the CNAME record to the DNS zone in Cloud DNS? Shouldn't I also add it to my records in Hostinger, from whom I purchased the domain?