Google Certificate Manager - AUTHORIZATION_ISSUE - Failure Reason : CONFIG

Hello everyone,

Here's my problem: I've created a wildcard certificate for my domain name with Google Certificate Manager. This certificate was validated a first time, on Sep 3, 2023, 5:14:47 PM; it will expire soon, and the auto-renew won't work. It gives me the status "failed". When I got more information from the gcloud CLI with this command:

gcloud --project=project certificate-manager certificates describe prod-cert-wildcard

I got this output:

createTime: '2023-09-03T15:14:45.431133477Z'
expireTime: '2024-01-30T04:41:26Z'
managed:
  authorizationAttemptInfo:
  - domain: '*.domain.com'
    failureReason: CONFIG
    state: FAILED
  dnsAuthorizations:
  - projects/XXXXXXX/locations/global/dnsAuthorizations/dns-auth-prod
  domains:
  - '*.domain.com'
  provisioningIssue:
    reason: AUTHORIZATION_ISSUE
  state: PROVISIONING
name: projects/XXXXX/locations/global/certificates/prod-cert-wildcard

What does "FailureReason : CONFIG" mean? If it's about the DNS CNAME _acme-challenge.domain.com, I haven't changed it, and it's the same as at creation.

Following the docs, they say to use CAA,

And I can't renew it because it's attached to my load balancer; destroying it and recreating it will cause downtime to my architecture…

Why was it validated before and not now?

Is there a way to relaunch the verification for the certificate with the Cloud CLI, or to get more information about why the renewal didn't work?


Hi @ThibaultS,


@ThibaultS wrote:

What does "FailureReason : CONFIG" mean? If it's about the DNS CNAME _acme-challenge.domain.com, I haven't changed it, and it's the same as at creation.


You may need to check the CNAME record values and make sure they match the values provided during the certificate creation. It's possible that there was an error in copying the values, or that there's a typo. Another thing: inspect the details of the DNS authorization attempt (projects/XXXXXXX/locations/global/dnsAuthorizations/dns-auth-prod). Are there any specific error messages or details about why the authorization failed? It should be able to provide details of the error.

You can also check the Certificate Manager logs as it can also provide details on the specific issue causing the authorization failure.


@ThibaultS wrote:

And I can't renew it because it's attached to my load balancer; destroying it and recreating it will cause downtime to my architecture…

Why was it validated before and not now?

Is there a way to relaunch the verification for the certificate with the Cloud CLI, or to get more information about why the renewal didn't work?


There isn't a direct command to "re-verify" or "re-launch" the verification process for a certificate renewal.

When renewing a certificate, the usual procedure involves going through the same authorization steps as when the certificate was initially created.

gcloud logging read "resource.type=certificate" --project=your-project-id --limit=10

Check the logs or error messages related to the renewal attempt using the command above.

gcloud --project=your-project-id certificate-manager dns-authorizations describe dns-auth-prod

By using the gcloud command above, you can verify the status of authorization attempts using the dnsAuthorizations details. Replace your-project-id and dns-auth-prod with your project ID and authorization ID.

I also recommend that you contact Google Cloud Support, as they can inspect your project further and determine what is causing the issue.
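An offline check, added here and not part of either post, that compares the CNAME the DNS authorization expects with what the zone actually serves. It assumes the `dns-authorizations describe` output carries the expected record in a `dnsResourceRecord` block (name, type, data); the values below are constructed placeholders, and the observed answers would come from something like `dig +short CNAME _acme-challenge.domain.com`. It separates the record mismatches the reply suggests checking: missing record, wrong type, wrong target, or the right target published under the wrong label, while treating case and trailing-dot differences as equal.

```python
"""Diagnose a Certificate Manager DNS-authorization CNAME mismatch offline."""

# Expected record, as I understand the dnsResourceRecord block printed by
#   gcloud certificate-manager dns-authorizations describe dns-auth-prod
# (constructed placeholder values, not from a real project).
EXPECTED = {
    "name": "_acme-challenge.domain.com.",
    "type": "CNAME",
    "data": "0123abcd-example.4.authorize.certificatemanager.goog.",
}


def normalize(fqdn: str) -> str:
    """Lower-case and drop the trailing dot so 'A.B.' compares equal to 'a.b'."""
    return fqdn.strip().lower().rstrip(".")


def diagnose(expected: dict, zone: dict) -> str:
    """Compare the expected CNAME with the records DNS actually serves.

    `zone` maps an owner name to the (type, value) pairs observed for it, e.g.
    the answers from `dig +short <type> <name>` for each name you looked up.
    Returns OK, MISSING, or a WRONG_LABEL / WRONG_TYPE / WRONG_TARGET message.
    """
    want_name = normalize(expected["name"])
    want_data = normalize(expected["data"])
    observed = {
        normalize(name): [(rtype.upper(), normalize(value)) for rtype, value in rrs]
        for name, rrs in zone.items()
    }
    rrs = observed.get(want_name, [])
    if not rrs:
        # Frequent slip: the right target was created under a different label.
        for name, other in observed.items():
            if any(value == want_data for _, value in other):
                return f"WRONG_LABEL: target found at {name}, expected at {want_name}"
        return "MISSING"
    for rtype, value in rrs:
        if rtype == "CNAME" and value == want_data:
            return "OK"
    types = {rtype for rtype, _ in rrs}
    if "CNAME" not in types:
        return f"WRONG_TYPE: found {sorted(types)}, need CNAME"
    targets = ", ".join(value for rtype, value in rrs if rtype == "CNAME")
    return f"WRONG_TARGET: {targets}"
```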