Google Certificate Manager - AUTHORIZATION_ISSUE - Failure Reason : CONFIG

Google Cloud Cloud Foundations & Onboarding
1

Hello everyone,

Here’s my problem, i’ve created a wildcard certificate for my domain’s name with google certificate manager. These certificate has been valided a first time, on Sep 3, 2023, 5:14:47 PM, they will expire soon, and the auto-renew won’t work. It throws me the status “failed”. When i got more information on gcloud cli with this command :

gcloud --project=project certificate-manager certificates describe prod-cert-wildcard

I got this outpout :

createTime: '2023-09-03T15:14:45.431133477Z'
expireTime: '2024-01-30T04:41:26Z'
managed:
  authorizationAttemptInfo:
  - domain: '*.domain.com'
    failureReason: CONFIG
    state: FAILED
  dnsAuthorizations:
  - projects/XXXXXXX/locations/global/dnsAuthorizations/dns-auth-prod
  domains:
  - '*.domain.com'
  provisioningIssue:
    reason: AUTHORIZATION_ISSUE
  state: PROVISIONING
name: projects/XXXXX/locations/global/certificates/prod-cert-wildcard

What does mean “FailureReason : CONFIG”, if it’s the DNS CNAME : _acme-challenge.domain.com, i don’t changed it, and it’s the same as the creation.

Following the docs, they say to use CAA,

And I can’t renew it because it’s attached to my load balancer, destroying it and recreate it will produce downtime to my architecture…

Why it’s been validated before and not now?

Is there’s a way to relaunch the verification for certificate with the cloud CLI, have more information about why the renewal was not good?

2

Hi @ThibaultS ,

You may need to check the CNAME record values and make sure they match the values provided during the certificate creation. It’s possible that there was an error in copying the values or that there’s a typo. Another thing is, inspect the details of the DNS authorization attempt (projects/XXXXXXX/locations/global/dnsAuthorizations/dns-auth-prod). Are there any specific error messages or details about why the authorization failed? It should be able to provide details of the error.

You can also check the Certificate Manager logs as it can also provide details on the specific issue causing the authorization failure.

There isn’t a direct command to “re-verify” or “re-launch” the verification process for a certificate renewal.

When renewing a certificate, the usual procedure involves going through the same authorization steps as when the certificate was initially created.

gcloud logging read "resource.type=certificate" --project=your-project-id --limit=10

Check the logs or error messages related to the renewal attempt using the command above.

gcloud --project=your-project-id certificate-manager dns-authorizations describe dns-auth-prod

By using the gcloud command above, you can verify the status of authorization attempts using the dnsAuthorizations details. Replace your-project-id and dns-auth-prod with your project ID and authorization ID.

I also recommend you to contact Google Cloud Support as they can inspect your project further and determine what causes the issue.