Fix unregulated retries with the DigitalOcean, Azure DNS, and AWS Route53 DNS-01 solver by wallrj-cyberark · Pull Request #8221 · cert-manager/cert-manager

wallrj-cyberark · 2025-10-31T11:18:47Z

Fixes: #8166
Fixes: #6230

I've moved the error-message "stabilization" closer to the place where it is needed; so that it is clearer that redaction is only necessary for certain error messages and only where they are used in the Challenge.Status.Reason value.
This has the added benefit that the unredacted errors can be added to events, where previously, the user would have to examine the logs to see the trace IDs and response details for debugging.

⚠️ Note on Design Intent

This PR stabilizes error messages from certain DNS providers to prevent the ACME challenge controller from re-reconciling challenges too frequently. The root issue is that the controller reacts to any change in status.Reason, including unique error content like UIDs, triggering rapid reprocessing.

While this workaround builds on a pattern we maintainers introduced years ago (e.g., AWS Route53) and later endorsed (e.g., Azure DNS), it’s not an architectural decision. Internally, we’ve long questioned this approach and discussed alternatives—like ignoring status-only updates in the informer/workqueue—but haven’t had bandwidth to pursue them.

A proper fix is planned in a follow-up PR: challenges should only be immediately reconciled when Challenge.Spec changes, and errors should trigger backoff-based retries. This can be achieved by checking metadata.generation.

I’ve avoided introducing inversion-of-control here to keep this workaround lightweight and clearly temporary. Once the proper fix lands, this logic can be removed.

Replaced provider-level custom normalization with centralized handling in pkg/controller/acmechallenges/sync.go.
Switched some fmt.Errorf("%s", err) calls to %w so errors can be inspected with errors.As.
Removed duplicated logic from Azure/Route53 provider code.

/kind cleanup

Fix unregulated retries with the DigitalOcean DNS-01 solver
Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging

xrefs

This PR supplants fix incorrect error handling in route53 dns provider #8167. I have come to agree with @Peac36 that all the errors should be wrapped with %w. I originally considered it a leak abstraction, but this PR is an example of a case where it is useful to be able to reach the wrapped errors from a higher function. Afterall, redacting the errors in the lower functions so as not to cause problems for the parent reconciler is also a leaky abstraction.
The stabilization of DigitalOcean ErrorResponse should prevent the rapid API requests and stabilize the unique error responses reported by @maaft in DigitalOcean: cert-manager DDoSes DNS-01 solver - infinite rate limiting #6230
The error message stabilization in this PR is an alternative to the retry-with-backoff mechanism proposed by @dunglas in: feat: exponential backoff for DigitalOcean API calls #8205
The stabilization should address the rapid API requests and error responses reported by @sdudley in Wildcard certificates not being resolved correctly. #3848 (comment)

Testing

I've built Docker images from this branch and published them to my GitHub packages:

make ko-images-push KO_REGISTRY=ghcr.io/wallrj-cyberark

crane ls ghcr.io/wallrj-cyberark/cert-manager-controller

Install cert-manager:

helm upgrade test cert-manager \
  --repo https://charts.jetstack.io \
  --version 1.19.1 \
  --install \
  --create-namespace \
  --namespace cert-manager \
  --set global.logLevel=4 \
  --set crds.enabled=true \
  --set image.repository=ghcr.io/wallrj-cyberark/cert-manager-controller \
  --set image.tag=v1.19.0-51-g52737d18b2f780

Create an AWS Route 53 Issuer with a bad credential:

# resources.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ${EMAIL_ADDRESS}
    profile: tlsserver
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        route53:
          region: us-east-2
          accessKeyIDSecretRef:
            name: aws-credentials
            key: AWS_ACCESS_KEY_ID
          secretAccessKeySecretRef:
            name: aws-credentials
            key: AWS_SECRET_ACCESS_KEY
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www
spec:
  secretName: www-tls
  privateKey:
    rotationPolicy: Always
  commonName: www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net
  dnsNames:
    - www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
    group: cert-manager.io

export EMAIL_ADDRESS=test@my-domain.com
envsubst < resources.yaml | kubectl apply -f -

Observe the redacted error in the Reason field and the actual errors in the events and notice the backoff interval between the events.

$ kubectl describe challenges.acme.cert-manager.io
Name:         www-1-3309209053-3014772441
Namespace:    default
...
Status:
  Presented:   false
  Processing:  true
  Reason:      failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, <redacted AWS SDK error: http.ResponseError: see events and logs for details>
  State:       pending
Events:
  Type     Reason        Age   From                     Message
  ----     ------        ----  ----                     -------
  Normal   Started       38s   cert-manager-challenges  Challenge scheduled for processing
  Warning  PresentError  37s   cert-manager-challenges  Error presenting challenge: failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 7c31c507-4343-4b75-bb99-d60450e3d212, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
  Warning  PresentError  36s   cert-manager-challenges  Error presenting challenge: failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 430c4ecc-b425-45f8-84a8-683656c6ad76, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
  Warning  PresentError  31s   cert-manager-challenges  Error presenting challenge: failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 0ea176f9-e187-4ba0-a094-d269012ad7e6, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
  Warning  PresentError  10s   cert-manager-challenges  Error presenting challenge: failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 0bc17599-ebf1-4d0c-8e58-446c57bd3c22, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

And observe the detailed errors in the logs:

$ kubectl -n cert-manager logs deployments/test-cert-manager --follow
...
I1031 17:37:08.984077       1 controller.go:144] "syncing item" logger="cert-manager.controller"
I1031 17:37:08.984183       1 dns.go:296] "preparing to create Route53 provider" logger="cert-manager.controller.Present.solverForChallenge" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net" type="DNS-01" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" domain="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net"
I1031 17:37:08.991507       1 route53.go:139] "not using ambient credentials" logger="cert-manager.controller.Present" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net" type="DNS-01" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" domain="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net"
I1031 17:37:08.991709       1 route53.go:195] "loaded-config" logger="cert-manager.controller.Present" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net" type="DNS-01" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" domain="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net" defaults-mode="legacy" region="us-east-2" runtime-environment={"EnvironmentIdentifier":"","Region":"","EC2InstanceMetadataRegion":""}
I1031 17:37:08.991771       1 dns.go:104] "presenting DNS01 challenge for domain" logger="cert-manager.controller.Present" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net" type="DNS-01" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" domain="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net"
I1031 17:37:09.107720       1 wait.go:376] "Caching DNS response" logger="cert-manager.controller.Present" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net" type="DNS-01" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" domain="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net" fqdn="_acme-challenge.www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net." ttl=5
I1031 17:37:09.108863       1 route53.go:85] "Request\nGET /2013-04-01/hostedzonesbyname?dnsname=richard-gcp.jetstacker.net HTTP/1.1\r\nHost: route53.amazonaws.com\r\nUser-Agent: aws-sdk-go-v2/1.39.2 ua/2.1 os/linux lang/go#1.25.1 md/GOOS#linux md/GOARCH#amd64 api/route53#1.58.4 cert-manager/cert-manager-challenges-canary--linux-amd64--cert-manager- m/E,e\r\nAmz-Sdk-Invocation-Id: 265785f0-e326-4b35-a118-851f8884fa48\r\nAmz-Sdk-Request: attempt=1; max=3\r\nAuthorization: AWS4-HMAC-SHA256 Credential=AKIAU3SWGEVCHUA6BE45/20251031/us-east-1/route53/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;host;x-amz-date, Signature=ce210bd13d5a5eccc5c6e10f415b9c222443064ba68d30f3a2be85800ddc5b38\r\nX-Amz-Date: 20251031T173709Z\r\nAccept-Encoding: gzip\r\n\r\n" logger="cert-manager.controller.Present" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net" type="DNS-01" resource_name="www-1-3309209053-3014772441" resource_namespace="default" resource_kind="Challenge" resource_version="v1" domain="www.cert-manager-aws-tutorial.richard-gcp.jetstacker.net" aws-classification="DEBUG"
E1031 17:37:09.747142       1 controller.go:157] "re-queuing item due to error processing" err="failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 3c80746d-a458-44fc-8f24-917e3a7f4f01, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details." logger="cert-manager.controller"
I1031 17:37:09.747270       1 logs.go:185] "Event(v1.ObjectReference{Kind:\"Challenge\", Namespace:\"default\", Name:\"www-1-3309209053-3014772441\", UID:\"6045ec60-43b1-43cb-94a2-026cab843b0e\", APIVersion:\"acme.cert-manager.io/v1\", ResourceVersion:\"7027\", FieldPath:\"\"}): type: 'Warning' reason: 'PresentError' Error presenting challenge: failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 3c80746d-a458-44fc-8f24-917e3a7f4f01, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details." logger="cert-manager.controller"

cert-manager-prow · 2025-10-31T11:18:50Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Copilot

Pull Request Overview

This PR refactors error handling for AWS Route53 and Azure DNS providers by removing custom error stabilization logic and consolidating it into a centralized location. The changes ensure that error messages remain stable (without unique request IDs) to prevent spurious challenge updates.

Removed removeReqID() function from Route53 provider and stabilizeError() function from Azure DNS provider
Added centralized stabilizeSolverErrorMessage() function in the ACME challenge controller that handles error message stabilization for both AWS and Azure SDK errors
Updated error formatting to use %w instead of %s or %v for proper error wrapping

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/issuer/acme/dns/route53/route53.go	Removed `removeReqID()` function and its calls; updated error messages to use `%w` for proper error wrapping
pkg/issuer/acme/dns/route53/route53_test.go	Removed tests for the deleted `removeReqID()` function
pkg/issuer/acme/dns/azuredns/azuredns.go	Removed `stabilizeError()` function and `NormalizedError` type; updated error messages to use `%w` for proper error wrapping
pkg/issuer/acme/dns/azuredns/azuredns_test.go	Removed tests for the deleted `stabilizeError()` function
pkg/issuer/acme/dns/dns.go	Updated error message to use `%w` for proper error wrapping
pkg/controller/acmechallenges/sync.go	Added centralized `stabilizeSolverErrorMessage()` function and applied it to error messages stored in challenge status
pkg/controller/acmechallenges/sync_test.go	Added tests for the new `stabilizeSolverErrorMessage()` function

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

wallrj-cyberark · 2025-10-31T17:43:41Z

pkg/controller/acmechallenges/sync.go

+//
+// TODO(wallrj): Ideally this would not be necessary. It should be possible to
+// add the unique error message to the status without triggering another
+// reconcile.


I'll see if I can get that alternative approach working, in :

Add predicate filtering to queuing handler #8220

But that would be too big a change to backport to release-1.19.
This simpler change in this PR might be backported so that we can fix the problem now for Digital Ocean users.

wallrj-cyberark · 2025-10-31T17:59:23Z

/retest

dunglas · 2025-10-31T19:52:08Z

pkg/controller/acmechallenges/sync.go

+	}
+	fullMessage := err.Error()
+	{
+		var target *awshttp.ResponseError


Wouldn't it be easier to maintain to introduce some inversion of control (as already done in some other parts of the code base) and let each provider provides its own implementation?

I considered it....for example I considered adding a new "StabilizeErrors" function to the "Provider" interface, but hesitated because it would imply a level of permanence and design endorsement that isn’t appropriate for a workaround. This PR is meant to be a cleanup and extension of existing hacks, not a new architectural direction.
Once the proper fix is in place, this workaround can and should be removed.

I've added a note the PR description (with the help of copilot).

wallrj-cyberark · 2025-11-01T09:15:36Z

Further testing

# resources.yaml
---
# AWS Rout53
apiVersion: v1
kind: Namespace
metadata:
  name: aws
---
apiVersion: v1
kind: Secret
metadata:
  name: aws-credentials
  namespace: aws
stringData:
  AWS_ACCESS_KEY_ID: DEADBEEF
  AWS_SECRET_ACCESS_KEY: DEADBEEF
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issuer-1
  namespace: aws
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ${EMAIL_ADDRESS}
    profile: tlsserver
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        route53:
          region: us-east-2
          accessKeyIDSecretRef:
            name: aws-credentials
            key: AWS_ACCESS_KEY_ID
          secretAccessKeySecretRef:
            name: aws-credentials
            key: AWS_SECRET_ACCESS_KEY
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www
  namespace: aws
spec:
  secretName: www-tls
  privateKey:
    rotationPolicy: Always
  dnsNames:
    - aws.cert-manager.richard-gcp.jetstacker.net
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: issuer-1
    kind: Issuer
    group: cert-manager.io
---
# Azure DNS
apiVersion: v1
kind: Namespace
metadata:
  name: azure
---
apiVersion: v1
kind: Secret
metadata:
  name: azure-credentials
  namespace: azure
stringData:
  SECRET: DEADBEEF
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issuer-1
  namespace: azure
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ${EMAIL_ADDRESS}
    profile: tlsserver
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        azureDNS:
          resourceGroupName: rg-1
          subscriptionID: sub-1
          clientID: client-1
          tenantID: tenant-1
          clientSecretSecretRef:
            name: azure-credentials
            key: SECRET
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www
  namespace: azure
spec:
  secretName: www-tls
  privateKey:
    rotationPolicy: Always
  dnsNames:
    - azure.cert-manager.richard-gcp.jetstacker.net
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: issuer-1
    kind: Issuer
    group: cert-manager.io
---
# Digital Ocean
apiVersion: v1
kind: Namespace
metadata:
  name: digitalocean
---
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-credentials
  namespace: digitalocean
stringData:
  TOKEN: DEADBEEF
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issuer-1
  namespace: digitalocean
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ${EMAIL_ADDRESS}
    profile: tlsserver
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        digitalocean:
          tokenSecretRef:
            name: digitalocean-credentials
            key: TOKEN
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www
  namespace: digitalocean
spec:
  secretName: www-tls
  privateKey:
    rotationPolicy: Always
  dnsNames:
    - do.cert-manager.richard-gcp.jetstacker.net
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: issuer-1
    kind: Issuer
    group: cert-manager.io

export EMAIL_ADDRESS=me@my-domain.net
envsubst < resources.yaml  | kubectl apply -f -

$ kubectl describe challenge -A  | fgrep -e Name -e Reason -e Warning
Name:         www-1-2083194893-1034299529
Namespace:    aws
    Name:                  www-1-2083194893
  Dns Name:           aws.cert-manager.richard-gcp.jetstacker.net
    Name:   issuer-1
          Name:  aws-credentials
          Name:  aws-credentials
  Reason:      failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, <redacted AWS SDK error: http.ResponseError: see events and logs for details>
  Type     Reason        Age   From                     Message
  Warning  PresentError  90s   cert-manager-challenges  Error presenting challenge: failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 37cfa379-b028-4273-934e-c848c57935d9, api error InvalidClientTokenId: The security token included in the request is invalid.
  Warning  PresentError  90s   cert-manager-challenges  Error presenting challenge: failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: fc78b20c-40d3-44dd-8d6a-d2a4deb6df09, api error InvalidClientTokenId: The security token included in the request is invalid.
  Warning  PresentError  84s   cert-manager-challenges  Error presenting challenge: failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: a0dd686f-2fdb-483a-ab5c-3f1017cb7178, api error InvalidClientTokenId: The security token included in the request is invalid.
  Warning  PresentError  63s   cert-manager-challenges  Error presenting challenge: failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: d1294754-ca28-4378-9f9a-7829ff4daa40, api error InvalidClientTokenId: The security token included in the request is invalid.
  Warning  PresentError  22s   cert-manager-challenges  Error presenting challenge: failed to determine Route 53 hosted zone ID: operation error Route 53: ListHostedZonesByName, https response error StatusCode: 403, RequestID: 64c5325d-24a1-4f90-bb1d-1400eaa433a7, api error InvalidClientTokenId: The security token included in the request is invalid.
Name:         www-1-137601487-3491019926
Namespace:    azure
    Name:                  www-1-137601487
  Dns Name:           azure.cert-manager.richard-gcp.jetstacker.net
    Name:   issuer-1
          Name:               azure-credentials
        Resource Group Name:  rg-1
  Reason:      Zone richard-gcp.jetstacker.net. not found in AzureDNS for domain _acme-challenge.azure.cert-manager.richard-gcp.jetstacker.net.. Err: <redacted Azure SDK error: azidentity.AuthenticationFailedError: see events and logs for details>
  Type     Reason        Age   From                     Message
  Warning  PresentError  90s   cert-manager-challenges  Error presenting challenge: Zone richard-gcp.jetstacker.net. not found in AzureDNS for domain _acme-challenge.azure.cert-manager.richard-gcp.jetstacker.net.. Err: ClientSecretCredential authentication failed.
  Warning  PresentError  90s  cert-manager-challenges  Error presenting challenge: Zone richard-gcp.jetstacker.net. not found in AzureDNS for domain _acme-challenge.azure.cert-manager.richard-gcp.jetstacker.net.. Err: ClientSecretCredential authentication failed.
  Warning  PresentError  85s  cert-manager-challenges  Error presenting challenge: Zone richard-gcp.jetstacker.net. not found in AzureDNS for domain _acme-challenge.azure.cert-manager.richard-gcp.jetstacker.net.. Err: ClientSecretCredential authentication failed.
  Warning  PresentError  65s  cert-manager-challenges  Error presenting challenge: Zone richard-gcp.jetstacker.net. not found in AzureDNS for domain _acme-challenge.azure.cert-manager.richard-gcp.jetstacker.net.. Err: ClientSecretCredential authentication failed.
  Warning  PresentError  24s  cert-manager-challenges  Error presenting challenge: Zone richard-gcp.jetstacker.net. not found in AzureDNS for domain _acme-challenge.azure.cert-manager.richard-gcp.jetstacker.net.. Err: ClientSecretCredential authentication failed.
Name:         www-1-2131901473-3262237110
Namespace:    digitalocean
    Name:                  www-1-2131901473
  Dns Name:           do.cert-manager.richard-gcp.jetstacker.net
    Name:   issuer-1
          Name:  digitalocean-credentials
  Reason:      <redacted DigitalOcean SDK error: godo.ErrorResponse: see events and logs for details>
  Type     Reason        Age   From                     Message
  Warning  PresentError  91s   cert-manager-challenges  Error presenting challenge: GET https://api.digitalocean.com/v2/domains/richard-gcp.jetstacker.net/records?type=TXT: 401 (request "186967b9-8430-4ffb-be6f-2fdbf06f71d9") Unable to authenticate you
  Warning  PresentError  90s   cert-manager-challenges  Error presenting challenge: GET https://api.digitalocean.com/v2/domains/richard-gcp.jetstacker.net/records?type=TXT: 401 (request "467e41c6-c1f4-47f5-bd43-eee0c1793337") Unable to authenticate you
  Warning  PresentError  85s   cert-manager-challenges  Error presenting challenge: GET https://api.digitalocean.com/v2/domains/richard-gcp.jetstacker.net/records?type=TXT: 401 (request "b15242f4-f522-4ca4-b8db-afa5a0543f8d") Unable to authenticate you
  Warning  PresentError  65s   cert-manager-challenges  Error presenting challenge: GET https://api.digitalocean.com/v2/domains/richard-gcp.jetstacker.net/records?type=TXT: 401 (request "63f0a3be-fdca-48f7-9808-e82c7f606596") Unable to authenticate you
  Warning  PresentError  24s   cert-manager-challenges  Error presenting challenge: GET https://api.digitalocean.com/v2/domains/richard-gcp.jetstacker.net/records?type=TXT: 401 (request "42d9487b-0888-4090-aee7-19a053761dec") Unable to authenticate you

- Redact AWS and Azure SDK http errors in controller error normalizer - Remove azuredns stabilizeError/NormalizedError and return original errors - Use %w when wrapping Azure errors so callers can redact them - Update tests to expect redacted messages and remove obsolete checks - Stabilize DigitalOcean ErrorResponse errors too Signed-off-by: Richard Wall <richard.wall@cyberark.com>

inteon · 2025-11-04T07:17:26Z

/approve
/lgtm

Thanks @wallrj-cyberark for tackling this long-standing issue & investing the time to find a more universal fix for these problems.

cert-manager-prow · 2025-11-04T07:17:39Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dunglas, inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [inteon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

wallrj-cyberark · 2025-11-04T15:58:24Z

/kind bug

wallrj-cyberark · 2025-11-04T16:55:03Z

📢 A new pre-release is available which contains this fix or feature:

https://github.com/cert-manager/cert-manager/releases/tag/v1.20.0-alpha.0

Please test and report back.

maelvls · 2025-12-12T10:51:41Z

@wallrj-cyberark Will #7234 be fixed by your PR, too?

I noticed you told users to try the alpha and give feedback in #6230 and #8166, but I haven't seen that same message in #7234.

…#4581) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) | minor | `v1.19.4` → `v1.20.0` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager/cert-manager)</summary> ### [`v1.20.0`](https://github.com/cert-manager/cert-manager/releases/tag/v1.20.0) [Compare Source](cert-manager/cert-manager@v1.19.4...v1.20.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. v1.20.0 adds support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta. #### Changes by Kind ##### Feature - Added a set of flags to permit setting NetworkPolicy across all deployed containers. Remove redundant global IP ranges from example policies. ([#8370](cert-manager/cert-manager#8370), [@jcpunk](https://github.com/jcpunk)) - Added selectable fields to custom resource definitions for .spec.issuerRef.{group, kind, name} ([#8256](cert-manager/cert-manager#8256), [@tareksha](https://github.com/tareksha)) - Added support for specifying `imagePullSecrets` in the `startupapicheck-job` Helm template to enable pulling images from private registries. ([#8186](cert-manager/cert-manager#8186), [@mathieu-clnk](https://github.com/mathieu-clnk)) - Added 'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar containers within the cert-manager operator pod. This can be used to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification. ([#8355](cert-manager/cert-manager#8355), [@dancmeyers](https://github.com/dancmeyers)) - Added `parentRef` override annotations on the Certificate resource. ([#8518](cert-manager/cert-manager#8518), [@hjoshi123](https://github.com/hjoshi123)) - Added support for azure private zones for dns01 issuer. ([#8494](cert-manager/cert-manager#8494), [@hjoshi123](https://github.com/hjoshi123)) - Added support for configuring PEM decoding size limits, allowing operators to handle larger certificates and keys. ([#7642](cert-manager/cert-manager#7642), [@robertlestak](https://github.com/robertlestak)) - Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget ([#7728](cert-manager/cert-manager#7728), [@jcpunk](https://github.com/jcpunk)) - For Venafi provider, read `venafi.cert-manager.io/custom-fields` annotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. ([#8301](cert-manager/cert-manager#8301), [@k0da](https://github.com/k0da)) - Improve error message when CA issuers are misconfigured to use a clashing secret name ([#8374](cert-manager/cert-manager#8374), [@majiayu000](https://github.com/majiayu000)) - Introduce a new Ingress annotation `acme.cert-manager.io/http01-ingress-ingressclassname` to override `http01.ingress.ingressClassName` field in HTTP-01 challenge solvers. ([#8244](cert-manager/cert-manager#8244), [@lunarwhite](https://github.com/lunarwhite)) - Update `global.nodeSelector` to helm chart to perform a `merge` and allow for a single `nodeSelector` to be set across all services. ([#8195](cert-manager/cert-manager#8195), [@StingRayZA](https://github.com/StingRayZA)) - Vault issuers will now include the Vault server address as one of the default audiences on generated service account tokens. ([#8228](cert-manager/cert-manager#8228), [@terinjokes](https://github.com/terinjokes)) - Added experimental `XListenerSet` feature gate ([#8394](cert-manager/cert-manager#8394), [@hjoshi123](https://github.com/hjoshi123)) ##### Documentation - Add GWAPI documentation to NOTES.TXT in helm chart ([#8353](cert-manager/cert-manager#8353), [@jaxels10](https://github.com/jaxels10)) ##### Bug or Regression - Adds logs for cases when acme server returns us a fatal error in the order controller ([#8199](cert-manager/cert-manager#8199), [@Peac36](https://github.com/Peac36)) - Fixed an issue where kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed ([#8160](cert-manager/cert-manager#8160), [@inteon](https://github.com/inteon)) - Changes to the Duration and RenewBefore annotations on ingress and gateway-api resources will now trigger certificate updates. ([#8232](cert-manager/cert-manager#8232), [@eleanor-merry](https://github.com/eleanor-merry)) - Fix an issue where ACME challenge TXT records are not cleaned up when there are many resource records in CloudDNS. ([#8456](cert-manager/cert-manager#8456), [@tkna](https://github.com/tkna)) - Fix unregulated retries with the DigitalOcean DNS-01 solver Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging ([#8221](cert-manager/cert-manager#8221), [@wallrj-cyberark](https://github.com/wallrj-cyberark)) - Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. ([#8403](cert-manager/cert-manager#8403), [@calm329](https://github.com/calm329)) - Fixed an issue where HTTP-01 challenges failed when the Host header contains an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. ([#8424](cert-manager/cert-manager#8424), [@SlashNephy](https://github.com/SlashNephy)) - Fixed the HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames when the challenge DNSName is an IP address. ([#8443](cert-manager/cert-manager#8443), [@alviss7](https://github.com/alviss7)) - Revert API defaults for issuer reference kind and group introduced in 0.19.0 ([#8173](cert-manager/cert-manager#8173), [@erikgb](https://github.com/erikgb)) - Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. ([#8469](cert-manager/cert-manager#8469), [@SgtCoDFish](https://github.com/SgtCoDFish)) - Update Go to `v1.25.5` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#8290](cert-manager/cert-manager#8290), [@octo-sts](https://github.com/octo-sts)\[bot]) - When Prometheus monitoring is enabled, the metrics label is now set to the intended value of `cert-manager`. Previously, it was set depending on various factors (namespace cert-manager is installed in and/or Helm release name). ([#8162](cert-manager/cert-manager#8162), [@LiquidPL](https://github.com/LiquidPL)) ##### Other (Cleanup or Flake) - Promoted the OtherNames feature to Beta and enabled it by default ([#8288](cert-manager/cert-manager#8288), [@wallrj-cyberark](https://github.com/wallrj-cyberark)) - Promoting `xlistenerset` feature gate to `listenerset` ([#8501](cert-manager/cert-manager#8501), [@hjoshi123](https://github.com/hjoshi123)) - Rebranding of the Venafi Issuer to CyberArk ([#8215](cert-manager/cert-manager#8215), [@iossifbenbassat123](https://github.com/iossifbenbassat123)) - Switched to SSA for challenge finalizer updates ([#8519](cert-manager/cert-manager#8519), [@inteon](https://github.com/inteon)) - The default container user (UID) is now 65532 (previously 1000) and the default container group (GID) is now 65532 (previously 0) ([#8408](cert-manager/cert-manager#8408), [@wallrj-cyberark](https://github.com/wallrj-cyberark)) - The feature-gate DefaultPrivateKeyRotationPolicyAlways moved from Beta to GA and can no longer be disabled. ([#8287](cert-manager/cert-manager#8287), [@wallrj-cyberark](https://github.com/wallrj-cyberark)) - Update cert-manager's ACME client, forked from golang/x/crypto ([#8268](cert-manager/cert-manager#8268), [@SgtCoDFish](https://github.com/SgtCoDFish)) - Use the latest version of Kyverno (1.16.2) in the best-practice installation tests ([#8389](cert-manager/cert-manager#8389), [@wallrj-cyberark](https://github.com/wallrj-cyberark)) - We stopped testing with Coutour due to it not supporting the new XListenerSet resource, and moved to kgateway. ([#8426](cert-manager/cert-manager#8426), [@hjoshi123](https://github.com/hjoshi123)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4581 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://cert-manager.io) ([source](https://github.com/cert-manager/cert-manager)) | minor | `v1.19.4` → `v1.20.0` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.20.0`](https://github.com/cert-manager/cert-manager/releases/tag/v1.20.0) [Compare Source](cert-manager/cert-manager@v1.19.4...v1.20.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. v1.20.0 adds support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta. #### Changes by Kind ##### Feature - Added a set of flags to permit setting NetworkPolicy across all deployed containers. Remove redundant global IP ranges from example policies. ([#8370](cert-manager/cert-manager#8370), [@jcpunk](https://github.com/jcpunk)) - Added selectable fields to custom resource definitions for .spec.issuerRef.{group, kind, name} ([#8256](cert-manager/cert-manager#8256), [@tareksha](https://github.com/tareksha)) - Added support for specifying `imagePullSecrets` in the `startupapicheck-job` Helm template to enable pulling images from private registries. ([#8186](cert-manager/cert-manager#8186), [@mathieu-clnk](https://github.com/mathieu-clnk)) - Added 'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar containers within the cert-manager operator pod. This can be used to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification. ([#8355](cert-manager/cert-manager#8355), [@dancmeyers](https://github.com/dancmeyers)) - Added `parentRef` override annotations on the Certificate resource. ([#8518](cert-manager/cert-manager#8518), [@hjoshi123](https://github.com/hjoshi123)) - Added support for azure private zones for dns01 issuer. ([#8494](cert-manager/cert-manager#8494), [@hjoshi123](https://github.com/hjoshi123)) - Added support for configuring PEM decoding size limits, allowing operators to handle larger certificates and keys. ([#7642](cert-manager/cert-manager#7642), [@robertlestak](https://github.com/robertlestak)) - Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget ([#7728](cert-manager/cert-manager#7728), [@jcpunk](https://github.com/jcpunk)) - For Venafi provider, read `venafi.cert-manager.io/custom-fields` annotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. ([#8301](cert-manager/cert-manager#8301), [@k0da](https://github.com/k0da)) - Improve error message when CA issuers are misconfigured to use a clashing secret name ([#8374](cert-manager/cert-manager#8374), [@majiayu000](https://github.com/majiayu000)) - Introduce a new Ingress annotation `acme.cert-manager.io/http01-ingress-ingressclassname` to override `http01.ingress.ingressClassName` field in HTTP-01 challenge solvers. ([#8244](cert-manager/cert-manager#8244), [@lunarwhite](https://github.com/lunarwhite)) - Update `global.nodeSelector` to helm chart to perform a `merge` and allow for a single `nodeSelector` to be set across all services. ([#8195](cert-manager/cert-manager#8195), [@StingRayZA](https://github.com/StingRayZA)) - Vault issuers will now include the Vault server address as one of the default audiences on generated service account tokens. ([#8228](cert-manager/cert-manager#8228), [@terinjokes](https://github.com/terinjokes)) - Added experimental `XListenerSet` feature gate ([#8394](cert-manager/cert-manager#8394), [@hjoshi123](https://github.com/hjoshi123)) ##### Documentation - Add GWAPI documentation to NOTES.TXT in helm chart ([#8353](cert-manager/cert-manager#8353), [@jaxels10](https://github.com/jaxels10)) ##### Bug or Regression - Adds logs for cases when acme server returns us a fatal error in the order controller ([#8199](cert-manager/cert-manager#8199), [@Peac36](https://github.com/Peac36)) - Fixed an issue where kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed ([#8160](cert-manager/cert-manager#8160), [@inteon](https://github.com/inteon)) - Changes to the Duration and RenewBefore annotations on ingress and gateway-api resources will now trigger certificate updates. ([#8232](cert-manager/cert-manager#8232), [@eleanor-merry](https://github.com/eleanor-merry)) - Fix an issue where ACME challenge TXT records are not cleaned up when there are many resource records in CloudDNS. ([#8456](cert-manager/cert-manager#8456), [@tkna](https://github.com/tkna)) - Fix unregulated retries with the DigitalOcean DNS-01 solver Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging ([#8221](cert-manager/cert-manager#8221), [@wallrj-cyberark](https://github.com/wallrj-cyberark)) - Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. ([#8403](cert-manager/cert-manager#8403), [@calm329](https://github.com/calm329)) - Fixed an issue where HTTP-01 challenges failed when the Host header contains an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. ([#8424](cert-manager/cert-manager#8424), [@SlashNephy](https://github.com/SlashNephy)) - Fixed the HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames when the challenge DNSName is an IP address. ([#8443](cert-manager/cert-manager#8443), [@alviss7](https://github.com/alviss7)) - Revert API defaults for issuer reference kind and group introduced in 0.19.0 ([#8173](cert-manager/cert-manager#8173), [@erikgb](https://github.com/erikgb)) - Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. ([#8469](cert-manager/cert-manager#8469), [@SgtCoDFish](https://github.com/SgtCoDFish)) - Update Go to `v1.25.5` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#8290](cert-manager/cert-manager#8290), [@octo-sts](https://github.com/octo-sts)\[bot]) - When Prometheus monitoring is enabled, the metrics label is now set to the intended value of `cert-manager`. Previously, it was set depending on various factors (namespace cert-manager is installed in and/or Helm release name). ([#8162](cert-manager/cert-manager#8162), [@LiquidPL](https://github.com/LiquidPL)) ##### Other (Cleanup or Flake) - Promoted the OtherNames feature to Beta and enabled it by default ([#8288](cert-manager/cert-manager#8288), [@wallrj-cyberark](https://github.com/wallrj-cyberark)) - Promoting `xlistenerset` feature gate to `listenerset` ([#8501](cert-manager/cert-manager#8501), [@hjoshi123](https://github.com/hjoshi123)) - Rebranding of the Venafi Issuer to CyberArk ([#8215](cert-manager/cert-manager#8215), [@iossifbenbassat123](https://github.com/iossifbenbassat123)) - Switched to SSA for challenge finalizer updates ([#8519](cert-manager/cert-manager#8519), [@inteon](https://github.com/inteon)) - The default container user (UID) is now 65532 (previously 1000) and the default container group (GID) is now 65532 (previously 0) ([#8408](cert-manager/cert-manager#8408), [@wallrj-cyberark](https://github.com/wallrj-cyberark)) - The feature-gate DefaultPrivateKeyRotationPolicyAlways moved from Beta to GA and can no longer be disabled. ([#8287](cert-manager/cert-manager#8287), [@wallrj-cyberark](https://github.com/wallrj-cyberark)) - Update cert-manager's ACME client, forked from golang/x/crypto ([#8268](cert-manager/cert-manager#8268), [@SgtCoDFish](https://github.com/SgtCoDFish)) - Use the latest version of Kyverno (1.16.2) in the best-practice installation tests ([#8389](cert-manager/cert-manager#8389), [@wallrj-cyberark](https://github.com/wallrj-cyberark)) - We stopped testing with Coutour due to it not supporting the new XListenerSet resource, and moved to kgateway. ([#8426](cert-manager/cert-manager#8426), [@hjoshi123](https://github.com/hjoshi123)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4582 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

wallrj-cyberark force-pushed the route53-error-chain-2 branch from 67cf158 to f6e63e5 Compare October 31, 2025 11:44

cert-manager-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 31, 2025

wallrj-cyberark force-pushed the route53-error-chain-2 branch 2 times, most recently from 95bffdd to 0f60d31 Compare October 31, 2025 13:38

wallrj requested a review from Copilot October 31, 2025 13:42

wallrj-cyberark marked this pull request as ready for review October 31, 2025 13:43

cert-manager-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 31, 2025

Copilot AI reviewed Oct 31, 2025

View reviewed changes

wallrj-cyberark force-pushed the route53-error-chain-2 branch from 0f60d31 to aae0a6c Compare October 31, 2025 14:26

cert-manager-prow bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Oct 31, 2025

wallrj-cyberark force-pushed the route53-error-chain-2 branch 2 times, most recently from 4e10d3a to 6a943b5 Compare October 31, 2025 15:58

wallrj-cyberark marked this pull request as draft October 31, 2025 17:22

cert-manager-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 31, 2025

wallrj-cyberark force-pushed the route53-error-chain-2 branch from 6a943b5 to 52737d1 Compare October 31, 2025 17:27

wallrj-cyberark commented Oct 31, 2025

View reviewed changes

wallrj-cyberark mentioned this pull request Oct 31, 2025

fix incorrect error handling in route53 dns provider #8167

Closed

wallrj-cyberark marked this pull request as ready for review October 31, 2025 17:50

cert-manager-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 31, 2025

This comment was marked as outdated.

Sign in to view

dunglas reviewed Oct 31, 2025

View reviewed changes

dunglas approved these changes Nov 1, 2025

View reviewed changes

wallrj-cyberark force-pushed the route53-error-chain-2 branch from 52737d1 to 8f2779c Compare November 4, 2025 06:29

cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label Nov 4, 2025

cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 4, 2025

cert-manager-prow bot merged commit c2e1b56 into cert-manager:master Nov 4, 2025
6 checks passed

dunglas mentioned this pull request Nov 4, 2025

feat: exponential backoff for DigitalOcean API calls #8205

Closed

wallrj-cyberark deleted the route53-error-chain-2 branch November 4, 2025 12:26

wallrj-cyberark mentioned this pull request Nov 4, 2025

wip: add retry mechanism for challenge solver whenever we detect unauthorized error #7897

Open

cert-manager-prow bot added the kind/bug Categorizes issue or PR as related to a bug. label Nov 4, 2025

wallrj-cyberark changed the title ~~Centralize the stabilization of DNS01 API errors~~ Fix unregulated retries with the DigitalOcean DNS-01 solver Nov 4, 2025

maelvls mentioned this pull request Nov 18, 2025

Add predicate filtering to queuing handler #8220

Open

This was referenced Dec 8, 2025

Improve cert-manager's event handler to allow us to selectively skip some reconciliations #8319

Open

Fix spurious reconciliations due to a lack of error message normalization in DigitalOcean, AWS Route53, and Azure DNS ACME providers #8318

Closed

maelvls changed the title ~~Fix unregulated retries with the DigitalOcean DNS-01 solver~~ Fix unregulated retries with the DigitalOcean, Azure DNS, and AWS Route53 DNS-01 solver Dec 12, 2025

Conversation

wallrj-cyberark commented Oct 31, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

xrefs

Testing

Uh oh!

cert-manager-prow bot commented Oct 31, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

wallrj-cyberark Oct 31, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

This comment was marked as outdated.

wallrj-cyberark commented Oct 31, 2025

Uh oh!

dunglas Oct 31, 2025

Choose a reason for hiding this comment

Uh oh!

wallrj-cyberark Nov 1, 2025

Choose a reason for hiding this comment

Uh oh!

wallrj-cyberark commented Nov 1, 2025

Further testing

Uh oh!

inteon commented Nov 4, 2025

Uh oh!

cert-manager-prow bot commented Nov 4, 2025

Uh oh!

Uh oh!

wallrj-cyberark commented Nov 4, 2025

Uh oh!

wallrj-cyberark commented Nov 4, 2025

Uh oh!

maelvls commented Dec 12, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

wallrj-cyberark commented Oct 31, 2025 •

edited

Loading

wallrj-cyberark Oct 31, 2025 •

edited

Loading