I have configured a ClusterIssuer:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cluster-issuer
spec:
  acme:
    email: <myemail>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-cluster-issuer-key
    solvers:
    - http01:
        ingress:
          class: nginx
```

and an Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
    kubernetes.io/ingress.class: nginx
  name: web-ingress
  namespace: default
spec:
  rules:
  - host: hostname
    http:
      paths:
      - backend:
          service:
            name: web-service
            port:
              number: 3000
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - hostname
    secretName: web-cert-tls
```

I'm unable to get the configuration to run properly. This spawns a new ingress as follows:
```
Name:             cm-acme-http-solver-9nbh6
Labels:           acme.cert-manager.io/http-domain=1234
                  acme.cert-manager.io/http-token=1234
                  acme.cert-manager.io/http01-solver=true
Namespace:        default
Address:          <IPAddress>
Ingress Class:    <none>
Default backend:  <default>
Rules:
  Host        Path                                              Backends
  ----        ----                                              --------
  hostname
              /.well-known/acme-challenge/challengexyzxyzxyz-o  cm-acme-http-solver-9dc8z:8089 (10.2.0.85:8089)
Annotations:  kubernetes.io/ingress.class: nginx
              nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  Sync    10m (x2 over 10m)  nginx-ingress-controller  Scheduled for sync
```

Here's the describe output for the Ingress that I applied:
```
Name:             web-ingress
Labels:           app.kubernetes.io/instance=web-app
Namespace:        default
Address:          <IPAddress>
Ingress Class:    <none>
Default backend:  <default>
TLS:
  web-cert-tls terminates hostname
Rules:
  Host        Path  Backends
  ----        ----  --------
  hostname
              /     web-service:3000 (10.2.0.68:3000)
Annotations:  acme.cert-manager.io/http01-edit-in-place: true
              cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
              kubernetes.io/ingress.class: nginx
Events:
  Type    Reason             Age                 From                      Message
  ----    ------             ----                ----                      -------
  Normal  CreateCertificate  31m                 cert-manager-ingress-shim  Successfully created Certificate "web-cert-tls"
  Normal  Sync               6m27s (x6 over 31m)  nginx-ingress-controller   Scheduled for sync
```

And when I check the cert-manager logs I find this error:
```
E0905 10:09:04.617600 1 sync.go:190] cert-manager/challenges "msg"="propagation check failed" "error"="did not get expected response when querying endpoint, expected "challengexyzxyz.morestuffherexyzxyz" but got: <html xml:lang="fr-FR" l... (truncated)" "dnsName"="hostname.ovh" "resource_kind"="Challenge" "resource_name"="web-cert-tls-xtp2r-768063107-2100049723" "resource_namespace"="default" "resource_version"="v1" "type"="HTTP-01"
```

When I access hostname/.well-known/acme-challenge/challengexyzxyzxyz-o from a browser, I get the expected value. When I access it from a pod, I get an HTML page that says the domain was purchased.

I've also tried to just apply the Certificate without the Ingress:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-cert
  namespace: default
spec:
  dnsNames:
  - hostname.ovh
  secretName: web-cert-tls
  issuerRef:
    name: letsencrypt-cluster-issuer
    kind: ClusterIssuer
```

I've also tried adding `acme.cert-manager.io/http01-edit-in-place: "true"` to the Ingress annotations. It didn't solve the problem either (it just didn't spawn a new ingress, that's all). So I'm stuck at this stage of the challenge:
```
Type:      HTTP-01
URL:       https://acme-v02.api.letsencrypt.org/acme/chall-v3/12134567898/Fmasf
Wildcard:  false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: did not get expected response when querying endpoint, expected "challengexyzxyzxyz-o.challengexyzxyzxyz-o" but got: <html xml:lang="fr-FR" l... (truncated)
  State:       pending
```

2 Answers
Setting this config for cert-manager worked out. It was:

```yaml
dnsPolicy: ClusterFirst
```

And it somehow was pointing to the DNS provider's website saying congrats on the purchase. Turns out that it also can be a propagation delay for the DNS that's local to the k8s provider. In my case the delay was more than 24h. Once the nameserver was updated I could revert this change and still got it to work.
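To see the situation this answer describes (the cluster's resolver and the public DNS disagreeing, so cert-manager's self-check fetches a registrar parking page instead of the token), here is an added diagnostic script that is not part of the question or either answer. It assumes `dig` and `curl` are installed where it runs (e.g. a debug pod) and uses 1.1.1.1 as the public resolver; host, token and expected key authorization are supplied by the caller.

```bash
#!/usr/bin/env bash
# Added diagnostic for HTTP-01 propagation failures (not from the original post).
# Compares how a hostname resolves via this shell's resolver (inside a pod:
# the cluster DNS) and via a public resolver, then fetches the ACME challenge
# path through each address and classifies the body.

# Classify a response body against the key authorization cert-manager expects.
# Prints: ok | parking-page | mismatch
classify_body() {
  local body="$1" expected="$2"
  if [ "$body" = "$expected" ]; then
    echo ok
  elif printf '%s' "$body" | grep -qi '<html'; then
    echo parking-page      # HTML where a bare token was expected
  else
    echo mismatch
  fi
}

# Print "same" if two resolvers returned the same address set, else "differ".
compare_addresses() {
  local a b
  a=$(printf '%s\n' $1 | sort -u | tr '\n' ' ')
  b=$(printf '%s\n' $2 | sort -u | tr '\n' ' ')
  [ "$a" = "$b" ] && echo same || echo differ
}

# resolve HOST [SERVER]: A records via the default resolver or a given server.
resolve() {
  if [ -n "$2" ]; then dig +short A "$1" "@$2"; else dig +short A "$1"; fi
}

# fetch_via HOST TOKEN ADDR: fetch the challenge path through ADDR, bypassing DNS.
fetch_via() {
  curl -s --max-time 5 --resolve "$1:80:$3" "http://$1/.well-known/acme-challenge/$2"
}

# check_challenge HOST TOKEN EXPECTED_KEYAUTH: run the comparison end to end.
check_challenge() {
  local host=$1 token=$2 expected=$3 local_ips public_ips ip
  local_ips=$(resolve "$host" || true)
  public_ips=$(resolve "$host" 1.1.1.1 || true)   # public resolver is an assumption
  echo "resolvers: $(compare_addresses "$local_ips" "$public_ips")"
  for ip in $local_ips $public_ips; do
    echo "$ip: $(classify_body "$(fetch_via "$host" "$token" "$ip" || true)" "$expected")"
  done
}
```

Run it from a pod and from outside the cluster, e.g. `check_challenge example.com TOKEN TOKEN.THUMBPRINT`; a `differ` line plus a `parking-page` verdict on the cluster-resolved address is exactly the state this answer describes.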
I fixed this by making sure that `tls` is present in the Ingress spec.