
I have configured a ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cluster-issuer
spec:
  acme:
    email: <myemail>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-cluster-issuer-key
    solvers:
      - http01:
          ingress:
            class: nginx

and an Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
    kubernetes.io/ingress.class: nginx
  name: web-ingress
  namespace: default
spec:
  rules:
    - host: hostname
      http:
        paths:
          - backend:
              service:
                name: web-service
                port:
                  number: 3000
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - hostname
      secretName: web-cert-tls

I’m unable to get the configuration to run properly. This spawns a new ingress as follows

Name:             cm-acme-http-solver-9nbh6
Labels:           acme.cert-manager.io/http-domain=1234
                  acme.cert-manager.io/http-token=1234
                  acme.cert-manager.io/http01-solver=true
Namespace:        default
Address:          <IPAddress>
Ingress Class:    <none>
Default backend:  <default>
Rules:
  Host          Path  Backends
  ----          ----  --------
  hostname  
                /.well-known/acme-challenge/challengexyzxyzxyz-o   cm-acme-http-solver-9dc8z:8089 (10.2.0.85:8089)
Annotations:    kubernetes.io/ingress.class: nginx
                nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  Sync    10m (x2 over 10m)  nginx-ingress-controller  Scheduled for sync

Here’s the describe output for the Ingress that I applied

Name:             web-ingress
Labels:           app.kubernetes.io/instance=web-app
Namespace:        default
Address:          <IPAddress>
Ingress Class:    <none>
Default backend:  <default>
TLS:
  web-cert-tls terminates hostname
Rules:
  Host          Path  Backends
  ----          ----  --------
  hostname  
                /   web-service:3000 (10.2.0.68:3000)
Annotations:    acme.cert-manager.io/http01-edit-in-place: true
                cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
                kubernetes.io/ingress.class: nginx
Events:
  Type    Reason             Age                  From                       Message
  ----    ------             ----                 ----                       -------
  Normal  CreateCertificate  31m                  cert-manager-ingress-shim  Successfully created Certificate "web-cert-tls"
  Normal  Sync               6m27s (x6 over 31m)  nginx-ingress-controller   Scheduled for sync

and when I check the cert-manager logs I find this error

E0905 10:09:04.617600       1 sync.go:190] cert-manager/challenges "msg"="propagation check failed" "error"="did not get expected response when querying endpoint, expected "challengexyzxyz.morestuffherexyzxyz" but got: <html xml:lang="fr-FR" l... (truncated)" "dnsName"="hostname.ovh" "resource_kind"="Challenge" "resource_name"="web-cert-tls-xtp2r-768063107-2100049723" "resource_namespace"="default" "resource_version"="v1" "type"="HTTP-01"

When I access hostname/.well-known/acme-challenge/challengexyzxyzxyz-o from browser
I’m getting the expected value.

When I access it from a pod I’m getting an HTML page that says the domain was purchased.

I’ve also tried to just apply the certificate without the Ingress

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-cert
  namespace: default
spec:
  dnsNames:
    - hostname.ovh
  secretName: web-cert-tls
  issuerRef:
    name: letsencrypt-cluster-issuer
    kind: ClusterIssuer

I’ve also tried adding acme.cert-manager.io/http01-edit-in-place: "true" to the Ingress object annotations. It didn’t solve the problem either (it just didn’t spawn a new ingress, that’s all).

So I’m stuck at this stage of the challenge:

Type:         HTTP-01
  URL:          https://acme-v02.api.letsencrypt.org/acme/chall-v3/12134567898/Fmasf
  Wildcard:     false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: did not get expected response when querying endpoint, expected "challengexyzxyzxyz-o.challengexyzxyzxyz-o" but got: <html xml:lang="fr-FR" l... (truncated)
  State:       pending
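The error above comes from cert-manager’s own propagation self-check: before it asks Let’s Encrypt to validate, it fetches http://hostname/.well-known/acme-challenge/<token> from inside its pod and expects the body to be the key authorization (the `<token>.<thumbprint>` string shown as `expected "…"` in the log). That request is resolved through the cluster’s DNS, so an in-cluster answer that differs from the public one (here, the registrar’s parking page) fails the check even though a browser sees the right token. The script below is an added example, not code from the question, the answers or cert-manager itself: it performs the same check but through an explicitly chosen nameserver, so the cluster resolver’s answer can be compared side by side with a public one. Hostname, token, key authorization and resolver IPs are placeholders passed on the command line.

```python
"""HTTP-01 self-check through an explicit DNS resolver (added example, not cert-manager code).

Resolves the challenge hostname via one chosen nameserver instead of /etc/resolv.conf,
fetches the challenge path from that address with the real Host header, and compares the
body with the expected key authorization (token.thumbprint), as the propagation check does.
"""
from __future__ import annotations

import http.client
import random
import socket
import struct
import sys

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def build_a_query(name: str, txid: int) -> bytes:
    """Encode a minimal DNS query for an A record of `name` (RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg: bytes, txid: int) -> list[str]:
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("DNS transaction id mismatch")
    if flags & 0x000F:                  # RCODE other than NOERROR (3 = NXDOMAIN)
        raise ValueError(f"DNS error, rcode={flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs: list[str] = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_a(name: str, resolver: str, timeout: float = 3.0) -> list[str]:
    """Resolve `name` through one specific nameserver, bypassing the system resolver."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def fetch_challenge(ip: str, host: str, token: str, timeout: float = 5.0) -> tuple[int, str]:
    """GET the challenge path from `ip`, sending the real hostname in the Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()


def classify_body(expected_key_authz: str, status: int, body: str) -> str:
    """Compare the response with the key authorization the ACME client expects."""
    if status == 200 and body.strip() == expected_key_authz:
        return "ok"
    if "<html" in body.lower():
        return "html-page (wrong backend, e.g. a registrar parking page)"
    return f"unexpected (status {status})"


def check_via_resolver(host: str, token: str, expected: str, resolver: str) -> str:
    """Run the whole self-check through `resolver` and return a one-line verdict."""
    try:
        addrs = resolve_a(host, resolver)
    except (OSError, ValueError) as exc:
        return f"{resolver}: resolution failed ({exc})"
    if not addrs:
        return f"{resolver}: no A records for {host}"
    try:
        status, body = fetch_challenge(addrs[0], host, token)
    except OSError as exc:
        return f"{resolver}: {host} -> {addrs[0]}, HTTP failed ({exc})"
    return f"{resolver}: {host} -> {addrs[0]}, {classify_body(expected, status, body)}"


if __name__ == "__main__":
    # usage: check.py <hostname> <token> <token.thumbprint> <resolver-ip> [<resolver-ip> ...]
    # e.g. the kube-dns ClusterIP (10.96.0.10 is a placeholder) next to 8.8.8.8
    if len(sys.argv) < 5:
        sys.exit("usage: check.py HOST TOKEN KEY_AUTHZ RESOLVER [RESOLVER ...]")
    host, token, expected, *resolvers = sys.argv[1:]
    for resolver in resolvers:
        print(check_via_resolver(host, token, expected, resolver))
```

Run it from a debug pod in the cluster with the kube-dns service IP as the first resolver and a public resolver as the second: if the first line reports an `html-page` verdict while the second reports `ok`, the in-cluster resolver is returning a different (stale or split-horizon) address for the hostname, which is exactly the situation the accepted answer works around by pinning cert-manager’s pod to public nameservers.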


Answers


  1. Chosen as BEST ANSWER

     # in the pod template of the cert-manager Deployment
     spec:
       template:
         spec:
           dnsPolicy: "None"
           dnsConfig:
             nameservers:
               - 8.8.8.8
               - 8.8.4.4

    Setting this config for cert-manager worked out.

    It was dnsPolicy: ClusterFirst, and it somehow was pointing to the DNS provider's website saying congrats on the purchase.

    Turns out that it can also be a propagation delay for the DNS that's local to the k8s provider. In my case the delay was more than 24h. Once the nameserver was updated I could revert this change and still got it to work.


  2. I fixed this by making sure that the tls section is present in the Ingress spec

     spec:
       tls:
         - hosts:
             - deck.spinnaker.abc.com
           secretName: spin-deck-tls