
My Let's Encrypt order stays pending. I am using cert-manager on my single-node Kubernetes plane, and I am using Let's Encrypt.

apiVersion: certmanager.k8s.io/v1alpha1   # same API group/version as the ClusterIssuer below
kind: Certificate
metadata:
  name: example-zone
  namespace: default
spec:
  secretName: example-zone-tls
  renewBefore: 360h # 15d
  commonName: example.zone
  dnsNames:
    - example.zone
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

Output:

pascal$ kubectl get cert,order
NAME                                          READY   SECRET             AGE
certificate.certmanager.k8s.io/example-zone   False   example-zone-tls   79m

NAME                                               STATE     AGE
order.certmanager.k8s.io/example-zone-2971070786   pending   77m

Events received:

Events:
  Type     Reason            Age   From          Message
  ----     ------            ----  ----          -------
  Warning  NoMatchingSolver  15s   cert-manager  Failed to create challenge for domain "example.zone": no configured challenge solvers can be used for this challenge

The cert should be issued, but I think it hangs in my HAProxy. There are no errors, and I don't exactly know how to expose the ACME challenge using HAProxy. Could someone explain this to me?

My ClusterIssuer:

pascal$ kubectl describe clusterissuer letsencrypt-prod
Name:         letsencrypt-prod
Namespace:    # yep, it's empty!?
Labels:       <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Spec:
  Acme:
    Email:  <my-real-mail>
    Http 01:
      Ingress Class:  haproxy
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Last Registered Email:  <my-real-mail>
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/<hash>
  Conditions:
    Last Transition Time:  2019-08-17T11:49:05Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>
Pascal K.
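As an added example (not from the original post and not the cert-manager project's own manifests): the ClusterIssuer above uses the bare `http01:` block, which is the pre-v0.8 form of the certmanager.k8s.io/v1alpha1 API. With that form the Certificate must carry its own `acme.config` block naming a solver for each domain, and the Certificate in the question has none; since cert-manager v0.8 the issuer instead carries a `solvers:` list, and a challenge that no entry in that list applies to is exactly what reports `NoMatchingSolver`. The ClusterIssuer and Ingress below are written in the `solvers` form using the poster's names (letsencrypt-prod, haproxy, example.zone, example-zone-tls); the e-mail address, the backend Service name and port, and the Ingress resource itself are assumptions.

```yaml
# Added example, not from the original post or from cert-manager's own docs.
# ClusterIssuer in the cert-manager >= v0.8 `solvers` form of the
# certmanager.k8s.io/v1alpha1 API. Names are taken from the question;
# the e-mail address is an assumed placeholder.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: admin@example.zone          # assumed; the poster redacted theirs
    # Switch to https://acme-staging-v02.api.letsencrypt.org/directory while
    # debugging to stay clear of the production rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # For a ClusterIssuer this Secret lives in cert-manager's own namespace
      # (the "cluster resource namespace"), not in the Certificate's namespace.
      name: letsencrypt-prod
    solvers:
    # A solver without a selector applies to every dnsName. cert-manager
    # provisions a temporary Ingress with class "haproxy" that routes
    # /.well-known/acme-challenge/<token> on port 80 to its solver pod;
    # HAProxy has to send that path there rather than to the site backend.
    - http01:
        ingress:
          class: haproxy
---
# Assumed Ingress for the site itself. The ingress-shim annotation tells
# cert-manager which issuer to use; the Certificate it generates takes the
# solver from the issuer's `solvers` list, so no per-Certificate challenge
# configuration (the old acme-challenge-type annotation) is needed.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-zone
  namespace: default
  annotations:
    kubernetes.io/ingress.class: haproxy
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - example.zone
    secretName: example-zone-tls
  rules:
  - host: example.zone
    http:
      paths:
      - path: /
        backend:
          serviceName: example-zone    # assumed backend Service
          servicePort: 80
```

After `kubectl apply -f` of the above, `kubectl get challenge` and `kubectl describe challenge <name>` show the HTTP-01 solver being provisioned for example.zone. Let's Encrypt validates over plain HTTP on port 80 from the public internet, so the quickest check is to take `spec.token` from `kubectl get challenge <name> -o yaml` and run `curl -v http://example.zone/.well-known/acme-challenge/<token>` from outside the cluster: if HAProxy answers with the site's own backend (or a 404) instead of the solver's key authorization, the order stays pending regardless of what cert-manager logs.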
  • Can you share (appropriately redacted) output of `kubectl describe order example-zone-2971070786`? – Amit Kumar Gupta Aug 17 '19 at 23:57
  • Any chance you are trying to issue a wildcard cert? – coderanger Aug 18 '19 at 22:31
  • No :/ Is it possible that the challenge is not reachable because my own ingress tries to bind the request, and so the challenge Ingress is not working? – Pascal K. Aug 19 '19 at 06:27
  • I don't really know, but I think I reached the issue limit: issuing another subdomain works fine, but now haproxy won't serve it to my clients :? – Pascal K. Aug 19 '19 at 06:34
  • Can you post the YAML of your ClusterIssuer? – jemag Aug 23 '19 at 15:03
  • How have you installed cert-manager? In which namespace was it deployed? – Crou Aug 27 '19 at 14:58
  • It seems something is wrong with the solver. Did you configure the solver for the ClusterIssuer? Can you post the YAML of your ClusterIssuer? https://cert-manager.io/docs/configuration/acme/dns01/ – Stella Jan 02 '20 at 01:08

2 Answers


So, I am now also using the dns01 challenge, and this is working now. Another thing is that I updated the annotations and added the method and the cluster issuer.

Pascal K.

If you do not open port 80 in your network security rules, the order from cert-manager cannot be fulfilled and remains in the pending state. Ideally you should not keep port 80 open permanently; you can close it once your order is fulfilled (you will need to handle the renewal after 90 days with the same process).