
I'm having an issue trying to create certs with cert-manager in a GKE cluster. This has to be something I am doing on my end, as I have tried versions 1.7.1, 1.7.0, and 1.6.2 and all get the same error.

The error I am seeing is:

E0219 00:57:39.270717       1 sync.go:186] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://mysubdomain.mmydomain.com/.well-known/acme-challenge/secretKey': Get \"https://mysubdomain.mmydomain.com:443/.well-known/acme-challenge/secretKey\": remote error: tls: unrecognized name" "dnsName"="mysubdomain.mmydomain.com" "resource_kind"="Challenge" "resource_name"="elasticsearch-tls-cert-somenumbers" "resource_namespace"="elastic-stack" "resource_version"="v1" "type"="HTTP-01"

This is the setup I went through to install:

Install CRDs:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml

Helm install cert-manager

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.7.1

Confirmed install is good:

➜  ~ helm list -n cert-manager
NAME            NAMESPACE       REVISION    UPDATED                                 STATUS      CHART               APP VERSION
cert-manager    cert-manager    1           2022-02-18 16:07:57.258172 -0800 PST    deployed    cert-manager-v1.6.2 v1.6.2
➜  ~

Applied the ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: "myemail@myemail.com"
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx

Deployed my ingress:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kibana-ingress
  namespace: elastic-stack
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  rules:
  - host: mysubdomain.mmydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kibana-kb-http
          servicePort: 5601
  tls:
    - hosts:
      - mysubdomain.mmydomain.com
      secretName: kibana-tls-cert

Then when I tail the cert-manager pods I see the "remote error: tls: unrecognized name" error.

A describe of the cert challenge says the same thing:

Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://mysubdomain.mmydomain.com/.well-known/acme-challenge/secretKey': Get "https://mysubdomain.mmydomain.com:443/.well-known/acme-challenge/secretKey": remote error: tls: unrecognized name
  State:       pending
Events:
  Type    Reason     Age    From          Message
  ----    ------     ----   ----          -------
  Normal  Started    8m45s  cert-manager  Challenge scheduled for processing
  Normal  Presented  8m45s  cert-manager  Presented challenge using HTTP-01 challenge mechanism

This works totally fine in another cluster, so I cannot figure out what I am doing wrong here.

user17094440
  • Add the service.beta.kubernetes.io/do-loadbalancer-hostname annotation and edit the resource with kubectl edit service ingress-nginx-controller -n ingress-nginx. Have in mind that you might have a different name and namespace. [Reference](https://stackoverflow.com/questions/59390660/certmanager-letsencrypt-certificaterequest-failed-to-perform-self-check-get-req) – Abhijith Chitrapu Feb 19 '22 at 11:37
  • @AbhijithChitrapu I believe that annotation is only for AWS, but I could be wrong. The issue actually was that I used a different NGINX chart, and so the configs for ingress were different. When I switched the NGINX chat to the chart I used in the other cluster, everything worked correctly. – user17094440 Feb 19 '22 at 21:53

2 Answers


Just to elaborate more on this.

The error for me as well had to do with using the nginx-stable chart, which cert-manager does not support, instead of the ingress-nginx chart.

So instead of this:

helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
helm upgrade --install nginx-ingress nginx-stable/nginx-ingress \
  --namespace nginx-ingress \
  --create-namespace \
  --timeout 600s \
  --debug \
  --set controller.publishService.enabled=true

Use this to install ingress-nginx:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace \
  --timeout 600s \
  --debug \
  --set controller.publishService.enabled=true

And then install cert-manager:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --atomic \
  --version v1.8.2 \
  --set installCRDs=true
Promise Preston
  • I was facing this issue for the last 2 days and was losing my mind. This solved the issue. Thanks a lot – Furkan Sep 14 '22 at 14:20
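To read a failure like the one in the question, it helps to repeat cert-manager's self-check by hand and map the error text to a finding. This is an added example, not code from the question, the answers or cert-manager itself; it assumes curl and openssl are installed, and the host and token passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from cert-manager): classify the
# HTTP-01 self-check error and reproduce the check from outside the cluster.
# Assumes curl and openssl are installed; host and token are placeholders.

# Map the error text from a "propagation check failed" log line or from
# "kubectl describe challenge" to a short finding.
classify_selfcheck() {
  case "$1" in
    *": Get \"https://"*"tls: unrecognized name"*)
      echo "redirected-to-https-unknown-sni" ;;
    *"tls: unrecognized name"*)
      echo "unknown-sni" ;;
    *"connection refused"*|*"i/o timeout"*|*"no such host"*)
      echo "unreachable" ;;
    *)
      echo "other" ;;
  esac
}

# Human-readable reading of each finding.
explain_finding() {
  case "$1" in
    redirected-to-https-unknown-sni)
      echo "Plain-HTTP GET for /.well-known/acme-challenge/ was redirected to port 443,"
      echo "and the listener there sent a TLS 'unrecognized name' alert for this host."
      echo "The controller terminating TLS does not know the host, so it is not the"
      echo "controller serving the solver ingress. Check which chart answers for ingress"
      echo "class 'nginx' (this thread's fix: ingress-nginx instead of nginx-stable)." ;;
    unknown-sni)
      echo "The TLS endpoint rejected the server name; check which controller serves port 443." ;;
    unreachable)
      echo "The self-check could not reach the host; check DNS and the load balancer." ;;
    *)
      echo "Unclassified; read the full status with 'kubectl describe challenge'." ;;
  esac
}

# Repeat the self-check by hand: one GET without following redirects, then a
# TLS handshake with SNI to see how the port-443 listener treats the name.
probe_challenge() {
  host="$1"; token="$2"
  url="http://$host/.well-known/acme-challenge/$token"
  echo "GET $url -> $(curl -sS -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$url")"
  printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>&1 \
    | grep -Ei 'alert|unrecognized name|subject=' | head -n 5
}

# Usage: sh selfcheck.sh <host> <token>  (nothing is contacted without args)
if [ "$#" -ge 2 ]; then
  probe_challenge "$1" "$2"
fi
```

Paste the error string from the challenge status into classify_selfcheck to get the finding, then explain_finding for the reading; probe_challenge shows the same redirect and SNI behaviour from your workstation.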

The issue ended up being that I used a different nginx chart in my second cluster by mistake, so the configs for the ingress were different, and in turn not working. I switched the chart on my second cluster to the one that I used in my first cluster, and everything worked.

user17094440
  • Glad to hear it. Thanks for posting the resolution. – Gari Singh Feb 20 '22 at 09:49
  • I ran into exactly the same problem with the same solution on AWS. It is a shame cert-manager does not emphasize that it only works well with the one on https://kubernetes.github.io/ingress-nginx and not with the other ones, including Nginx Inc's own Nginx Ingress Controller. – aries1980 May 18 '22 at 20:16