cert-manager: Acme challenge keeps failing due to propagation check failed
The cert-manager pod logs the following on a GKE Kubernetes cluster:
cert-manager/controller/challenges "msg"="propagation check failed" "error"="presented key (\n\n\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n\n \u003chead\u003e\n \n \u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /\u003e\n \u003ctitle\u003eKonstantin Werhahn | \u003c/title\u003e\n \u003cmeta name=\"description\ m .....CUT..... ss=\"large\"\u003ePage Not Found\u003c/h1\u003e\n \u003cp\u003eThe page you requested couldn't be found - this could be due to a spelling error in the URL or a removed page.\u003c/p\u003e\n \u003ca class=\"btn\" href=\"home\"\u003eGo Back Home\u003c/a\u003e\n \u003c/div\u003e\n \u003c/div\u003e\n .... CUT...../script\u003e\n\n\u003c/html\u003e\n\n) did not match expected (VKC1CqDsd27eEL5Pge8eF14Trm6WOhtRVq5_2xJrc94.AKkjxkjtuUfCyRBifGSsXmUSkyIVj7_vVlXwjXmMU8c)" "dnsName"="khw.io" "resource_kind"="Challenge" "resource_name"="khw-prod-595774067-0" "resource_namespace"="production" "type"="http-01"
On the container of the app I can see the .acme request being logged. Do I need to create an endpoint?
Where do I need to look? What could be the problem?
Environment details:
- Kubernetes version (e.g. v1.10.2): 1.11.10-gke.5
- GKE
/kind bug
About this issue
- State: closed
- Created 5 years ago
- Reactions: 12
- Comments: 18 (1 by maintainers)
Any solutions? I have the same problem and I am using Azure with an Istio gateway.
I am also seeing this, both on Azure and GCP. I am using ingress-nginx.
The error (third line) shows the HTML fetched from the domain of the certificate itself rather than a hash.
Can you please try again with the newest version of cert-manager?
I don’t think this is a bug as such, rather a misconfiguration somewhere. If you’re using ingress-gce, which it looks like you might be, please don’t forget to set the acme.cert-manager.io/http01-override-ingress-name annotation on your Certificate resource to the name of the Ingress used to serve traffic for your domain: https://github.com/jetstack/cert-manager/blob/8d12d351e8a098e7d1323ffb99600571f6368095/pkg/apis/acme/v1alpha2/types.go#L20-L25
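
As an added example (not from the issue and not cert-manager's own code), the script below repeats the HTTP-01 request that the propagation check in the log makes and classifies the answer, so that the HTML-instead-of-key case is recognisable as traffic reaching the app rather than the ACME solver. The function names and result labels are this example's own; the expected key is the one from the log line above.

```python
import re
import sys
import urllib.error
import urllib.request

# Expected key authorization, copied from the log line in the issue.
EXPECTED = "VKC1CqDsd27eEL5Pge8eF14Trm6WOhtRVq5_2xJrc94.AKkjxkjtuUfCyRBifGSsXmUSkyIVj7_vVlXwjXmMU8c"
KEY_AUTH = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")  # token.thumbprint


def challenge_url(domain, expected):
    """HTTP-01 path (RFC 8555): the token is the part before the dot."""
    token = expected.split(".", 1)[0]
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def classify(status, content_type, body, expected):
    """Say who most likely answered the challenge request."""
    presented = body.strip()  # this helper ignores surrounding whitespace
    if status == 200 and presented == expected:
        return "ok"
    if "text/html" in content_type.lower() or "<html" in presented.lower():
        # An HTML page (here the app's 404) means the request was routed to
        # the application backend, not to the ACME solver.
        return "html-from-app"
    if KEY_AUTH.fullmatch(presented):
        return "different-key"  # a solver answered, but for another challenge
    return "unexpected-body"


def fetch(url, timeout=10):
    """Return (status, content type, first 4 KiB of body), also for 4xx/5xx."""
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError is also a readable response
    with resp:
        ctype = resp.headers.get("Content-Type", "")
        return resp.getcode(), ctype, resp.read(4096).decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: script.py <domain> <expected key from the Challenge log line>
    domain, expected = sys.argv[1], sys.argv[2]
    url = challenge_url(domain, expected)
    print(url, "->", classify(*fetch(url), expected))
```

A result of html-from-app while the Challenge is pending points at ingress routing, which is what the override-ingress-name annotation mentioned above addresses.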