cert-manager: ErrVerifyACMEAccount: dial tcp: i/o timeout in v0.3.0

Is this a BUG REPORT or FEATURE REQUEST?: /kind bug

What happened: Got an ErrVerifyACMEAccount when creating an issuer.

$ kubectl describe issuer
Name:		v02-letsencrypt-staging
Namespace:	default
Labels:		<none>
Annotations:	<none>
API Version:	certmanager.k8s.io/v1alpha1
Kind:		Issuer
Metadata:
  Cluster Name:		
  Creation Timestamp:	2018-06-06T05:15:22Z
  Generation:		0
  Resource Version:	74067579
  Self Link:		/apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/v02-letsencrypt-staging
  UID:			9ccfbd86-6948-11e8-93be-0a49fe81f092
Spec:
  Acme:
    Email:	email@somewhere
    Http 01:
    Private Key Secret Ref:
      Key:	
      Name:	v02-letsencrypt-staging
    Server:	https://acme-staging-v02.api.letsencrypt.org/directory
Status:
  Conditions:
    Last Transition Time:	2018-06-06T05:15:50Z
    Message:			Failed to verify ACME account: Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout
    Reason:			ErrRegisterACMEAccount
    Status:			False
    Type:			Ready
Events:
  FirstSeen	LastSeen	Count	From		SubObjectPath	Type		Reason			Message
  ---------	--------	-----	----		-------------	--------	------			-------
  34m		34m		1	cert-manager			Warning		ErrVerifyACMEAccount	Failed to verify ACME account: Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout
  34m		34m		1	cert-manager			Warning		ErrInitIssuer		Error initializing issuer: Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout
  34m		11m		15	cert-manager			Warning		ErrVerifyACMEAccount	Failed to verify ACME account: Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout
  34m		11m		15	cert-manager			Warning		ErrInitIssuer		Error initializing issuer: Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout

What you expected to happen: The issuer should be initialised.

How to reproduce it (as minimally and precisely as possible):

  1. Install latest stable/cert-manager (v0.3.1):
$ helm install --name cert-manager stable/cert-manager --namespace kube-system
  2. Create an issuer. issuer.yaml file content:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: v02-letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: "email@somewhere"

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: v02-letsencrypt-staging

    # Enable the HTTP-01 challenge provider
    http01: {}

$ kubectl create -f /tmp/issuer.yaml

Anything else we need to know?: Logs from ‘cert-manager’ pod:

$ kubectl logs cert-manager-XYZ --namespace kube-system
...
I0606 06:09:33.874679       1 acme.go:159] getting private key (v02-letsencrypt-staging->tls.key) for acme issuer default/v02-letsencrypt-staging
I0606 06:09:33.874744       1 setup.go:46] v02-letsencrypt-staging: generating acme account private key "v02-letsencrypt-staging"
I0606 06:09:34.092759       1 logger.go:67] Calling GetAccount
I0606 06:09:39.093191       1 helpers.go:69] Setting lastTransitionTime for Issuer "v02-letsencrypt-staging" condition "Ready" to 2018-06-06 06:09:39.093172006 +0000 UTC m=+462.291870771
I0606 06:09:39.093261       1 sync.go:40] Error initializing issuer: Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout
E0606 06:09:39.100548       1 controller.go:145] issuers controller: Re-queuing item "default/v02-letsencrypt-staging" due to error processing: Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout
I0606 06:09:39.100588       1 controller.go:136] issuers controller: syncing item 'default/v02-letsencrypt-staging'
I0606 06:09:39.100626       1 acme.go:159] getting private key (v02-letsencrypt-staging->tls.key) for acme issuer default/v02-letsencrypt-staging
...

Environment:

  • Kubernetes version (use kubectl version):
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.8", GitCommit:"c138b85178156011dc934c2c9f4837476876fb07", GitTreeState:"clean", BuildDate:"2018-05-21T19:01:12Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}

Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.8", GitCommit:"c138b85178156011dc934c2c9f4837476876fb07", GitTreeState:"clean", BuildDate:"2018-05-21T18:53:18Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration: AWS

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 16 (1 by maintainers)

Most upvoted comments

Restarted one of the coredns pods and recreated the letsencrypt-prod ClusterIssuer, then it solved the issue.

I found that the kube-dns deployment was missing! Indeed not an issue with cert-manager 👏

It sounds like you’ve got some firewall configuration/setup incorrect, which is causing requests to the LE API to fail. Are you able to curl https://acme-staging-v02.api.letsencrypt.org/directory from within the cert-manager pod?

I cannot see any reported recent outages on the LE status page (https://letsencrypt.status.io/), so my guess is there is some networking issue in your cluster 😄
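
To tell apart the two causes raised in the comments above (cluster DNS versus a blocked path to the Let's Encrypt API), name resolution and the TCP connect can be probed as separate stages. This is an added example, not code from cert-manager or from the thread; the `Probe` function, its stage names and the 5-second timeout are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"time"
)

// Probe separates name resolution from the TCP connect so a timeout can be
// attributed to cluster DNS ("dns") or to the network path ("connect").
// Hypothetical helper for this example; not part of cert-manager.
func Probe(host, port string, timeout time.Duration) (string, error) {
	// Stage 1: resolve only. In a pod this exercises kube-dns/CoreDNS.
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	addrs, err := net.DefaultResolver.LookupHost(ctx, host)
	if err != nil {
		return "dns", err
	}
	// Stage 2: connect to each resolved address; DNS is no longer involved,
	// so a failure here points at egress rules, routing or the remote end.
	var lastErr error
	for _, addr := range addrs {
		d := net.Dialer{Timeout: timeout}
		conn, err := d.Dial("tcp", net.JoinHostPort(addr, port))
		if err != nil {
			lastErr = err
			continue
		}
		conn.Close()
		return "ok", nil
	}
	return "connect", lastErr
}

func main() {
	// Default target is the ACME directory host from the issuer above.
	host := "acme-staging-v02.api.letsencrypt.org"
	if len(os.Args) > 1 {
		host = os.Args[1]
	}
	stage, err := Probe(host, "443", 5*time.Second)
	fmt.Printf("host=%s stage=%s err=%v\n", host, stage, err)
	if stage != "ok" {
		os.Exit(1)
	}
}
```

Run it from a pod that shares cert-manager's namespace and network policy scope so that it uses the same resolver and egress path.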