cert-manager: problem with kubernetes v 1.19 challenge get 404 expected 200
```
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  letsencrypt-prod
  Key:     M82-1nrXIbHmY-pq8P9kAaeFDtDi17C2kjkqlTfJ684.lGAZq-yiVZctaXgZ5FpFdoNUUK6-v1uJUDm1JT16vu0
  Solver:
    http01:
      Ingress:
        Class:  nginx
  Token:     M82-1nrXIbHmY-pq8P9kAaeFDtDi17C2kjkqlTfJ684
  Type:      HTTP-01
  URL:       https://acme-v02.api.letsencrypt.org/acme/chall-v3/10102893970/kAmYIQ
  Wildcard:  false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'
  State:       pending
```
Describe the bug:

Expected behaviour:
I expect that the challenge request will be routed correctly so it can be resolved

Steps to reproduce the bug:

Anything else we need to know?:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: hello-kubernetes-service
spec:
  selector:
    app: hello-kubernetes
  ports:
  - port: 80
    targetPort: 8080
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes
  template:
    metadata:
      labels:
        app: hello-kubernetes
    spec:
      containers:
      - name: hello-kubernetes
        image: paulbouwer/hello-kubernetes:1.8
        ports:
        - containerPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - <domainname>
    secretName: <secretName>
  rules:
  - host: <domain>
    http:
      paths:
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: hello-kubernetes-service
            port:
              number: 8080
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <domainname>
spec:
  secretName: secretName
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
    - <XXXX>
  usages:
  - server auth
  dnsNames:
  - <domainname>
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: default
spec:
  acme:
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <email>
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-prod
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
```
Environment details:
- Kubernetes version: 1.19
- Cloud-provider/provisioner: IBM Cloud
- cert-manager version: v1.1.0
- Install method: e.g. helm/static manifests `kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml`

/kind bug
About this issue
- State: closed
- Created 3 years ago
- Reactions: 2
- Comments: 17 (2 by maintainers)
@meyskens I’m facing exactly the same issue. curl replies 200 after adding the ingress annotation `nginx.ingress.kubernetes.io/ssl-redirect: false`. But the certificate is issued by ‘cert-manager.local’.

Can you do a curl on `<domain>/.well-known/acme-challenge/<token>` and check if you do also get a 404? It seems somehow our generated ingress resource is not being passed to the outside correctly.

/remove-kind bug
/triage support

@pebodk Any luck in getting it to work? I’ve spent a good 10 hrs on this and I can’t find a root cause…
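
The manual check suggested in the thread (curl the `/.well-known/acme-challenge/<token>` path and look at the status), written out as an added shell example that is not part of the original issue or of cert-manager. It also compares the response body with the `Key:` value shown in the challenge description; the function names and result labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the issue): hand-run HTTP-01 reachability check.
# Usage: ./check.sh <domain> <token> <key>
#   <token> and <key> are the "Token:" and "Key:" values printed by
#   `kubectl describe challenge`; the key is <token>.<account thumbprint>.

# Classify one response. $1 = HTTP status, $2 = body, $3 = expected key.
classify_challenge_response() (
  status="$1"; body="$2"; expected="$3"
  case "$status" in
    200)
      if [ "$body" = "$expected" ]; then
        echo "ok"
      else
        # 200 with other content: some other backend answered this path.
        echo "wrong-body"
      fi ;;
    301|302|307|308) echo "redirect" ;;     # e.g. forced HTTP->HTTPS redirect
    404)             echo "not-routed" ;;   # solver path not served at this host
    000)             echo "unreachable" ;;  # curl could not get a response
    *)               echo "unexpected-$status" ;;
  esac
)

# Fetch the challenge URL over plain HTTP, without following redirects,
# so a redirect shows up as its own result instead of being hidden.
check_challenge() (
  domain="$1"; token="$2"; expected="$3"
  tmp="$(mktemp)"
  status="$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' \
    "http://${domain}/.well-known/acme-challenge/${token}" || true)"
  body="$(cat "$tmp")"
  rm -f "$tmp"
  classify_challenge_response "${status:-000}" "$body" "$expected"
)

# Only touch the network when called with all three arguments.
if [ "$#" -eq 3 ]; then
  check_challenge "$1" "$2" "$3"
fi
```

A `not-routed` result matches the `wrong status code '404'` reason in the challenge status above, and `redirect` corresponds to the case where disabling `ssl-redirect` changed the curl result.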