Cert-manager: ACME server does not allow selected challenge type for domain

Created on 25 May 2018 · 6 Comments · Source: jetstack/cert-manager

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:
Note: I've used "mydomain.com" in place of my actual domain.

My cluster issuer resource has the following YAML.

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: ingress
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    http01: {}

I tried to issue a wildcard certificate for domain "mydomain.com". Following is my certificate resource yaml.

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: "wildcard-mydomain-com"
  namespace: myns
spec:
  secretName: "wildcard-mydomain-com-tls"
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: "*.mydomain.com"
  dnsNames:
  - "*.mydomain.com"
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - "*.mydomain.com"

When I submit the above certificate resource to my k8s cluster, cert-manager shows the following messages.

I0525 05:13:52.689367       1 controller.go:177] certificates controller: syncing item 'myns/wildcard-mydomain-com'
I0525 05:13:52.689486       1 sync.go:239] Preparing certificate myns/wildcard-mydomain-com with issuer
I0525 05:13:52.689526       1 acme.go:159] getting private key (letsencrypt-staging->tls.key) for acme issuer ingress/letsencrypt-staging
I0525 05:13:52.690105       1 logger.go:27] Calling GetOrder
I0525 05:13:52.881190       1 logger.go:52] Calling GetAuthorization
I0525 05:13:52.933512       1 prepare.go:263] Cleaning up old/expired challenges for Certificate myns/wildcard-mydomain-com
I0525 05:13:52.933555       1 sync.go:241] Error preparing issuer for certificate myns/wildcard-mydomain-com: ACME server does not allow selected challenge type for domain "mydomain.com"
E0525 05:13:52.938761       1 sync.go:168] [myns/wildcard-mydomain-com] Error getting certificate 'wildcard-mydomain-com-tls': secret "wildcard-mydomain-com-tls" not found
E0525 05:13:52.938807       1 controller.go:186] certificates controller: Re-queuing item "myns/wildcard-mydomain-com" due to error processing: ACME server does not allow selected challenge type for domain "mydomain.com"

What you expected to happen:

I expected to see secret for issued wildcard certificate.

How to reproduce it (as minimally and precisely as possible):
Using the exact same configuration I've mentioned in the "what happened" section above.

Anything else we need to know?:
I've tried using "mydomain.com" instead of "*.mydomain.com" in place of spec.acme.config[0].domains[0] in wildcard certificate resource mentioned above. It didn't help.

Note: I'm using the same domain that I was using with cert-manager (v2.3.0). I already have a few certificates (for 5 subdomains) issued for this domain (using the same email, if that's related). I'm using cert-manager: quay.io/jetstack/cert-manager-controller:v0.3.0-alpha.2.

Environment:

  • Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.6", GitCommit:"6260bb08c46c31eea6cb538b34a9ceb3e406689c", GitTreeState:"clean", BuildDate:"2017-12-21T06:34:11Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.8-gke.0", GitCommit:"6e5b33a290a99c067003632e0fd6be0ead48b233", GitTreeState:"clean", BuildDate:"2018-02-16T18:26:58Z", GoVersion:"go1.8.3b4", Compiler:"gc", Platform:"linux/amd64"}

  • Cloud provider or hardware configuration:
    google cloud (2 vcpu, 8gb per server - 4 server cluster)

  • Install tools:

  • Others:

All 6 comments

I had this error, I fixed it by changing the URL of the CertificateIssuer:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: [email protected]
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    # test server
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory

v01 becomes v02

Hi @smartpierre,

Thanks for your reply.
But it didn't work for me.

I changed the server url from staging to production, but I still get the same error.

New issuer:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: ingress
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    http01: {}

And used this issuer (letsencrypt-prod) in a new certificate. I still get the same errors.

I0529 04:40:09.806045       1 controller.go:177] certificates controller: syncing item 'myns/wildcard-mydomain-com'
I0529 04:40:09.806178       1 sync.go:239] Preparing certificate myns/wildcard-mydomain-com with issuer
I0529 04:40:09.806194       1 acme.go:159] getting private key (letsencrypt-prod->tls.key) for acme issuer ingress/letsencrypt-prod
I0529 04:40:09.806617       1 logger.go:27] Calling GetOrder
I0529 04:40:09.995577       1 logger.go:52] Calling GetAuthorization
I0529 04:40:10.069552       1 prepare.go:263] Cleaning up old/expired challenges for Certificate myns/wildcard-mydomain-com
I0529 04:40:10.069863       1 sync.go:241] Error preparing issuer for certificate myns/wildcard-mydomain-com: ACME server does not allow selected challenge type for domain "mydomain.com"
E0529 04:40:10.077706       1 sync.go:168] [myns/wildcard-mydomain-com] Error getting certificate 'wildcard-mydomain-com-tls': secret "wildcard-mydomain-com-tls" not found
E0529 04:40:10.077912       1 controller.go:186] certificates controller: Re-queuing item "myns/wildcard-mydomain-com" due to error processing: ACME server does not allow selected challenge type for domain "mydomain.com"

You have configured cert-manager to use http01 validation to obtain a wildcard certificate, which is not supported by Let's Encrypt (nor the ACME spec in general):

  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - "*.mydomain.com"

You should use DNS01 validation, as per this tutorial: https://cert-manager.readthedocs.io/en/latest/tutorials/acme/dns-validation.html in order to obtain a wildcard certificate.

ACME server does not allow selected challenge type for domain "mydomain.com" is expected, because the ACME server does not support HTTP01 validation for wildcards, and that is the challenge type you have configured/selected to use.

I'm going to close this off now as I believe it's down to user error - feel free to reopen though if you still hit issues after switching to DNS01!

/close

@munnerz I just faced the same problem. It would be easier to debug if you could add the challenge type to the error message, e.g.

ACME server does not allow selected challenge type "http01" for domain "mydomain.com".

Or possibly something specific about wildcard certs not supporting http01 (which makes perfect sense since there's no way to verify ownership of every possible subdomain).

@munnerz Is it possible to use both dns and http challenges together? Dns challenge for *.mydomain.com and http challenge for a few subdomains under mydomain.com like git.mydomain.com, storage.mydomain.com, etc

Yes - you'll need to manually create your Certificate to do that right now however (ie no ingress shim)


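The two points made in the thread above, that a wildcard identifier can only be authorized with DNS-01 while named hosts may keep HTTP-01, and that a single Certificate can mix both solvers, can be checked before a manifest is ever applied. The following Go program is an added example written for this page; it is not cert-manager's own code. It models one entry of spec.acme.config[] with a simplified struct (an assumption: only the fields used here are mirrored), flags any wildcard domain that is paired with http01, and shows which DNS TXT record the ACME server would look up for the wildcard. Per RFC 8555, the authorization for "*.mydomain.com" is issued for the base name "mydomain.com" with wildcard set, which is also why the error message in the logs above names "mydomain.com" rather than the wildcard. The token and account-key thumbprint used at the end are constructed placeholder values.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// ChallengeConfig is a simplified mirror of one spec.acme.config[] entry in a
// cert-manager v1alpha1 Certificate (assumption: only these fields are modelled).
type ChallengeConfig struct {
	Domains []string
	HTTP01  bool // an http01: {...} block is present
	DNS01   bool // a dns01: {...} block is present
}

// Finding is one domain/solver pairing the ACME server would reject.
type Finding struct {
	Domain string
	Reason string
}

// IsWildcard reports whether a DNS identifier is a wildcard name.
func IsWildcard(domain string) bool {
	return strings.HasPrefix(domain, "*.")
}

// LintChallengeConfig applies the rule behind the error in this issue:
// Let's Encrypt only offers dns-01 for wildcard identifiers, so any wildcard
// listed under an http01 solver will be rejected at authorization time.
func LintChallengeConfig(cfgs []ChallengeConfig) []Finding {
	var findings []Finding
	for _, c := range cfgs {
		for _, d := range c.Domains {
			if IsWildcard(d) && c.HTTP01 {
				findings = append(findings, Finding{
					Domain: d,
					Reason: "wildcard names must use dns01; the ACME server does not allow http01 for them",
				})
			}
		}
	}
	return findings
}

// DNS01Record returns the TXT record name and value an ACME server validates
// for a DNS-01 challenge (RFC 8555 section 8.4): the record lives at
// _acme-challenge.<base name> (the leading "*." is dropped for wildcards) and
// holds base64url(SHA-256(token "." accountKeyThumbprint)).
func DNS01Record(domain, token, thumbprint string) (name, value string) {
	base := strings.TrimPrefix(domain, "*.")
	sum := sha256.Sum256([]byte(token + "." + thumbprint))
	return "_acme-challenge." + base, base64.RawURLEncoding.EncodeToString(sum[:])
}

func main() {
	// Constructed input mirroring the Certificate from the issue: http01 for a wildcard.
	bad := []ChallengeConfig{
		{Domains: []string{"*.mydomain.com"}, HTTP01: true},
	}
	// The split the maintainer describes: dns01 for the wildcard, http01 for named hosts.
	good := []ChallengeConfig{
		{Domains: []string{"*.mydomain.com"}, DNS01: true},
		{Domains: []string{"git.mydomain.com", "storage.mydomain.com"}, HTTP01: true},
	}

	for _, f := range LintChallengeConfig(bad) {
		fmt.Printf("rejected: %s: %s\n", f.Domain, f.Reason)
	}
	fmt.Printf("mixed-solver config: %d findings\n", len(LintChallengeConfig(good)))

	// Constructed placeholder token and thumbprint; real values come from the ACME
	// challenge object and the issuer's account key.
	name, value := DNS01Record("*.mydomain.com", "example-token", "example-thumbprint")
	fmt.Printf("TXT %s = %s\n", name, value)
}
```

Run with `go run .`; the first config yields one finding for "*.mydomain.com", the mixed config yields none, and the TXT record is reported at _acme-challenge.mydomain.com, not at the wildcard name. Because the record value depends only on the token and the account key, the same DNS-01 authorization covers the base name and the wildcard, which is the property HTTP-01 lacks for every possible subdomain.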