I'm not sure if this is my configuration or a bug. We're using the latest 0.4.1 in the helm chart with almost no changes outside of the letsencrypt url. When setting up a DNS01 ClusterIssuer it attempts to generate an HTTP01 cert. We have one ClusterIssuer defined as shown below pulling from letsencrypt for two domain names with two subnets each. It works when tested using HTTP01 and a single domain but moving to DNS to support multiple kubernetes clusters doesn't.
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
  namespace: nginx-ingress
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-production
    dns01:
      providers:
      - name: route53-zone1
        route53:
          region: us-west-2
          hostedZoneID: asdfasdf1
          accessKeyID: bbbbbbbbbbbbbbbbbbb
          secretAccessKeySecretRef:
            name: certificates-manager-tls-credentials
            key: credentials
      - name: route53-zon2
        route53:
          region: us-west-2
          hostedZoneID: asdfasdf2
          accessKeyID: hhhhhhhhhhhhhhhhhhhh
          secretAccessKeySecretRef:
            name: certificates-manager-tls-credentials
            key: credentials
```
This creates a certificate section like:
```yaml
spec:
  acme:
    config:
    - domains:
      - test1.domain1.com
      - test2.domain1.com
      - test1.domain2.com
      - test2.domain2.com
      http01:
        ingress: ""
        ingressClass: nginx
  commonName: ""
  dnsNames:
  - test1.domain1.com
  - test2.domain1.com
  - test1.domain2.com
  - test2.domain2.com
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-production
  secretName: rudy-tls
status:
  acme:
    order:
      url: https://acme-v02.api.letsencrypt.org/acme/order/40589237/43081146
  conditions:
  - lastTransitionTime: 2018-08-20T20:33:01Z
    message: '[ACME server does not allow selected challenge type or no provider
      is configured for domain "test1.domain1.com", ACME server does not allow
      selected challenge type or no provider is configured for domain "test2.domain1.com",
      ACME server does not allow selected challenge type or no provider is configured
      for domain "test1.domain2.com"]'
```
Certificate in namespace has dns01 issuer type.
Kubernetes version: 1.10.3
Cloud-provider/provisioner: AWS/Kops
cert-manager version: 0.4.1
install method: helm
/kind help-wanted
Are the certificates for your two hosted zones successfully issued? Did you enable `tls-acme: True` or manually create the certificate? https://github.com/jetstack/cert-manager/issues/822 I encountered a problem with the multi-hostedzone dns01 challenge...
Added the error message to the ticket. The certificates are not issued and we're using `tls-acme: True`.

```yaml
message: '[ACME server does not allow selected challenge type or no provider
  is configured for domain "test1.domain1.com", ACME server does not allow
  selected challenge type or no provider is configured for domain "test2.domain1.com",
  ACME server does not allow selected challenge type or no provider is configured
  for domain "test1.domain2.com"]'
```
Your link doesn't work for me. It may be missing a number?
Found it by id. not sure why the link wasn't working for me.
Possibly related to #630
Passing the following values to helm fixes it for me: `ingressShim.defaultACMEChallengeType=dns01,ingressShim.defaultACMEDNS01ChallengeProvider=route53`
Yep you'll need to update ingress-shim's configuration to tell it to use DNS01 instead of HTTP01 (or otherwise, manually configure a Certificate resource).
I'm going to close this issue, as it appears to be down to configuration issues. Do let me know if the above does not resolve your issue!
How can I add those if I am deploying cert-manager via yamls files and not with Helm? @sruon @munnerz
> Passing the following values to helm `ingressShim.defaultACMEChallengeType=dns01,ingressShim.defaultACMEDNS01ChallengeProvider=route53` fixes it for me
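For the non-Helm deployment asked about above, the other route munnerz mentions is to write the Certificate by hand instead of letting ingress-shim generate it with its http01 defaults. The manifest below is an added example, not something posted in this thread; it reuses the ClusterIssuer, secret and provider names from the original report, and assumes the `nginx-ingress` namespace and that hosted zone `asdfasdf1` is authoritative for domain1.com and `asdfasdf2` for domain2.com, so each `config` entry points one zone's hostnames at the provider that holds that zone's credentials.

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: rudy-tls
  namespace: nginx-ingress   # assumption: the namespace of the Ingress that will use the secret
spec:
  secretName: rudy-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  dnsNames:
  - test1.domain1.com
  - test2.domain1.com
  - test1.domain2.com
  - test2.domain2.com
  acme:
    config:
    # domain1.com names: hosted zone asdfasdf1, solved by provider route53-zone1
    - domains:
      - test1.domain1.com
      - test2.domain1.com
      dns01:
        provider: route53-zone1
    # domain2.com names: hosted zone asdfasdf2, solved by provider route53-zon2
    # (the provider name exactly as spelled in the ClusterIssuer above)
    - domains:
      - test1.domain2.com
      - test2.domain2.com
      dns01:
        provider: route53-zon2
```

Every entry in `dnsNames` has to be covered by one `config` entry that names a dns01 provider, otherwise the order fails with the "no provider is configured for domain" message shown above. With a hand-written Certificate, leave the `tls-acme` annotation off the Ingress so ingress-shim does not rewrite the resource back to its http01 default.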