Cert-manager: Cannot create dns ClusterIssuer with DigitalOcean provider

Created on 26 Nov 2018 · 3 Comments · Source: jetstack/cert-manager

Describe the bug:

While creating ClusterIssuer with this config:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: '[email protected]'
    privateKeySecretRef:
      name: letsencrypt
    dns01:
      providers:
        - name: dns
          digitalocean:
            tokenSecretRef:
              name: digitalocean-dns
              key: access-token

....

kubectl create secret generic digitalocean-dns -n=kube-system --from-file=access-token
kubectl create -f cluster-issuer.yml

cert-manager logs:

1 controller.go:140] clusterissuers controller: syncing item 'letsencrypt'
1 helpers.go:147] Setting lastTransitionTime for ClusterIssuer "letsencrypt" condition "Ready" to 2018-11-26 02:08:23.445923986 +0000 UTC m=+10271.676525736
1 controller.go:154] clusterissuers controller: Finished processing work item "letsencrypt"
1 controller.go:171] certificates controller: syncing item 'rdk/phpmyadmin-reportingdokapsy-cz-cert'
1 sync.go:120] Issuer letsencrypt not ready

ClusterIssuer description:

Name:         letsencrypt
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2018-11-26T02:08:21Z
  Generation:          1
  Resource Version:    80905
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt
  UID:                 25f73e31-f120-11e8-9375-de1a20202003
Spec:
  Acme:
    Dns 01:
      Providers:
        Name:  dns
    Email:     [email protected]
    Private Key Secret Ref:
      Key:
      Name:  letsencrypt
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Conditions:
    Last Transition Time:  2018-11-26T02:08:23Z
    Message:               Resource validation failed: spec.acme.dns01.providers[0]: Required value: at least one provider must be configured
    Reason:                ConfigError
    Status:                False
    Type:                  Ready
Events:                    <none>

The same ClusterIssuer works ok with route53 provider.

Expected behaviour:
Creating ClusterIssuer should work.

Steps to reproduce the bug:

1) install cert-manager 0.5.2
2) create DO secret
3) create ClusterIssuer

Anything else we need to know?:

no

Environment details:

  • Kubernetes version (e.g. v1.10.2): 1.11.4
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): scaleway
  • cert-manager version (e.g. v0.4.0): 0.5.2
  • Install method (e.g. helm or static manifests): helm (pharos-cluster)

/kind bug
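
The describe output in this issue shows the stored provider entry keeping only its name. As an added example (not part of the original issue and not cert-manager code), this Python function compares a submitted manifest with the object read back from the API, for instance from `kubectl get clusterissuer letsencrypt -o json`, and lists the fields that did not survive. Both sample objects are constructed from the manifest and describe output on this page, with a placeholder email; `dropped_paths` is a hypothetical helper name.

```python
# Added example: report manifest fields that are missing from the stored object.

def dropped_paths(submitted, stored, path=""):
    """Return paths present in `submitted` but absent from `stored` (presence only)."""
    missing = []
    if isinstance(submitted, dict):
        if not isinstance(stored, dict):
            return [path]
        for key, value in submitted.items():
            child = f"{path}.{key}" if path else key
            if key not in stored:
                missing.append(child)
            else:
                missing.extend(dropped_paths(value, stored[key], child))
    elif isinstance(submitted, list):
        if not isinstance(stored, list):
            return [path]
        for i, item in enumerate(submitted):
            child = f"{path}[{i}]"
            if i >= len(stored):
                missing.append(child)
            else:
                missing.extend(dropped_paths(item, stored[i], child))
    return missing

# Constructed from the manifest in this issue (email is a placeholder).
SUBMITTED = {"spec": {"acme": {
    "server": "https://acme-v02.api.letsencrypt.org/directory",
    "email": "user@example.invalid",
    "privateKeySecretRef": {"name": "letsencrypt"},
    "dns01": {"providers": [{
        "name": "dns",
        "digitalocean": {"tokenSecretRef": {
            "name": "digitalocean-dns", "key": "access-token"}},
    }]},
}}}

# Constructed from the describe output in this issue: the provider has only a name.
STORED = {"spec": {"acme": {
    "server": "https://acme-v02.api.letsencrypt.org/directory",
    "email": "user@example.invalid",
    "privateKeySecretRef": {"key": "", "name": "letsencrypt"},
    "dns01": {"providers": [{"name": "dns"}]},
}}}

if __name__ == "__main__":
    for p in dropped_paths(SUBMITTED, STORED):
        print("dropped:", p)
```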


All 3 comments

I think cert-manager version 0.5.2 doesn't support DigitalOcean. I had the same issue but upgrading to the latest dev version (using the with-rbac.yaml file from here) fixed it for me.

Ah, I thought I saw it in release notes, but maybe I misread the information.

@danielslee You are correct. It was already merged, but not released yet. Any plans for the release? :)
