Cert-manager: 0.7.2 : Challenge resource for Authorization: ACME server does not allow selected challenge type or no provider is configured for domain

Created on 7 May 2019 · 9 Comments · Source: jetstack/cert-manager

Describe the bug:
Re-queuing item "default/echo-test-1668927883" due to error processing: Error constructing Challenge resource for Authorization: ACME server does not allow selected challenge type or no provider is configured for domain "echo.test.mydomain.com"

This used to work with the previous version 0.5.2

It looks like a "domains" configuration section was added to the dns01 configuration block which I found when searching for a solution? I tried adding it, but it's not made a difference.

Expected behaviour:
I expect this error not to occur.

Steps to reproduce the bug:
Guide: https://docs.cert-manager.io/en/latest/getting-started/install.html

  1. Deploy CRD's
  2. Deploy Cert Manager with Helm
  3. Create Azure DNS ClusterIssuer Secret
  4. Create Azure DNS ClusterIssuer

Anything else we need to know?:
ClusterIssuer

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prodapi-dns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod-ssl-pkey
    dns01:
      providers:
      - name: azure
        azuredns:
          # Service principal clientId (also called appId)
          clientID: xxx
          clientSecretSecretRef:
            name: azure-dns-client-secret
            key: client-secret
          subscriptionID: xxx
          tenantID: xxx
          # ResourceGroup name where dns zone is provisioned
          resourceGroupName: platform
          hostedZoneName: test.mydomain.com
      # added while troubleshooting (see above)
      domains:
      - "test.mydomain.com"

Certificate

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert
  namespace: default
spec:
  secretName: cert-tls
  issuerRef:
    name: letsencrypt-prodapi-dns
    kind: ClusterIssuer
  commonName: "echo.test.mydomain.com"
  # dnsNames:
  # - "echo.test.mydomain.com"
  acme:
    config:
    - dns01:
        provider: azure
      domains:
      - "echo.test.mydomain.com"

I added this domains: config block trying to resolve the issue but it's not made any difference

Environment details:

  • Kubernetes version: v1.12.6
  • Cloud-provider/provisioner: AKS
  • cert-manager version: 0.7.2
  • Install method: Helm

/kind bug


All 9 comments

So I'm not much of a developer but I looked through the codebase for the Azure DNS01 configuration and it looks like the documentation is perhaps out of date?

The code says zoneName and not hostedZoneName ... Am I reading this right?

https://github.com/jetstack/cert-manager/blame/release-0.7/pkg/issuer/acme/dns/azuredns/azuredns.go#L48

I tried that, and it seems to work fine, describing the Cluster Issuer shows:

Zone Name: test.mydomain.com

Still getting the error:

Error constructing Challenge resource for Authorization: ACME server does not allow selected challenge type or no provider is configured for domain: echo.test.mydomain.com

Can anyone tell me, where do we supply the configuration to satisfy this check ? It suggests we have to configure domains under the provider however I don't see that documented anywhere.

Hitting the same for DNS-01 challenge on v0.8.0.

Has anyone made progress on this bug? I think I've run into it as well

Having the same issue on v0.9.0

I'm also running into this issue while attempting to issue certs using route 53 and dns01 challenge (on both v0.8.0 and v0.9.0). Any update on this?

I have encountered the same problem. Here is what actually works.

In ClusterIssuer, the DNS resolver config should be in acme.dns01.providers, not acme.solvers, although the api reference said acme.dns01 is DEPRECATED.

ClusterIssuer

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: [email protected]
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    dns01:
      providers:
      - name: azure-dns
        azuredns:
          subscriptionID: 12345678-1234-5678-1234-1234567890ab
          tenantID: 12345678-1234-5678-1234-1234567890ab
          resourceGroupName: bar
          zoneName: bar.com
          clientID: 12345678-1234-5678-1234-1234567890ab
          clientSecretSecretRef:
            name: azure-dns
            key: password

Certificate

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: foo
spec:
  acme:
    config:
    - dns01:
        provider: azure-dns
      domains:
      - foo.bar.com
  commonName: foo.bar.com
  keyAlgorithm: ecdsa
  keySize: 256
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  secretName: foo-tls

Also does not appear to work with clouddns on v0.9.0, unless I revert to the deprecated format. I think the docs published on https://docs.cert-manager.io should be reverted until the new format is functional and clarified. I lost a good chunk of yesterday on this as a result of heeding the deprecation warnings.

I finally managed to get the newer format working with clouddns. Maybe this is just the result of the documentation being very unclear as to how to use selectors? Since I'm only using clouddns, I removed all the http01 bits, and set my dns01 config to always be used.

ClusterIssuer

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector: {}
      dns01:
        clouddns:
          project: example-com
          serviceAccountSecretRef:
            name: prod-clouddns-svc-acct-secret
            key: service-account.json

Certificate

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com-prod
  namespace: default
spec:
  secretName: example-com-prod-tls
  commonName: '*.example.com'
  dnsNames:
  - example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
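
The working ClusterIssuer above relies on `selector: {}`, and the thread's confusion is about how a solver's `selector` decides which domains it serves. The following is an added example (not cert-manager's own code and not posted by anyone in this thread) that models that decision for the v0.8+ `spec.acme.solvers` list: every solver is tried against the domain, the most specific match wins, and when nothing matches the Challenge cannot be built, which is the error quoted in this issue. The matching rules are an assumption modelled on the documented behaviour: an empty selector matches any domain, `dnsNames` needs an exact name, `dnsZones` covers the zone apex and every name beneath it. The solver names and domains are constructed inputs taken from the configurations discussed above.

```python
"""Toy model of how an ACME issuer picks a solver for a domain.

Added example, not cert-manager's own code. Matching rules are an
assumption based on the documented v0.8+ behaviour: `selector: {}`
matches everything, `dnsNames` needs an exact name, `dnsZones` matches
the zone apex and all names beneath it, and the most specific match
wins.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Error text as it appears in this issue.
NO_SOLVER_ERROR = ("ACME server does not allow selected challenge type "
                   "or no provider is configured for domain")


@dataclass
class Solver:
    """One entry of spec.acme.solvers, reduced to its selector."""
    name: str                                       # label for reporting only
    dns_names: list = field(default_factory=list)   # selector.dnsNames
    dns_zones: list = field(default_factory=list)   # selector.dnsZones


def specificity(solver: Solver, domain: str) -> Optional[Tuple[int, int]]:
    """Rank how well `solver` matches `domain`; None means no match.
    Higher tuples win: exact name > zone (longest zone first) > catch-all."""
    if domain in solver.dns_names:
        return (3, len(domain))
    zone_hits = [z for z in solver.dns_zones
                 if domain == z or domain.endswith("." + z)]
    if zone_hits:
        return (2, max(len(z) for z in zone_hits))
    if not solver.dns_names and not solver.dns_zones:
        return (1, 0)                               # `selector: {}`
    return None


def select_solver(solvers, domain: str) -> Solver:
    """Pick the solver for `domain`; raise the thread's error if none."""
    ranked = [(specificity(s, domain), s) for s in solvers]
    ranked = [(r, s) for r, s in ranked if r is not None]
    if not ranked:
        raise LookupError(f'{NO_SOLVER_ERROR} "{domain}"')
    return max(ranked, key=lambda rs: rs[0])[1]


def walk_thread() -> dict:
    """Replay the selector shapes discussed above on constructed inputs."""
    domain = "echo.test.mydomain.com"
    out = {}
    # A selector that lists only the zone apex as a dnsName does not
    # cover a hostname beneath it, so no Challenge can be constructed.
    apex_only = [Solver("azure", dns_names=["test.mydomain.com"])]
    try:
        select_solver(apex_only, domain)
        out["apex_only"] = "matched"
    except LookupError as e:
        out["apex_only"] = str(e)
    # `selector: {}`, as in the working clouddns ClusterIssuer.
    catch_all = [Solver("clouddns")]
    out["catch_all"] = select_solver(catch_all, domain).name
    # A zone selector covers every name beneath it; an exact dnsName
    # match still outranks it, and the catch-all only serves the rest.
    layered = [Solver("azure-zone", dns_zones=["test.mydomain.com"]),
               Solver("http01-fallback"),
               Solver("azure-exact", dns_names=[domain])]
    out["layered"] = select_solver(layered, domain).name
    out["sibling"] = select_solver(layered, "api.test.mydomain.com").name
    out["other"] = select_solver(layered, "www.example.org").name
    return out


if __name__ == "__main__":
    for key, value in walk_thread().items():
        print(f"{key}: {value}")
```

Run it and the first case reproduces the error from this issue, while the `selector: {}` case and the `dnsZones` case both resolve; the practical takeaway is that a selector naming only `test.mydomain.com` under `dnsNames` will never serve `echo.test.mydomain.com`, whereas the same value under `dnsZones` (or an empty selector) will.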

I'm going to close this issue now as there's no one thing to solve here, and we've been making incremental improvements to our documentation 😄
