Describe the bug:
I am getting the error below after installing a ClusterIssuer and a Certificate on AKS, and it is not issuing a certificate from Let's Encrypt. I also tried with matchLabels and adding the same label to the Certificate, but the issue is the same.
error constructing Challenge resource for authorization: no configured challenge solvers can be used for this challenge
Steps to reproduce the bug:
Apply this config in the AKS cluster for your service.
ClusterIssuer:
```yaml
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - selector:
        dnsNames:
        - example.com
        - api2.example.com
        - apm-server.example.com
      dns01:
        azuredns:
          clientID: xxxxx
          clientSecretSecretRef:
            name: azuredns-config
            key: CLIENT_SECRET
          subscriptionID: xxxxx
          tenantID: xxxxx
          resourceGroupName: xxxxx
          hostedZoneName: example.com
          environment: AzurePublicCloud
```
Certificate:
```yaml
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: service-crt
  namespace: istio-system
spec:
  secretName: service-crt
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: example.com
  dnsNames:
  - "example.com"
```
Environment details:
/kind bug
Please can you upgrade to v0.11.0 and update this issue with the most recent results? The solvers implementation is now the default, and we've made improvements to it since v0.9.0 😄
I am also seeing this problem using route53 and v0.12.0
cert-manager-788fb8fdf-pnrnh cert-manager E1208 04:42:43.587413 1 sync.go:111] cert-manager/controller/orders "msg"="Failed to determine the list of Challenge resources needed for the Order" "error"="no configured challenge solvers can be used for this challenge" "resource_kind"="Order"
issuer:
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-iss
  namespace: cert-manager
spec:
  acme:
    email: xxxxxx
    privateKeySecretRef:
      name: letsencrypt-iss-key
    server: https://acme-staging-v02.api.letsencrypt.org/directory
  # as posted: solvers sits beside acme rather than under it (see the edit below)
  solvers:
  - selector:
      dnsZones:
      - "example.com"
    dns01:
      route53:
        hostedZoneID: xxxx
        accessKeyID: xxxxx
        region: us-west-2
        secretAccessKeySecretRef:
          key: secret-access-key
          name: aws-cert-manager
```
certificate:
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: ingress-certs
spec:
  dnsNames:
  - "example.com"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-iss
  secretName: ex-secret
```
_EDIT_: The issue was that my solver was not under the acme block.
I was missing the acme block in the Certificate as well, but why is it gone from the docs? https://cert-manager.io/docs/usage/certificate/
v0.12.0
@hpohl how did you apply the Certificate with the acme block? I'm getting ValidationError(Certificate.spec): unknown field "acme" in io.cert-manager.v1alpha2.Certificate.spec when trying.
This works for me:
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example
  namespace: istio-system
spec:
  secretName: example
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
  - 'example.com'
  acme:
    config:
    - dns01:
        provider: cloudflare
      domains:
      - 'example.com'
```
@hpohl do you have your CRDs at version 0.12.0 as well? Because they no longer contain the acme field, and trying to apply your example _should_ fail, I assume.
@suda I do have the CRDs at version 0.12.0. But I also have the certmanager.k8s.io/disable-validation: "true" label on the cert-manager namespace still.
I had an issue similar to this, but it was when I changed the solver from http01 to dns01 on an existing letsencrypt issuer, after recently creating a new cert on http01. When the order was created I got into a weird state of having two authorizations on it, one with http01 and the second with dns01. It seemed like cert-manager only tried to use the first and saw that only http01 was authorized but I was trying to use dns01, and gave up.
I corrected it by deleting the letsencrypt issuer secret, so I guess I got a whole new account + new order + new authorization that this time matched on dns01 and was able to receive my cert.
I'm also having this issue, I'm trying to use HTTP validation.
This is my Certificate resource:
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: wildcard-cert
spec:
  dnsNames:
  - "*.quivr.be"
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod
  secretName: wildcard-cert
```
and my Issuer:
```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
```
Can I not use the HTTP solver? Or what's going wrong here?
I'm using cert-manager 0.13, deployed from the quickstart guide (manually, without Helm).
HTTP01 cannot be used to obtain wildcard certificates - you'll need to use DNS01 validation instead 🙂
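The two failure modes discussed in this thread (solvers placed beside acme instead of under it, and an http01-only issuer asked for a wildcard name) can be reproduced offline. The Go program below is an added example written for this thread, not cert-manager's own code: the struct types are a cut-down stand-in for the v1alpha2 issuer spec, the two JSON documents are constructed equivalents of the YAML posted above, and ChooseSolver approximates the documented selector precedence (a dnsNames match over a dnsZones match over a solver with no selector) rather than reproducing the controller's exact algorithm. DecodeSpec in lenient mode drops the misplaced solvers silently, which is what the issuer looks like to the controller once validation is disabled, and in strict mode it rejects them with an unknown-field error of the kind reported earlier in the thread; ChooseSolver returns the thread's "no configured challenge solvers" error for the wildcard-with-http01 case because an ACME server only offers DNS-01 for a wildcard identifier.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Cut-down stand-ins for the cert-manager v1alpha2 issuer types (assumed shape, not the project's own).
type Selector struct {
	DNSNames []string `json:"dnsNames,omitempty"`
	DNSZones []string `json:"dnsZones,omitempty"`
}
type Solver struct {
	Selector *Selector              `json:"selector,omitempty"`
	HTTP01   map[string]interface{} `json:"http01,omitempty"`
	DNS01    map[string]interface{} `json:"dns01,omitempty"`
}
type IssuerSpec struct {
	ACME struct {
		Solvers []Solver `json:"solvers"`
	} `json:"acme"`
}

// Constructed specs, the JSON form of the YAML posted in the thread.
// MisnestedIssuer has "solvers" beside "acme" instead of inside it.
const MisnestedIssuer = `{"acme":{},"solvers":[{"selector":{"dnsZones":["example.com"]},"dns01":{"route53":{}}}]}`
const CorrectIssuer = `{"acme":{"solvers":[{"http01":{"ingress":{"class":"nginx"}}},
 {"selector":{"dnsZones":["example.com"]},"dns01":{"route53":{}}}]}}`

// DecodeSpec parses a spec. strict=false drops unknown fields silently, so a
// misplaced "solvers" leaves the issuer with none; strict=true rejects them,
// like the "unknown field" ValidationError kubectl reports.
func DecodeSpec(doc string, strict bool) (IssuerSpec, error) {
	var spec IssuerSpec
	dec := json.NewDecoder(strings.NewReader(doc))
	if strict {
		dec.DisallowUnknownFields()
	}
	err := dec.Decode(&spec)
	return spec, err
}

// ErrNoSolver mirrors the message cert-manager logs when no solver fits.
var ErrNoSolver = errors.New("no configured challenge solvers can be used for this challenge")
func anyMatch(list []string, match func(string) bool) bool {
	for _, x := range list {
		if match(x) {
			return true
		}
	}
	return false
}

// ChooseSolver picks the solver for one DNS identifier. It approximates the
// documented precedence (every criterion in a selector must match; a dnsNames
// hit beats a dnsZones hit, which beats a solver with no selector) and applies
// the ACME rule that a wildcard identifier is only ever offered DNS-01.
func ChooseSolver(solvers []Solver, dnsName string) (*Solver, error) {
	bare := strings.TrimPrefix(dnsName, "*.")
	best, bestScore := (*Solver)(nil), -1
	for i := range solvers {
		s := &solvers[i]
		if bare != dnsName && s.DNS01 == nil {
			continue // wildcard name: an HTTP-01 solver can never satisfy it
		}
		score := 0
		if sel := s.Selector; sel != nil {
			nameHit := anyMatch(sel.DNSNames, func(n string) bool { return n == dnsName })
			zoneHit := anyMatch(sel.DNSZones, func(z string) bool { return bare == z || strings.HasSuffix(bare, "."+z) })
			if (len(sel.DNSNames) > 0 && !nameHit) || (len(sel.DNSZones) > 0 && !zoneHit) {
				continue // a selector that does not match disqualifies the solver
			}
			if nameHit {
				score = 2
			} else if zoneHit {
				score = 1
			}
		}
		if score > bestScore {
			best, bestScore = s, score
		}
	}
	if best == nil {
		return nil, ErrNoSolver
	}
	return best, nil
}

func main() {
	lenient, _ := DecodeSpec(MisnestedIssuer, false)
	_, strictErr := DecodeSpec(MisnestedIssuer, true)
	fmt.Printf("misnested spec: %d solvers seen; strict decode: %v\n", len(lenient.ACME.Solvers), strictErr)
	spec, _ := DecodeSpec(CorrectIssuer, true)
	for _, name := range []string{"api.example.com", "*.example.com", "other.org"} {
		s, err := ChooseSolver(spec.ACME.Solvers, name)
		fmt.Printf("%s -> dns01=%v err=%v\n", name, s != nil && s.DNS01 != nil, err)
	}
}
```

Run it with go run; main prints the solver count the controller would see for the misnested spec, the strict-mode rejection, and which solver type each of three names is routed to. The equivalent check against a live cluster is kubectl get clusterissuer NAME -o jsonpath='{.spec.acme.solvers}' (NAME is your issuer): if that prints nothing, the solvers are not where the controller looks for them.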