Cert-manager: Failed to determine a valid solver configuration

Created on 17 Dec 2019 · 5 Comments · Source: jetstack/cert-manager

I was trying to follow the dns01 challenge solver described here (https://cert-manager.io/docs/configuration/acme/dns01/google/). However, the cert can't be fetched, and the order error says: Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge.

ClusterIssuer
Created in cert-manager namespace.

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
 name: letsencrypt
 namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    # Staging
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Production
    #  server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [myemailaddress]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt
    # Enable the DNS-01 challenge provider (Google CloudDNS)
    acme:
      solvers:
        - dns01:        
            clouddns:
              # The ID of the GCP project
              project: [project-id]
              # This is the secret used to access the service account
              serviceAccountSecretRef:
                name: clouddns-dns01-solver-svc-acct
                key: key.json

Certificate

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: my-tls
  namespace: sandpit
spec:
  secretName: my-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: '*.mydomain.com'
  dnsNames:
  - mydomain.com
  - '*.mydomain.com'

I also tried this configuration for Certificate:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: my-tls
  namespace: sandpit
spec:
  secretName: my-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: '*.mydomain.com'
  dnsNames:
  - mydomain.com
  - '*.mydomain.com'
  acme:
    config:
    - dns01:
        provider: clouddns
      domains:
      - mydomain.com
      - '*.mydomain.com'

The created order remains in the pending state forever, with a Warning that says:

Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge

Why can't the solver be found?

lifecycle/rotten triage/support

Most helpful comment

Your ClusterIssuer definition is incorrect:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
 name: letsencrypt
 namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    # Staging
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Production
    #  server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [myemailaddress]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt
    # Enable the DNS-01 challenge provider (Google CloudDNS)
    acme:
      solvers:
        - dns01:        
            clouddns:
              # The ID of the GCP project
              project: [project-id]
              # This is the secret used to access the service account
              serviceAccountSecretRef:
                name: clouddns-dns01-solver-svc-acct
                key: key.json

should be:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
 name: letsencrypt
 namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    # Staging
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Production
    #  server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [myemailaddress]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt
    # Enable the DNS-01 challenge provider (Google CloudDNS)
    solvers:
      - dns01:        
          clouddns:
            # The ID of the GCP project
            project: [project-id]
            # This is the secret used to access the service account
            serviceAccountSecretRef:
              name: clouddns-dns01-solver-svc-acct
              key: key.json

i.e. there should not be an additional acme: before the solvers: line.
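
The following check is an added example, not code from cert-manager or from anyone in this thread. It models why the extra acme: key produces the Order warning: with the solvers list nested one level too deep, nothing is found at spec.acme.solvers, so no name on the Certificate has a usable solver. It assumes solvers carry no selector (as on this page) and that wildcard names need a dns01 solver; the function names and the key list are illustrative.

```python
# Added example: a simplified model, not cert-manager's own code.
# Fields under spec.acme that the manifests on this page use (assumption:
# this is not the full ACME issuer schema).
KNOWN_ACME_KEYS = {"server", "email", "privateKeySecretRef", "solvers"}


def misplaced_keys(issuer):
    """Return keys under spec.acme that this check does not recognise."""
    acme = issuer.get("spec", {}).get("acme", {})
    return sorted(set(acme) - KNOWN_ACME_KEYS)


def unsolvable_names(issuer, dns_names):
    """Return the DNS names for which no solver at spec.acme.solvers fits.

    Assumes solvers carry no selector (as on this page), so every solver is
    a candidate for every name; wildcard names can only be solved by dns01.
    """
    solvers = issuer.get("spec", {}).get("acme", {}).get("solvers") or []
    unsolved = []
    for name in dns_names:
        needed = {"dns01"} if name.startswith("*.") else {"dns01", "http01"}
        if not any(needed & set(s) for s in solvers):
            unsolved.append(name)
    return unsolved


# Constructed inputs mirroring the two ClusterIssuer manifests in the thread
# (placeholders kept; email and comments omitted).
SOLVER = {"dns01": {"clouddns": {
    "project": "[project-id]",
    "serviceAccountSecretRef": {"name": "clouddns-dns01-solver-svc-acct",
                                "key": "key.json"}}}}
BASE = {"server": "https://acme-staging-v02.api.letsencrypt.org/directory",
        "privateKeySecretRef": {"name": "letsencrypt"}}
BROKEN = {"kind": "ClusterIssuer",
          "spec": {"acme": {**BASE, "acme": {"solvers": [SOLVER]}}}}
FIXED = {"kind": "ClusterIssuer",
         "spec": {"acme": {**BASE, "solvers": [SOLVER]}}}
NAMES = ["mydomain.com", "*.mydomain.com"]

if __name__ == "__main__":
    for label, issuer in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, misplaced_keys(issuer), unsolvable_names(issuer, NAMES))
```

Running a check like this over issuer manifests before applying them surfaces the misnesting early, instead of leaving an Order pending with no certificate issued.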

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

/close

@meyskens: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
