Is your feature request related to a problem? Please describe.
I am using Traefik and have a permanent HTTP->HTTPS redirection, so the HTTP01 challenge in cert-manager doesn't work. Will cert-manager support HTTPS validation in the future (Traefik provides some default self-signed cert)?
Environment details (if applicable):
Reading https://letsencrypt.org/docs/challenge-types/#http-01-challenge, Let's Encrypt does follow redirects, even to endpoints with self-signed certificates. Combined with `"cert-manager.io/issue-temporary-certificate": "true"` this should work.
The closest thing to an "HTTPS challenge" is TLS-ALPN-01, which needs a special protocol implementation and would require a special ingress controller.
Support of TLS-ALPN-01 would be great to have.
I tried the HTTP01 challenge with ACME Let's Encrypt and it didn't work with redirections.
When I turned off the HTTP->HTTPS redirection it works, but reconfiguring the global redirection all the time is not a solution...
Can you get us more information on the Challenge resource (`kubectl describe challenge`) before and after you toggle that setting?
/triage needs-information
I can only write about previous experience. Some configuration of cert-manager and Traefik:

Label on the Certificate resource:

```yaml
labels:
  "use-http01-solver": "true"
```

Additional solver in the ClusterIssuer resource:

```yaml
- http01:
    ingress:
      class: traefik
    selector:
      matchLabels:
        "use-http01-solver": "true"
```

Additional args for Traefik:

```
--providers.kubernetesingress=true,
--providers.kubernetescrd=true,
--providers.kubernetesIngress.ingressClass=traefik,
```

In cert-manager we can see this error from the Challenge resource: `cert-manager/controller/challenges "msg"="propagation check failed" "error"="wrong status code '404', expected '200'"`

Traefik is trying to redirect to HTTPS, so it's looking for a cert in the secret, but it doesn't exist yet…
When we turn off HTTP redirection in Traefik, the HTTP01 challenge works fine.
The 404 makes me think it is related to it incorrectly redirecting, or to Traefik not picking up the ACME solver ingress entry somehow. A describe of the Ingress resource and a test of the challenge URL would be helpful to debug this.
Adding some labels during triage-party 2020-05-22.
It seems to me that this issue might be solved by better documentation explaining that we do support HTTP -> HTTPS redirection.
/area acme/http01
/triage support
I just ran into this problem. The main issue seems to be that the ingress derives which endpoints to use from the service definition.
A service only listening on port 80 with this ingress:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: letsencrypt-testing
  name: hello-kubernetes
  namespace: ewoolution-testing
spec:
  rules:
  - host: hello-kubernetes.io
    http:
      paths:
      - path: /
        backend:
          serviceName: hello-kubernetes
          servicePort: 80
  tls:
  - hosts:
    - hello-kubernetes.io
    secretName: hello-kubernetes.io-cert
  - secretName: hello-kubernetes.io-cert
```
is not available on HTTPS. I need to explicitly activate TLS, e.g. by adding
```yaml
metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.tls: "true"
```
For cert-manager I could fix this problem by adding the following to the ClusterIssuer:
```yaml
spec:
  acme:
    solvers:
    - http01:
        ingress:
          class: traefik
          ingressTemplate:
            metadata:
              annotations:
                traefik.ingress.kubernetes.io/router.tls: "true"
```
I appended one more annotation to make it work:
```yaml
solvers:
- http01:
    ingress:
      class: traefik
      ingressTemplate:
        metadata:
          annotations:
            traefik.ingress.kubernetes.io/router.tls: "true"
            traefik.ingress.kubernetes.io/frontend-entry-points: "https"
```
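The `wrong status code '404', expected '200'` propagation-check failure reported earlier in this thread, and the effect of attaching the solver Ingress to the TLS entrypoint with `traefik.ingress.kubernetes.io/router.tls: "true"`, can be reproduced offline. The script below is an added example written for this page; it is not code from cert-manager, Traefik, or any participant in the thread. It starts two loopback listeners standing in for Traefik's `web` and `websecure` entrypoints (both plain HTTP here so that no certificate is needed; in a real cluster the second one is HTTPS with Traefik's default self-signed certificate), applies an unconditional permanent redirect on the first, and serves the solver path on the second only when the solver route is attached to it. The checker follows the redirect and disables certificate verification the way an HTTP-01 validator does when it lands on an HTTPS endpoint with a placeholder certificate. The token, key authorization, port numbers and function names are constructed for the example.

```python
"""Offline reproduction of an HTTP-01 propagation check behind an HTTP->HTTPS
redirect. Added example for this page; not cert-manager or Traefik code.
TOKEN, KEY_AUTH and all ports/names below are constructed for illustration."""
import http.server
import ssl
import threading
import urllib.error
import urllib.request

TOKEN = "example-token"                     # constructed; the ACME server assigns the real one
KEY_AUTH = "example-token.account-thumbprint"  # constructed key authorization
CHALLENGE_PATH = f"/.well-known/acme-challenge/{TOKEN}"


def check_propagation(url: str, expected_key_auth: str, timeout: float = 5.0) -> tuple[bool, str]:
    """Fetch the challenge URL like an HTTP-01 validator or cert-manager's self-check.

    Redirects are followed (urllib does so by default). Certificate validity is
    deliberately not enforced: the validator may be redirected to an HTTPS
    endpoint that still serves a self-signed or placeholder certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            if body == expected_key_auth:
                return True, f"ok: {resp.status} from {resp.geturl()}"
            return False, f"wrong key authorization at {resp.geturl()}: {body!r}"
    except urllib.error.HTTPError as e:
        # This is the shape of the error the thread reports.
        return False, f"wrong status code '{e.code}', expected '200'"
    except urllib.error.URLError as e:
        return False, f"request failed: {e.reason}"


class _QuietHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass


def _serve(handler_cls):
    """Start a daemon server on an ephemeral loopback port; return (server, port)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def start_simulated_traefik(router_tls: bool):
    """Two listeners standing in for the 'web' and 'websecure' entrypoints.

    'web' only redirects (the global HTTP->HTTPS redirect from the thread).
    'websecure' has a route for the solver path only if the solver Ingress was
    attached to it (router_tls=True, what the router.tls annotation does);
    otherwise there is no matching router and it answers 404.
    """
    class Secure(_QuietHandler):
        def do_GET(self):
            if router_tls and self.path == CHALLENGE_PATH:
                body = KEY_AUTH.encode()
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_error(404)

    secure_srv, secure_port = _serve(Secure)

    class Web(_QuietHandler):
        def do_GET(self):
            # Plain HTTP is never served: unconditional permanent redirect.
            self.send_response(301)
            self.send_header("Location", f"http://127.0.0.1:{secure_port}{self.path}")
            self.send_header("Content-Length", "0")
            self.end_headers()

    web_srv, web_port = _serve(Web)
    return web_srv, secure_srv, web_port


def run_scenario(router_tls: bool) -> tuple[bool, str]:
    """Run one propagation check against the simulated entrypoints and tear down."""
    web_srv, secure_srv, web_port = start_simulated_traefik(router_tls)
    try:
        return check_propagation(f"http://127.0.0.1:{web_port}{CHALLENGE_PATH}", KEY_AUTH)
    finally:
        for srv in (web_srv, secure_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for tls in (False, True):
        ok, detail = run_scenario(tls)
        print(f"router.tls={tls}: {'PASS' if ok else 'FAIL'} ({detail})")
```

Against a live cluster the same check is `curl -skL` of `http://<host>/.well-known/acme-challenge/<token>` from outside the cluster: the response must end with status 200 and a body equal to the key authorization from the Challenge resource, regardless of how many redirects or which certificate sits in between.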
I am going to close this one, PRs to the documentation are welcome!
/close
@meyskens: Closing this issue.
In response to this:

> I am going to close this one, PRs to the documentation are welcome!
> /close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.