Kubernetes cert manager ssl error verify ACME account

7/16/2019

I can`t create wilcard ssl with cert manager, I add my domain to cloudflare but cert manager can`t verify ACME account. How i resolve this problem?

i want wilcard ssl for my domain and use any deployments how could i do?

I find error but how i resolve, error is my k8s doesnt resolve dns acme-v02.api.letsencrypt.org

error is k8s dns can't find My k8s is

Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.3-k3s.1", GitCommit:"8343999292c55c807be4406fcaa9f047e8751ffd", GitTreeState:"clean", BuildDate:"2019-06-12T04:56+00:00Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}

Error log:

I0716 13:06:11.712878       1 controller.go:153] cert-manager/controller/issuers "level"=0 "msg"="syncing item" "key"="default/issuer-letsencrypt" 
I0716 13:06:11.713218       1 setup.go:162] cert-manager/controller/issuers "level"=0 "msg"="ACME server URL host and ACME private key registration host differ. Re-checking ACME account registration" "related_resource_kind"="Secret" "related_resource_name"="issuer-letsencrypt" "related_resource_namespace"="default" "resource_kind"="Issuer" "resource_name"="issuer-letsencrypt" "resource_namespace"="default" 
I0716 13:06:11.713245       1 logger.go:88] Calling GetAccount
E0716 13:06:16.714911       1 setup.go:172] cert-manager/controller/issuers "msg"="failed to verify ACME account" "error"="Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout" "related_resource_kind"="Secret" "related_resource_name"="issuer-letsencrypt" "related_resource_namespace"="default" "resource_kind"="Issuer" "resource_name"="issuer-letsencrypt" "resource_namespace"="default" 
I0716 13:06:16.715527       1 sync.go:76] cert-manager/controller/issuers "level"=0 "msg"="Error initializing issuer: Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout" "resource_kind"="Issuer" "resource_name"="issuer-letsencrypt" "resource_namespace"="default" 
E0716 13:06:16.715609       1 controller.go:155] cert-manager/controller/issuers "msg"="re-queuing item  due to error processing" "error"="Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout" "key"="default/issuer-letsencrypt" 

my Issuer

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: issuer-letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: yusufkaan142@gmail.com
    privateKeySecretRef:
      name: issuer-letsencrypt
    dns01:
      providers:
      - name: cf-dns
        cloudflare:
          email: mail@gmail.com
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key.txt

Secret:

apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-key
  namespace: cert-manager
type: Opaque
data:
  api-key.txt: base64encoded

My Certificate:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wilcard-theykk-net
  namespace: cert-manager
spec:
  secretName: wilcard-theykk-net
  issuerRef:
    name: issuer-letsencrypt
    kind: Issuer
  commonName: '*.example.net'
  dnsNames:
  - '*.example.net'
  acme:
    config:
    - dns01:
        provider: cf-dns
      domains:
      - '*.example.net'
      - 'example.net'

Dns for k8s

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kube-dns
  namespace: kube-system
data:
  upstreamNameservers: |
    ["1.1.1.1","8.8.8.8"]
-- Kaan
cert-manager
certificate
kubernetes
lets-encrypt
ssl

1 Answer

7/17/2019

I would start with debugging DNS resolution function within your K8s cluster:

Spin up some container with basic network tools on a board:

kubectl run -i -t busybox --image=radial/busyboxplus:curl --restart=Never

From within busybox container check /etc/resolv.conf file and ensure that you can resolve Kubernetes DNS service kube-dns:

$ cat /etc/resolv.conf 
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local c.org-int.internal google.internal
options ndots:5

Make a lookup request to kubernetes.default which should get output with a DNS nameserver without any issues:

$ nslookup kubernetes.default
Server:    10.96.0.10
Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local

Name:      kubernetes.default
Address 1: 10.96.0.1 kubernetes.default.svc.cluster.local

Due to the fact that you've defined upstreamNameservers in the corresponded kube-dns ConfigMap, check whether you can ping upstream nameservers: 1.1.1.1 and 8.8.8.8 that should be accessible from within a Pod.

Verify DNS pod logs for any suspicious events for each container(kubedns, dnsmasq, sidecar):

kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name | head -1) -c kubedns

kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name | head -1) -c dnsmasq

kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name | head -1) -c sidecar

If you are fine with all precedent steps then DNS discovery is working properly, thus you can also inspect Cloudflare DNS firewall configuration in order to exclude potential restrictions. More relevant information about troubleshooting DNS issue you can find in the official K8s documentation.

-- mk_sta
Source: StackOverflow