My Let's Encrypt order stays pending. I am using cert-manager on my single-node Kubernetes plane, and I am also using Let's Encrypt.
    kind: Certificate
    metadata:
      name: example-zone
      namespace: default
    spec:
      secretName: example-zone-tls
      renewBefore: 360h # 15d
      commonName: example.zone
      dnsNames:
      - example.zone
      issuerRef:
        name: letsencrypt-prod
        kind: ClusterIssuer
Output:

    pascal$ kubectl get cert,order
    NAME                                          READY   SECRET             AGE
    certificate.certmanager.k8s.io/example-zone   False   example-zone-tls   79m

    NAME                                               STATE     AGE
    order.certmanager.k8s.io/example-zone-2971070786   pending   77m
Events received:

    Events:
      Type     Reason            Age   From          Message
      ----     ------            ----  ----          -------
      Warning  NoMatchingSolver  15s   cert-manager  Failed to create challenge for domain "example.zone": no configured challenge solvers can be used for this challenge
The cert should be issued, but I think it hangs up in my haproxy. There are no errors, and I don't exactly know how to expose the ACME challenge using haproxy. Could someone explain it to me?
My ClusterIssuer:

    pascal$ kubectl describe clusterissuer letsencrypt-prod
    Name:         letsencrypt-prod
    Namespace:    # yep, it's empty!?
    Labels:       <none>
    API Version:  certmanager.k8s.io/v1alpha1
    Kind:         ClusterIssuer
    Spec:
      Acme:
        Email:  <my-real-mail>
        Http 01:
          Ingress Class:  haproxy
        Private Key Secret Ref:
          Name:  letsencrypt-prod
        Server:  https://acme-v02.api.letsencrypt.org/directory
    Status:
      Acme:
        Last Registered Email:  <my-real-mail>
        Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/<hash>
      Conditions:
        Last Transition Time:  2019-08-17T11:49:05Z
        Message:               The ACME account was registered with the ACME server
        Reason:                ACMEAccountRegistered
        Status:                True
        Type:                  Ready
    Events:  <none>
So, I am now also using the dns01 challenge, and this is working now. Another thing is that I updated the annotations and added the method, clusterissuer.
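Added example, not the asker's configuration or anything shipped by the cert-manager project: the ClusterIssuer above carries its challenge settings in the older top-level http01 block, which cert-manager v0.8 and later only pairs with an acme.config section inside the Certificate, and the Certificate above has none, so no solver can match the challenge. Written with the spec.acme.solvers list that replaced it, the same HAProxy HTTP-01 solver plus a DNS-01 solver of the kind the asker switched to looks like this; the Cloudflare provider, the cloudflare-api-key Secret and its api-key entry are assumptions.

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <my-real-mail>
    privateKeySecretRef:
      name: letsencrypt-prod
    # From cert-manager v0.8 on, challenge solvers are listed here and are
    # matched against the dnsNames of the Certificate when an Order creates
    # its Challenge. With no entry in this list, every Order ends up in
    # "no configured challenge solvers can be used for this challenge".
    solvers:
    # HTTP-01 through the HAProxy ingress controller, as the original issuer
    # intended. Let's Encrypt fetches the token over plain HTTP, so port 80
    # must reach this ingress from the internet while the order is open.
    - http01:
        ingress:
          class: haproxy
    # DNS-01 for the zone apex, the route the asker moved to. It needs no
    # inbound port, only a Secret holding the DNS provider credential.
    # The selector limits this solver to the listed names; a solver without
    # a selector applies to every Certificate that uses the issuer.
    - selector:
        dnsNames:
        - example.zone
      dns01:
        cloudflare:
          email: <my-real-mail>
          apiKeySecretRef:
            name: cloudflare-api-key  # assumed Secret name (constructed)
            key: api-key              # assumed key inside that Secret
```

Whichever solver is chosen, the Certificate from the question needs no change, since the new format keeps all challenge configuration on the issuer side.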
If you do not open port 80 in your network security rules, then the order from cert-manager cannot be fulfilled. The order remains in the pending state. Ideally you should not keep port 80 open permanently; you can choose to close this port once your order is fulfilled (you need to manage the renewal process after 90 days with the same process).