cert-manager letsencrypt order pending

8/17/2019

My Let's Encrypt order keeps pending. I am using cert-manager on my single-node Kubernetes control plane. I am also using Let's Encrypt.

apiVersion: certmanager.k8s.io/v1alpha1   # same API group as the ClusterIssuer below
kind: Certificate
metadata:
  name: example-zone
  namespace: default
spec:
  secretName: example-zone-tls
  renewBefore: 360h # 15d
  commonName: example.zone
  dnsNames:
    - example.zone
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

Output:

pascal$ kubectl get cert,order
NAME                                          READY   SECRET             AGE
certificate.certmanager.k8s.io/example-zone   False   example-zone-tls   79m

NAME                                               STATE     AGE
order.certmanager.k8s.io/example-zone-2971070786   pending   77m

Events received:

Events:
  Type     Reason            Age   From          Message
  ----     ------            ----  ----          -------
  Warning  NoMatchingSolver  15s   cert-manager  Failed to create challenge for domain "example.zone": no configured challenge solvers can be used for this challenge

The cert should be issued, but I think it hangs up in my HAProxy. There are no errors, and I don't know exactly how to expose the ACME challenge using HAProxy; could someone explain it to me?

My ClusterIssuer:

pascal$ kubectl describe clusterissuer letsencrypt-prod
Name:         letsencrypt-prod
Namespace:    # yep, it's empty!?
Labels:       <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Spec:
  Acme:
    Email:  <my-real-mail>
    Http 01:
      Ingress Class:  haproxy
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Last Registered Email:  <my-real-mail>
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/<hash>
  Conditions:
    Last Transition Time:  2019-08-17T11:49:05Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>
-- Pascal K.

Tags: cert-manager, haproxy, kubernetes, lets-encrypt

2 Answers

8/19/2019

So, I am now also using the dns01 challenge, and this is working now. Another thing is that I updated the annotations and added the method and the clusterissuer.

-- Pascal K.
Source: StackOverflow
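For reference, an added example (not from the question or either answer) of the same ClusterIssuer written in the `solvers` form that this API version expects: the legacy `http01` block in the question's issuer is only honoured together with a per-Certificate `spec.acme.config` section, which the Certificate above does not have, so no solver matches and the Order stays pending with `NoMatchingSolver`. The DNS provider (Cloudflare), the Secret name `cloudflare-api-key` with key `api-key`, and `example.zone` as the dns01 zone are assumptions.

```yaml
# Added example; ClusterIssuer for certmanager.k8s.io/v1alpha1 using
# spec.acme.solvers instead of the legacy spec.acme.http01 block.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod        # ClusterIssuers are cluster-scoped, hence no namespace
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <my-real-mail>
    privateKeySecretRef:
      name: letsencrypt-prod
    # Each solver is matched against the Order's DNS names. An Order
    # that matches no solver produces the NoMatchingSolver event.
    solvers:
      # http01: cert-manager creates an Ingress with this class for
      # /.well-known/acme-challenge/<token>. Let's Encrypt must reach it
      # on port 80, so the port has to be open for the validation window.
      # No selector: this is the default solver for any name.
      - http01:
          ingress:
            class: haproxy
      # dns01: cert-manager publishes the _acme-challenge TXT record via
      # the provider API, so no inbound port is required. The selector
      # limits this solver to the listed zone; a solver whose selector
      # matches is preferred over the unselected default above.
      - selector:
          dnsZones:
            - example.zone
        dns01:
          cloudflare:
            email: <my-real-mail>
            apiKeySecretRef:
              name: cloudflare-api-key   # assumed Secret name
              key: api-key               # assumed key inside that Secret
```

After applying, `kubectl describe order` and `kubectl get challenges` show which solver was chosen and whether the challenge is presented, which is the first place to look when the Order remains pending.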

10/7/2019

If you do not open port 80 in your network security rules, then the order from cert-manager cannot be fulfilled. The order remains in the pending state. Ideally you should not keep port 80 open permanently; you can choose to close this port once your order is fulfilled (you need to manage the renewal process after 90 days with the same process).

-- user1859658
Source: StackOverflow