K
Q

cert-manager letsencrypt order pending

8/17/2019

My letsencrypt order keeps pending. I am using cert-manager on my single node kubernetes plane. Also I am using letsencrypt.

kind: Certificate
metadata:
  name: example-zone
  namespace: default
spec:
  secretName: example-zone-tls
  renewBefore: 360h # 15d
  commonName: example.zone
  dnsNames:
    - example.zone
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

Output:

pascal$ kubectl get cert,order
NAME                                          READY   SECRET             AGE
certificate.certmanager.k8s.io/example-zone   False   example-zone-tls   79m

NAME                                               STATE     AGE
order.certmanager.k8s.io/example-zone-2971070786   pending   77m

Events received:

Events:
  Type     Reason            Age   From          Message
  ----     ------            ----  ----          -------
  Warning  NoMatchingSolver  15s   cert-manager  Failed to create challenge for domain "example.zone": no configured challenge solvers can be used for this challenge

The cert should be issued but I think it hangs up in my haproxy. No errors and I don't exactly know how to expose the acme challenge using haproxy, could someone explain me?

My ClusterIssuer:

pascal$ kubectl describe clusterissuer letsencrypt-prod
Name:         letsencrypt-prod
Namespace:    # yep, it's empty!?
Labels:       <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Spec:
  Acme:
    Email:  <my-real-mail>
    Http 01:
      Ingress Class:  haproxy
    Private Key Secret Ref:
      Name:  letsencrypt-prod
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Last Registered Email:  <my-real-mail>
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/<hash>
  Conditions:
    Last Transition Time:  2019-08-17T11:49:05Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>
-- Pascal K.
cert-manager
haproxy
kubernetes
lets-encrypt

Similar Questions

Can not ping to pod's ip of worker node in kubernetes
Cert-managed with wilcard and Cloudflare DNS, stuck at 'OrderCreated'
Access from AKS to SQL Server is blocked by a firewall in Azure
How to deploy pods described in yaml files using client-go?
Error from server (InternalError): error when creating &quot;v2_0_0_full.yaml&quot;: Internal error occurred: failed calling webhook &quot;
Kubernetes: Create an Ingress for Kafka
In a Helm chart YAML, how do i include multiple lines of properties in one call?
Is it possible to serve a static file from s3 on ingress-nginx?

2 Answers

8/19/2019

So, I am now also using the dns01 challenge and this is working now. Another thing is, that I updated the annotations and added the method, clusterissuer

-- Pascal K.
Source: StackOverflow
10/7/2019

If you do not open port 80 in your network security rules, then the order from cert-manager cannot be fulfilled. The order remains in pending state. Ideally you should not open your port 80 open always, you can choose to close this port once your order is fulfilled (you need to manage the renewal process after 90 days with the same process).

-- user1859658
Source: StackOverflow