Waiting for http-01 challenge propagation: failed to perform self timed out

3/25/2020

I set up a Kubernetes cluster with currently two nodes and MetalLB as a load balancer.

Currently I would like to use an Ingress and secure it via SSL. For this I decided to use the NGINX ingress with cert-manager and set it up following the tutorial on their site.

But now I get the error "Waiting for http-01 challenge propagation: failed to perform self check GET request 'http://example.....zone/.well-known/acme-challenge/A5lFUj69fDccpXlvlyVw9-ekATEjt_-DKiJUzJSafxs': Get "http://example.....zone/.well-known/acme-challenge/A5lFUj69fDccpXlvlyVw9-ekATEjt_-DKiJUzJSafxs": dial tcp 94.130.150.125:80: connect: connection timed out"

My current ClusterIssuer looks like this:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: letsencrypt@mymail.de
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx

And I am trying to automatically provide a certificate for

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    cert-manager.io/acme-challenge-type: http01
spec:
  tls:
  - hosts:
    - example.....zone
    secretName: example-...-zone-tls
  rules:
  - host: example.....zone
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: 80

Manually I can reach any address perfectly.

-- Pascal K.
cert-manager
kubernetes
metallb
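As an added illustration (not part of the question or of either answer, and not cert-manager's own code), the script below reproduces what the failing "self check" in the error message is doing: it fetches `http://<host>/.well-known/acme-challenge/<token>` and compares the body with the RFC 8555 key authorization `<token>.<JWK thumbprint>` that Let's Encrypt will later expect. Running the same fetch yourself from inside the cluster (or from a pod on the other node) separates a routing problem, which shows up as "unreachable" exactly like the question's timeout, from a wrong or stale solver response, which shows up as "mismatch". The ACME account key is a constructed sample JWK, the token is the one from the question, and a local HTTP server stands in for the ingress so the script runs offline.

```python
import base64
import hashlib
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import ProxyHandler, build_opener

# Constructed sample ACME account key (EC P-256 JWK). The coordinates are just
# well-formed base64url strings; only the thumbprint derivation matters here.
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

_opener = build_opener(ProxyHandler({}))  # ignore proxy env vars for local checks


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialized
    as JSON with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the challenge URL must serve."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def self_check(host: str, token: str, jwk: dict, port: int = 80, timeout: float = 5.0):
    """GET the challenge URL the way the self check does and classify the result
    as 'ok', 'mismatch', 'http_error' or 'unreachable' (plus a detail string)."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    try:
        with _opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except HTTPError as exc:  # must precede URLError, its parent class
        return "http_error", f"{exc.code} for {url}"
    except (URLError, OSError) as exc:
        # 'connection timed out' / 'connection refused', as in the question
        return "unreachable", f"{url}: {exc}"
    expected = key_authorization(token, jwk)
    if body != expected:
        return "mismatch", f"got {body!r}, expected {expected!r}"
    return "ok", body


def serve_challenge(responses: dict):
    """Local stand-in for the ingress: answers /.well-known/acme-challenge/<token>
    with responses[token], 404 otherwise. Returns (server, port)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            prefix = "/.well-known/acme-challenge/"
            token = self.path[len(prefix):] if self.path.startswith(prefix) else None
            if token in responses:
                body = responses[token].encode("utf-8")
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo() -> dict:
    """Run the four outcomes against the local stand-in server."""
    token = "A5lFUj69fDccpXlvlyVw9-ekATEjt_-DKiJUzJSafxs"  # token from the question
    server, port = serve_challenge({token: key_authorization(token, EXAMPLE_JWK),
                                    "stale": "stale.key-authorization"})
    try:
        results = {
            "ok": self_check("127.0.0.1", token, EXAMPLE_JWK, port=port)[0],
            "mismatch": self_check("127.0.0.1", "stale", EXAMPLE_JWK, port=port)[0],
            "missing": self_check("127.0.0.1", "nope", EXAMPLE_JWK, port=port)[0],
        }
    finally:
        server.shutdown()
        server.server_close()
    # A port with nothing listening: the routing failure class from the question.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    free_port = probe.getsockname()[1]
    probe.close()
    results["unreachable"] = self_check("127.0.0.1", "x", EXAMPLE_JWK, port=free_port, timeout=2.0)[0]
    return results


if __name__ == "__main__":
    for outcome, status in demo().items():
        print(f"{outcome:12s} -> {status}")
```

Against a real cluster, point `self_check` at the public hostname from inside a pod (and, separately, at the MetalLB address from each node): if the pod-side call is "unreachable" while the same URL works from your workstation, the problem is the hairpin/`externalTrafficPolicy` path rather than the solver.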

2 Answers

3/31/2020

The error message you are getting can mean a wide variety of issues. However, there are some things you can check in order to fix it:

  1. Delete the Ingress, the certificates and the cert-manager. After that add them all back to make sure it installs clean. Sometimes stale certs or bad/multi Ingress pathing might be the issue.

  2. Make sure your traffic allows HTTP or has HTTPS with a trusted cert.

  3. Check the hairpin mode of your load balancer and make sure it is working.

  4. Add the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation to the Ingress rule. Wait a moment and see if a valid cert will be created.

  5. GKE only: add this Ingress annotation: certmanager.k8s.io/acme-http01-edit-in-place: "true".

Please let me know if that helped.

-- OhHiMark
Source: StackOverflow

5/21/2020

This one worked for me.

Change the LoadBalancer in the ingress-nginx service.

Add/change externalTrafficPolicy: Cluster.

Reason being, the pod with the certificate issuer wound up on a different node than the load balancer did, so it couldn't talk to itself through the ingress.

Below is the complete block taken from https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.26.1/deploy/static/provider/cloud-generic.yaml

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  #CHANGE/ADD THIS
  externalTrafficPolicy: Cluster
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https

---
-- deepdive
Source: StackOverflow