cert-manager is trying to use dns-01 instead of https-01 resolver

5/31/2021

I'm trying to issue certificates for my Kubernetes cluster through cert-manager using the HTTP challenge verification. However, for some reason, the challenge order is trying to use the dns-01 verifier, which is not configured.

I tried to figure it out with different configurations, and by removing and installing cert-manager again, but nothing helps. It is working from other ACME clients.

I'm using cert-manager v1.2.0.

This is my ClusterIssuer with the http-01 solver:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: clusterissuer-test-acme
  #namespace: default
spec:
  acme:
    server: https://lab03.test.com:8432/acme/directory
    # Email address used for ACME registration
    email: k8s-security-team@example.org
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: issuer-acme-secret
    # Enable HTTP01 validations
    solvers:
    # An empty 'selector' means that this solver matches all domains
    - selector: {}
      http01:
        ingress:
          class: public

This is a certificate I'm trying to issue:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-lab05-test-com
  namespace: default
spec:
  secretName: cert--secret-lab05-test-com
  renewBefore: 365h # 15d
  issuerRef:
    name: clusterissuer-test-acme
    kind: ClusterIssuer
  commonName: lab05.test.com
  dnsNames:
  - lab05.test.com

And I'm getting the following error:

Status:
  Authorizations:
    Challenges:
      Token:        QHYyjqayGWufzC6kz313UwkUvRillXZWdBgoEVKyfe83w32SXvaSgkxvYJEKUViVM884eQAAAXnDf-lT
      Type:         dns-01
      URL:          https://lab03.test.com:8432/acme/authz/yFwhSs9x3y4UcyPxCTXHfsSKhhpD1AAAAXnDf-lT/2
    Identifier:     lab05.test.com
    Initial State:  pending
    URL:            https://lab03.test.com:8432/acme/authz/yFwhSs9x3y4UcyPxCTXHfsSKhhpD1AAAAXnDf-lT
    Wildcard:       false
  Finalize URL:     https://lab03.test.com:8432/acme/order/c3a10096-ad3a-4e48-9160-f4d39a617299-7/finalize
  State:            pending
  URL:              https://lab03.test.com:8432/acme/order/c3a10096-ad3a-4e48-9160-f4d39a617299-7
Events:
  Type     Reason  Age   From          Message
  ----     ------  ----  ----          -------
  Warning  Solver  5m9s  cert-manager  Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge

I do not understand why the challenge type is dns-01 when it should be http-01 according to the ClusterIssuer setup.

-- user1563721
acme
cert-manager
certificate
kubernetes

0 Answers
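
An added diagnostic example (not part of the original post, and not cert-manager's own code): the Order status lists the challenge types the ACME server offered for each authorization, and the check below compares them with the solver types configured on the issuer. The embedded JSON is constructed from the objects in the post; `diagnose` and `selector_matches` are hypothetical helper names, and `matchLabels` selectors are not evaluated.

```python
import json

# Constructed sample input mirroring the objects in the post
# (shape of `kubectl get clusterissuer/order -o json`, trimmed).
ISSUER = json.loads("""{"spec": {"acme": {"solvers": [
  {"selector": {}, "http01": {"ingress": {"class": "public"}}}]}}}""")
ORDER = json.loads("""{"status": {"authorizations": [
  {"identifier": "lab05.test.com", "wildcard": false,
   "challenges": [{"type": "dns-01"}]}]}}""")

SOLVER_KEYS = {"http01": "http-01", "dns01": "dns-01"}  # solver field -> ACME type


def selector_matches(selector, domain):
    """Empty selector matches every domain; otherwise check dnsNames/dnsZones.
    Assumption: matchLabels (matched against Certificate labels) is ignored here."""
    names = selector.get("dnsNames", [])
    zones = selector.get("dnsZones", [])
    if not names and not zones:
        return True
    return domain in names or any(
        domain == z or domain.endswith("." + z) for z in zones)


def diagnose(issuer, order):
    """Per identifier: types the server offered vs. types the issuer can solve."""
    report = []
    for authz in order["status"].get("authorizations", []):
        domain = authz["identifier"]
        offered = {c["type"] for c in authz.get("challenges", [])}
        configured = {
            acme_type
            for s in issuer["spec"]["acme"].get("solvers", [])
            if selector_matches(s.get("selector") or {}, domain)
            for key, acme_type in SOLVER_KEYS.items() if key in s
        }
        report.append({"identifier": domain,
                       "offered": sorted(offered),
                       "configured": sorted(configured),
                       "usable": sorted(offered & configured)})
    return report


if __name__ == "__main__":
    for row in diagnose(ISSUER, ORDER):
        verdict = "ok" if row["usable"] else "no solver matches what the server offered"
        print(row["identifier"], "offered:", row["offered"],
              "configured:", row["configured"], "->", verdict)
```

An empty `usable` list for an identifier corresponds to the "no configured challenge solvers can be used for this challenge" event shown in the post.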