I'm trying to issue certificates for my Kubernetes cluster through the cert-manager
using the HTTP challenge verification. However, for some reason, the challenge order is trying to use the dns-01
verifier, which is not configures.
I was trying to figure out with different configuration, removing and installing cert-manager
again, but nothing helps. It is working from other ACME clients.
I'm using cert-manager
v1.2.0
.
This is my ClusterIssuer
with the http-01
solver:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: clusterissuer-test-acme
#namespace: default
spec:
acme:
server: https://lab03.test.com:8432/acme/directory
# Email address used for ACME registration
email: k8s-security-team@example.org
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: issuer-acme-secret
# Enable HTTP01 validations
solvers:
# An empty 'selector' means that this solver matches all domains
- selector: {}
http01:
ingress:
class: public
This is a certificate I'm trying to issue:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cert-lab05-test-com
namespace: default
spec:
secretName: cert--secret-lab05-test-com
renewBefore: 365h # 15d
issuerRef:
name: clusterissuer-test-acme
kind: ClusterIssuer
commonName: lab05.test.com
dnsNames:
- lab05.test.com
And I'm getting the following error:
Status:
Authorizations:
Challenges:
Token: QHYyjqayGWufzC6kz313UwkUvRillXZWdBgoEVKyfe83w32SXvaSgkxvYJEKUViVM884eQAAAXnDf-lT
Type: dns-01
URL: https://lab03.test.com:8432/acme/authz/yFwhSs9x3y4UcyPxCTXHfsSKhhpD1AAAAXnDf-lT/2
Identifier: lab05.test.com
Initial State: pending
URL: https://lab03.test.com:8432/acme/authz/yFwhSs9x3y4UcyPxCTXHfsSKhhpD1AAAAXnDf-lT
Wildcard: false
Finalize URL: https://lab03.test.com:8432/acme/order/c3a10096-ad3a-4e48-9160-f4d39a617299-7/finalize
State: pending
URL: https://lab03.test.com:8432/acme/order/c3a10096-ad3a-4e48-9160-f4d39a617299-7
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Solver 5m9s cert-manager Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge
I do not understand why is the challenge type dns-01
when it should be http-01
according the ClusterIssuer
setup.