My domain is:
zero-sum-seattle.net
I ran this command:
kubectl describe challenge -n
It produced this output:
Warning PresentError 8m27s (x12 over 110m) cert-manager-challenges Error presenting challenge: GoogleCloud API call failed: googleapi: Error 403: Forbidden, forbidden
My web server is (include version):
nginx-ingress (GKE pod)
The operating system my web server runs on is (include version):
uh whatever nginx-ingress is
My hosting provider, if applicable, is:
GCP
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
eh, I'm getting there; I have access to my terraform and GCP console
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
cert-manager-controller:v1.9.1
Hey guys! I am having an odd issue and have wasted so much time trying to figure this out.
I am currently using let's encrypt/cert-manager to handle provisioning TLS/SSL certificates for my domain zero-sum-seattle.net. I love the product BTW, been using it for years!
I am setting up my own GCP project for a python project I am using. It's running a GKE cluster and what not. I have set up and used cert-manager to provision two certificates from a clusterissuer already for this domain. The issue I am running into started when I tried to deploy redmine to manage tickets for my little OS group. At first I thought it was an issue with the redmine helm chart, but it turned out to be false. I know this because I just created my own certificate manifest and tried to create a certificate that way, and also received a 403. However, I changed the manifest to use my nginx-ingress A record, and then the certificate provisioned away, so I thought to try my staging issuer for redmine and got the same error. I have WLI set up and a service account with dns.admin. I can link to my terraform.
I don't know if I'm overlooking some quota or rate limit issue with let's encrypt, but I thought that would be solved with switching to staging.
Here are some cert-manager pod logs:
Success!

```
I0914 21:28:01.728920 1 sync.go:257] cert-manager/orders "msg"="build set of domains for Order" "domains"=["nginx-ingress.zero-sum-seattle.net"] "resource_kind"="Order" "resource_name"="redmine-cert-zgj8j-2411455687" "resource_namespace"="jenkins" "resource_version"="v1"
I0914 21:28:01.729046 1 sync.go:260] cert-manager/orders "msg"="build set of IPs for Order" "domains"=["nginx-ingress.zero-sum-seattle.net"] "resource_kind"="Order" "resource_name"="redmine-cert-zgj8j-2411455687" "resource_namespace"="jenkins" "resource_version"="v1"
I0914 21:28:02.068073 1 logs.go:177] cert-manager/controller "msg"="Event(v1.ObjectReference{Kind:\"Order\", Namespace:\"jenkins\", Name:\"redmine-cert-zgj8j-2411455687\", UID:\"a21dcdba-138b-4520-80e0-f2350db0978f\", APIVersion:\"acme.cert-manager.io/v1\", ResourceVersion:\"1846068\", FieldPath:\"\"}): type: 'Normal' reason: 'Created' Created Challenge resource \"redmine-cert-zgj8j-2411455687-721461229\" for domain \"nginx-ingress.zero-sum-seattle.net\""
I0914 21:28:02.179396 1 sync.go:682] cert-manager/orders "msg"="Retrieved ACME order from server" "raw_data"={"URI":"","Status":"pending","Expires":"2022-09-21T21:28:01Z","Identifiers":[{"Type":"dns","Value":"nginx-ingress.zero-sum-seattle.net"}],"NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","AuthzURLs":["https://acme-v02.api.letsencrypt.org/acme/authz-v3/153414393827"],"FinalizeURL":"https://acme-v02.api.letsencrypt.org/acme/finalize/729354887/125525301747","CertURL":"","Error":null} "resource_kind"="Order" "resource_name"="redmine-cert-zgj8j-2411455687" "resource_namespace"="jenkins" "resource_version"="v1"
I0914 21:28:02.283266 1 sync.go:682] cert-manager/orders "msg"="Retrieved ACME order from server" "raw_data"={"URI":"","Status":"pending","Expires":"2022-09-21T21:28:01Z","Identifiers":[{"Type":"dns","Value":"nginx-ingress.zero-sum-seattle.net"}],"NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","AuthzURLs":["https://acme-v02.api.letsencrypt.org/acme/authz-v3/153414393827"],"FinalizeURL":"https://acme-v02.api.letsencrypt.org/acme/finalize/729354887/125525301747","CertURL":"","Error":null} "resource_kind"="Order" "resource_name"="redmine-cert-zgj8j-2411455687" "resource_namespace"="jenkins" "resource_version"="v1"
I0914 21:28:02.350366 1 dns.go:219] cert-manager/challenges/Present/solverForChallenge "msg"="preparing to create CloudDNS provider" "dnsName"="nginx-ingress.zero-sum-seattle.net" "domain"="nginx-ingress.zero-sum-seattle.net" "resource_kind"="Challenge" "resource_name"="redmine-cert-zgj8j-2411455687-721461229" "resource_namespace"="jenkins" "resource_version"="v1" "type"="DNS-01"
I0914 21:28:02.350563 1 dns.go:102] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="nginx-ingress.zero-sum-seattle.net" "domain"="nginx-ingress.zero-sum-seattle.net" "resource_kind"="Challenge" "resource_name"="redmine-cert-zgj8j-2411455687-721461229" "resource_namespace"="jenkins" "resource_version"="v1" "type"="DNS-01"
I0914 21:28:02.393100 1 sync.go:682] cert-manager/orders "msg"="Retrieved ACME order from server" "raw_data"={"URI":"","Status":"pending","Expires":"2022-09-21T21:28:01Z","Identifiers":[{"Type":"dns","Value":"nginx-ingress.zero-sum-seattle.net"}],"NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","AuthzURLs":["https://acme-v02.api.letsencrypt.org/acme/authz-v3/153414393827"],"FinalizeURL":"https://acme-v02.api.letsencrypt.org/acme/finalize/729354887/125525301747","CertURL":"","Error":null} "resource_kind"="Order" "resource_name"="redmine-cert-zgj8j-2411455687" "resource_namespace"="jenkins" "resource_version"="v1"
I0914 21:28:02.433655 1 wait.go:383] Returning discovered zone record "zero-sum-seattle.net." for fqdn "_acme-challenge.nginx-ingress.zero-sum-seattle.net."
I0914 21:28:02.487401 1 sync.go:682] cert-manager/orders "msg"="Retrieved ACME order from server" "raw_data"={"URI":"","Status":"pending","Expires":"2022-09-21T21:28:01Z","Identifiers":[{"Type":"dns","Value":"nginx-ingress.zero-sum-seattle.net"}],"NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","AuthzURLs":["https://acme-v02.api.letsencrypt.org/acme/authz-v3/153414393827"],"FinalizeURL":"https://acme-v02.api.letsencrypt.org/acme/finalize/729354887/125525301747","CertURL":"","Error":null} "resource_kind"="Order" "resource_name"="redmine-cert-zgj8j-2411455687" "resource_namespace"="jenkins" "resource_version"="v1"
I0914 21:28:02.541517 1 dns.go:219] cert-manager/challenges/Present/solverForChallenge "msg"="preparing to create CloudDNS provider" "dnsName"="nginx-ingress.zero-sum-seattle.net" "domain"="nginx-ingress.zero-sum-seattle.net" "resource_kind"="Challenge" "resource_name"="redmine-cert-zgj8j-2411455687-721461229" "resource_namespace"="jenkins" "resource_version"="v1" "type"="DNS-01"
I0914 21:28:02.541659 1 dns.go:102] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="nginx-ingress.zero-sum-seattle.net" "domain"="nginx-ingress.zero-sum-seattle.net" "resource_kind"="Challenge" "resource_name"="redmine-cert-zgj8j-2411455687-721461229" "resource_namespace"="jenkins" "resource_version"="v1" "type"="DNS-01"
```

Failed:

```
I0915 00:48:41.857793 1 leaderelection.go:278] successfully renewed lease kube-system/cert-manager-controller
I0915 00:48:42.039910 1 controller.go:153] cert-manager/challenges "msg"="syncing item" "key"="redmine/redmine-tls-pqjh7-1084067888-1050907113"
I0915 00:48:42.040018 1 dns.go:219] cert-manager/challenges/Present/solverForChallenge "msg"="preparing to create CloudDNS provider" "dnsName"="rm.zero-sum-seattle.net" "domain"="rm.zero-sum-seattle.net" "resource_kind"="Challenge" "resource_name"="redmine-tls-pqjh7-1084067888-1050907113" "resource_namespace"="redmine" "resource_version"="v1" "type"="DNS-01"
I0915 00:48:42.040087 1 dns.go:102] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="rm.zero-sum-seattle.net" "domain"="rm.zero-sum-seattle.net" "resource_kind"="Challenge" "resource_name"="redmine-tls-pqjh7-1084067888-1050907113" "resource_namespace"="redmine" "resource_version"="v1" "type"="DNS-01"
I0915 00:48:42.040095 1 wait.go:329] Returning cached zone record "zero-sum-seattle.net." for fqdn "_acme-challenge.rm.zero-sum-seattle.net."
E0915 00:48:42.117506 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="GoogleCloud API call failed: googleapi: Error 403: Forbidden, forbidden" "key"="redmine/redmine-tls-pqjh7-1084067888-1050907113"
I0915 00:48:42.117654 1 logs.go:177] cert-manager/controller "msg"="Event(v1.ObjectReference{Kind:\"Challenge\", Namespace:\"redmine\", Name:\"redmine-tls-pqjh7-1084067888-1050907113\", UID:\"fd860839-99e3-497b-bdf3-d8fb2016884b\", APIVersion:\"acme.cert-manager.io/v1\", ResourceVersion:\"1946468\", FieldPath:\"\"}): type: 'Warning' reason: 'PresentError' Error presenting challenge: GoogleCloud API call failed: googleapi: Error 403: Forbidden, forbidden"
```
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: redmine-tls
  namespace: redmine
spec:
  dnsNames:
    - rm.zero-sum-seattle.net
  secretName: rm.zero-sum-seattle.net
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
```

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: spahmatthew@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - selector: {}
        dns01:
          cloudDNS:
            project: long-flame-659
```
Did I possibly hit a rate limit?
I checked my Google Quotas and I haven't hit any limit. I'm tired of staring at this, please assist!
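The two log excerpts above differ in exactly one place: the `rm.zero-sum-seattle.net` challenge is followed by an `E`-level "re-queuing item due to error processing" line whose `error` is a `googleapi: Error 403`, while the `nginx-ingress.zero-sum-seattle.net` challenge is not. That error string comes from the Cloud DNS API call the `cloudDNS` solver makes, which rules out a Let's Encrypt rate limit: the ACME server reports those as an ACME problem (`urn:ietf:params:acme:error:rateLimited`), never as a Google HTTP status. The script below is an added example, not part of the original post or of cert-manager, that parses cert-manager's `"key"="value"` log format, pairs each "presenting DNS01 challenge" line with its zone lookup and any later error keyed to the same `namespace/name`, and labels the error by where it originated. The sample log is a constructed excerpt taken from the lines above; the data-class names are this example's own.

```python
"""Correlate cert-manager DNS-01 challenge log lines with their outcome.

Added example (not from the original post or from cert-manager): parses the
controller's "k"="v" log format, pairs each "presenting DNS01 challenge"
line with the zone lookup and any later "re-queuing item due to error
processing" line for the same challenge, and tags the error by origin.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: the decisive lines from the post's "Success" and
# "Failed" excerpts, trimmed to what the correlation needs.
SAMPLE_LOG = r'''
I0914 21:28:02.350563 1 dns.go:102] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="nginx-ingress.zero-sum-seattle.net" "domain"="nginx-ingress.zero-sum-seattle.net" "resource_kind"="Challenge" "resource_name"="redmine-cert-zgj8j-2411455687-721461229" "resource_namespace"="jenkins" "resource_version"="v1" "type"="DNS-01"
I0914 21:28:02.433655 1 wait.go:383] Returning discovered zone record "zero-sum-seattle.net." for fqdn "_acme-challenge.nginx-ingress.zero-sum-seattle.net."
I0915 00:48:42.040087 1 dns.go:102] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="rm.zero-sum-seattle.net" "domain"="rm.zero-sum-seattle.net" "resource_kind"="Challenge" "resource_name"="redmine-tls-pqjh7-1084067888-1050907113" "resource_namespace"="redmine" "resource_version"="v1" "type"="DNS-01"
I0915 00:48:42.040095 1 wait.go:329] Returning cached zone record "zero-sum-seattle.net." for fqdn "_acme-challenge.rm.zero-sum-seattle.net."
E0915 00:48:42.117506 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="GoogleCloud API call failed: googleapi: Error 403: Forbidden, forbidden" "key"="redmine/redmine-tls-pqjh7-1084067888-1050907113"
'''

# "key"="value" pairs as the controller logs them; a value may contain
# backslash-escaped quotes, so the match allows escape sequences.
KV_RE = re.compile(r'"(\w+)"="((?:[^"\\]|\\.)*)"')
ZONE_RE = re.compile(r'Returning (discovered|cached) zone record "([^"]+)" for fqdn "([^"]+)"')
HTTP_STATUS_RE = re.compile(r'googleapi: Error (\d{3})')


@dataclass
class ChallengeOutcome:  # hypothetical record type for this example
    name: str
    namespace: str
    dns_name: str
    zone: Optional[str] = None
    zone_source: Optional[str] = None   # "discovered" or "cached"
    error: Optional[str] = None
    error_source: Optional[str] = None  # "dns-provider", "acme" or "other"
    http_status: Optional[int] = None


def parse_kv(line: str) -> Dict[str, str]:
    """Extract every "k"="v" pair on a log line."""
    return {k: v for k, v in KV_RE.findall(line)}


def classify_error(error: str) -> Tuple[str, Optional[int]]:
    """Return (origin, http_status). A 'GoogleCloud API call failed' error is
    raised by the Cloud DNS call, i.e. the identity the controller runs as;
    ACME problems carry a 'urn:ietf:params:acme:error' type instead."""
    if error.startswith("GoogleCloud API call failed"):
        m = HTTP_STATUS_RE.search(error)
        return "dns-provider", (int(m.group(1)) if m else None)
    if "urn:ietf:params:acme:error" in error:
        return "acme", None
    return "other", None


def summarize(log_text: str) -> Dict[str, ChallengeOutcome]:
    """Build one outcome per Challenge resource seen in the log."""
    outcomes: Dict[str, ChallengeOutcome] = {}
    by_fqdn: Dict[str, ChallengeOutcome] = {}
    for line in log_text.splitlines():
        if not line:
            continue
        kv = parse_kv(line)
        msg = kv.get("msg", "")
        if msg == "presenting DNS01 challenge for domain" and kv.get("resource_kind") == "Challenge":
            name = kv["resource_name"]
            oc = outcomes.setdefault(name, ChallengeOutcome(name, kv["resource_namespace"], kv["dnsName"]))
            # The zone lookup line carries only the fqdn, so index by it.
            by_fqdn[f"_acme-challenge.{oc.dns_name}."] = oc
            continue
        zm = ZONE_RE.search(line)
        if zm:
            source, zone, fqdn = zm.groups()
            oc = by_fqdn.get(fqdn)
            if oc:
                oc.zone, oc.zone_source = zone, source
            continue
        if msg == "re-queuing item due to error processing" and "error" in kv:
            # "key" is namespace/name of the Challenge being re-queued.
            ns, _, name = kv.get("key", "").partition("/")
            oc = outcomes.get(name)
            if oc and oc.namespace == ns:
                oc.error = kv["error"]
                oc.error_source, oc.http_status = classify_error(oc.error)
    return outcomes


def report(outcomes: Dict[str, ChallengeOutcome]) -> str:
    """One line per challenge: domain, zone used, and where any error came from."""
    lines = []
    for oc in outcomes.values():
        status = "OK" if oc.error is None else f"FAILED ({oc.error_source}, HTTP {oc.http_status})"
        lines.append(f"{oc.namespace}/{oc.name}: {oc.dns_name} -> zone {oc.zone} [{oc.zone_source}]: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Run it against `kubectl logs` output from the cert-manager controller (`python3 correlate.py < controller.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) to see, per Challenge, whether the failure is on the DNS-provider side (an HTTP status from `googleapi`, as here) or on the ACME side, which is the first fork in the diagnosis: a provider-side 403 is an authorization question for the identity the controller presents to Cloud DNS, not a Let's Encrypt quota question.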