Acme challenge Failed k8s

Hi
Any help is appreciated

Could someone please help with this error:

k8s: 1.28.7
Cilium : 1.14.7
ingresscontroller: cilium in shared mode
the IP is port forwarded to the loadbalancerIp

Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://www.lakearch.co.uk/.well-known/acme-challenge/FJyxTxX3l3SH65faYCVuUT3fBox3OIrYeBWC1vCBt2g': Get "http://www.lakearch.co.uk/.well-known/acme-challenge/FJyxTxX3l3SH65faYCVuUT3fBox3OIrYeBWC1vCBt2g": dial tcp 147.12.147.218:80: i/o timeout (Client.Timeout exceeded while awaiting headers)

test.txt (2.2 KB)

Hello @mohang6770, welcome to the Let's Encrypt community. :slightly_smiling_face:

Both Ports 80 & 443 are being filtered. Best Practice - Keep Port 80 Open

The HTTP-01 challenge of the Challenge Types - Let's Encrypt requires access to Port 80.

$ nmap -Pn -p80,443 www.lakearch.co.uk
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-26 20:46 UTC
Nmap scan report for www.lakearch.co.uk (147.12.147.218)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.26 seconds
1 Like

Thanks for quick reply,

What you mean is no port forwarding on port 80, is that right?

2 Likes

You need to let the Public Internet have access to your Public facing IP Address on Port 80.

1 Like

Yes I have that

I beg to disagree; your Ports 80 & 443 are being filtered, probably a firewall (possibly within a router),
but the Public Internet cannot access Port 80.

$ nmap -Pn -p80,443 www.lakearch.co.uk
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-26 21:28 UTC
Nmap scan report for www.lakearch.co.uk (147.12.147.218)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.20 seconds
2 Likes

Here is an online tool to check Open Port Check Tool - Test Port Forwarding on Your Router
This is what I see

1 Like

Thanks, I understand now what you mean. I think it's blocked by the Community Fibre ISP

2 Likes

There is the DNS-01 challenge of the Challenge Types - Let's Encrypt that does not need access to Port 80.

2 Likes
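
Added example, not part of any post in this thread: a Python check that reproduces the open / closed / filtered distinction from the nmap output above using a plain TCP connect, and maps the port-80 result to what it means for HTTP-01. The function names and the `portcheck.py` file name are hypothetical; the host is taken from the command line, and the check has to run from a machine outside the network being tested.

```python
import errno
import socket
import sys


def classify_port(host, port, timeout=3.0):
    """Classify a TCP port as 'open', 'closed' or 'filtered' via a full connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed, something is listening
    except ConnectionRefusedError:
        return "closed"            # RST came back: host reachable, no listener
    except (socket.timeout, TimeoutError):
        return "filtered"          # no answer at all: packets dropped on the way
    except OSError as exc:
        # ICMP unreachable from a router or firewall also means "blocked upstream"
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise                      # DNS failure etc. is not a port state


def http01_verdict(state_80):
    """Map the port-80 state to what it means for an HTTP-01 challenge."""
    if state_80 == "open":
        return "port 80 reachable: HTTP-01 can be attempted"
    if state_80 == "closed":
        return "port 80 reaches a host with no listener: check the forwarding target"
    return "port 80 filtered: remove the firewall/ISP block or switch to DNS-01"


if __name__ == "__main__":
    # Run from OUTSIDE the network under test: python3 portcheck.py <hostname>
    if len(sys.argv) != 2:
        sys.exit("usage: portcheck.py <hostname>")
    for port in (80, 443):
        state = classify_port(sys.argv[1], port)
        print(f"{port}/tcp {state}")
        if port == 80:
            print("  ->", http01_verdict(state))
```

A `filtered` result here corresponds to the `i/o timeout` in the self-check error: the connection attempt gets no reply at all, which is different from a refused connection.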
