Hello
I have a problem with staging certificates. The environment is an OpenShift cluster with the current version of cert-manager (1.8.0) installed as an operator.
I have no problem with live certificates. That went well. I created a ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-live
spec:
  acme:
    email: mail@domain.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-live
    solvers:
    - http01:
        ingress:
          class: openshift-default
And a Certificate resource:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: letsencrypt-live-certificate
  namespace: test
spec:
  secretName: letsencrypt-live-secret
  issuerRef:
    name: letsencrypt-live
    kind: ClusterIssuer
  dnsNames:
  - "myhost"
  duration: 2160h
  renewBefore: 720h
  subject:
    organizations:
    - "my company"
("myhost" is only a placeholder here; I used the host from the route.) And as a result I get a secret with the certificate. Nice.
Then I created a second ClusterIssuer and used the staging API URL:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: mail@domain.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: openshift-default
The creation of both issuers went well.
But if I then use a Certificate resource for the staging environment (issuerRef pointing to my staging ClusterIssuer), I do not get the certificate. It stays in state pending, and if I open the challenge URL (https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/xyz) I get:
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}
I took a long look at the Google university and found on "letsencrypt zertifikate erstellen - fehlschlag - KeyHelp Community" that there might be a difference between the live and staging APIs.
But I do not know the difference or what I have to change to get staging certificates working. What I tried is to minimize the issuer (no mail) and the Certificate resource (deleting the parts from "duration" to the end).
Has anyone an idea?
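A triage helper for exactly this situation, added here as an example and not part of the original post. Per RFC 8555 an ACME challenge URL is read with POST-as-GET, so a plain browser GET answered with a 405 "Method not allowed" only says the HTTP method was rejected; it carries no information about why the order is stuck. The reason cert-manager is waiting is recorded on its Challenge object (`status.state`, `status.reason`, `status.presented`), which is what this script summarises. It assumes the `acme.cert-manager.io/v1` Challenge schema, and the embedded JSON is a constructed stand-in for the output of `kubectl get challenges -n test -o json`.

```python
#!/usr/bin/env python3
"""Summarise cert-manager Challenge objects to see why a Certificate is stuck Pending.

Added example (not from the original post). Assumes the acme.cert-manager.io/v1
Challenge schema: spec.type, spec.dnsName, spec.url, status.state, status.reason,
status.presented. SAMPLE_CHALLENGE_LIST is a constructed stand-in for:

    kubectl get challenges -n test -o json
"""
import json
from urllib.parse import urlparse

STAGING_HOST = "acme-staging-v02.api.letsencrypt.org"
PRODUCTION_HOST = "acme-v02.api.letsencrypt.org"

# Constructed sample: one pending HTTP-01 challenge issued via the staging API.
SAMPLE_CHALLENGE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "acme.cert-manager.io/v1",
            "kind": "Challenge",
            "metadata": {"name": "letsencrypt-staging-certificate-abc-0",
                         "namespace": "test"},
            "spec": {
                "type": "HTTP-01",
                "dnsName": "myhost",
                "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/xyz",
                "issuerRef": {"name": "letsencrypt-staging", "kind": "ClusterIssuer"},
            },
            "status": {
                "state": "pending",
                "presented": True,
                "processing": True,
                # Constructed reason text, in the style cert-manager reports.
                "reason": "Waiting for HTTP-01 challenge propagation: "
                          "wrong status code '404', expected '200'",
            },
        }
    ],
})


def acme_environment(challenge_url: str) -> str:
    """Classify which Let's Encrypt endpoint a challenge belongs to by hostname."""
    host = urlparse(challenge_url).hostname or ""
    if host == STAGING_HOST:
        return "staging"
    if host == PRODUCTION_HOST:
        return "production"
    return "other"


def summarize_challenges(challenge_list_json: str) -> list:
    """Return one dict per Challenge with the fields an operator needs first."""
    data = json.loads(challenge_list_json)
    summaries = []
    for item in data.get("items", []):
        spec = item.get("spec", {})
        status = item.get("status", {})
        summaries.append({
            "name": item["metadata"]["name"],
            "type": spec.get("type"),
            "dnsName": spec.get("dnsName"),
            "environment": acme_environment(spec.get("url", "")),
            "state": status.get("state", "unknown"),
            # presented=True means the solver ingress/pod for the token exists;
            # the CA just has not been able to validate it yet.
            "presented": bool(status.get("presented", False)),
            "reason": status.get("reason", ""),
        })
    return summaries


def stuck_challenges(challenge_list_json: str) -> list:
    """Challenges that are not yet valid; their 'reason' is the real diagnostic."""
    return [s for s in summarize_challenges(challenge_list_json) if s["state"] != "valid"]


if __name__ == "__main__":
    for s in summarize_challenges(SAMPLE_CHALLENGE_LIST):
        print(f"{s['name']}: {s['type']} for {s['dnsName']} via {s['environment']} "
              f"-> {s['state']} (presented={s['presented']})")
        if s["reason"]:
            print(f"  reason: {s['reason']}")
```

To run it against a real cluster, replace SAMPLE_CHALLENGE_LIST with the output of `kubectl get challenges -n <namespace> -o json`; the same chain can be followed upward with `kubectl describe certificate`, `certificaterequest` and `order` in that namespace, each of which carries the status of the next link.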