Can't get staging certificates with cert-manager on openshift

Hello :slight_smile:

I have a problem with staging certificates. The environment is an openshift cluster and the actual version of cert-manager (1.8.0) as operator.

I have no problem with live certificates. That went well. I created an ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-live
spec:
acme:
email: mail@domain.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-live
solvers:
- http01:
ingress:
class: openshift-default

And a certificate-ressource:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: letsencrypt-live-certificate
namespace: test
spec:
secretName: letsencrypt-live-secret
issuerRef:
name: letsencrypt-live
kind: ClusterIssuer
dnsNames:
- "myhost"
duration: 2160h
renewBefore: 720h
subject:
organizations:
- "my company"

("hyhost is only a placeholder here, I used the host from the route.) And as result I get a secret with the certificate. Nice.

Then I created a second Clusterissuer and used the staging api url:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: mail@domain.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: openshift-default

The creation of both issuers went well.

But if I then use a certificate ressource for the staging environment (issuerRef with my staging clusterissuer), I do not get the certificate. I stays in state pending and if I open the challenge URL (https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/xyz) I get:

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405
}

I took a long look at the google university and found on letsencrypt zertifikate erstellen - fehlschlag - KeyHelp Community that there might be a difference between the live and staging APIs.

But I do not know the difference or what I have to change to get staging certifiates working. What I tried is to minimalize the issuer (no mail) and the certificate-ressource (deleting parts beginning with "duration" to the end).

Has anyone an idea?

A tip with the staging server: you can replace /acme/ in the URL with /get/ to access it in a browser, as long as the challenge is sufficiently old (at least 15 minutes).

This won't have anything to do with your problems but it can be useful for troubleshooting.

3 Likes