Cert-Manager failing because associated order is in an "invalid" state

Hi, I'm unable to create certificate and cluster-issuer using helm chart getting error "The certificate request has failed to complete and will be retried: Failed to wait for order resource "ml-models-tls-secret-1-3822340619" to become ready: order is in "invalid" state" Im using helm chart for deploying

1. nginx-ingress-controller
2. cert-manager
3. cert-manager-issuer
4. my service/deployment

All this 4 im deploying using helm chart in AKS Cluster Below is the certificate showing False in ready state

kubectl get certificate -n test
NAME                   READY   SECRET                 AGE
ml-models-tls-secret   False   ml-models-tls-secret   88s

Here is the command to describe in details

kubectl describe certificate ml-models-tls-secret -n test
Events:
  Type     Reason     Age   From                                       Message
  ----     ------     ----  ----                                       -------
  Normal   Issuing    114s  cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal   Generated  114s  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "ml-models-tls-secret-xf8vl"
  Normal   Requested  114s  cert-manager-certificates-request-manager  Created new CertificateRequest resource "ml-models-tls-secret-1"
  Warning  Failed     82s   cert-manager-certificates-issuing          The certificate request has failed to complete and will be retried: Failed to wait for order resource "ml-models-tls-secret-1-3822340619" to become ready: order is in "invalid" state:

Here is showing secret

kubectl get secret -n test
NAME                                        TYPE                 DATA   AGE
sh.helm.release.v1.cert-manager-issuer.v1   helm.sh/release.v1   1      3m1s
sh.helm.release.v1.ml-models.v1             helm.sh/release.v1   1      2m23s

Here is the ingress attached to correct IP Address

kubectl get ingress -n test
NAME                CLASS   HOSTS             ADDRESS          PORTS     AGE
ingress-ml-models   nginx   me.ml.test.ai   20.233.205.227   80, 443   6m35s

Here is cluster issuer showing state in True

kubectl get clusterissuer
NAME             READY   AGE
letsencrypt-me   True    8m1s

Here is showing order in invalid state

kubectl get order -n test
NAME                                STATE     AGE
ml-models-tls-secret-1-3822340619   invalid   7m51s

Here is showing challenges in invalid state

kubectl get challenges -n test
NAME                                           STATE     DOMAIN            AGE
ml-models-tls-secret-1-3822340619-3896448402   invalid   me.ml.test.ai   9m15s

kubectl logs pod/cert-manager-8576d99cc8-vw4sj -n cert-manager

sync.go:403] "error waiting for authorization" err="acme: authorization error for me.ml.test.ai: 400 urn:ietf:params:acme:error:connection: 20.233.205.227: Fetching http://me.ml.test.ai/.well-known/acme-challenge/R1665D99bj_6hF1uG69ajDId8xXilq8rjomXrSG8T1o: Timeout during connect (likely firewall problem)" logger="cert-manager.controller.acceptChallenge" resource_name="ml-models-tls-secret-1-3822340619-3896448402" resource_namespace="test" resource_kind="Challenge" resource_version="v1" dnsName="me.ml.test.ai" type="HTTP-01" E0309 11:27:01.183367 1 controller.go:104] "Unhandled Error" err="ingress 'test/cm-acme-http-solver-wwbc6' in work queue no longer exists" logger="UnhandledError" I0309 11:27:01.568965 1 conditions.go:201] "Found status change for Certificate condition; setting lastTransitionTime" logger="cert-manager" certificate="test/ml-models-tls-secret" condition="Issuing" oldStatus="True" status="False" lastTransitionTime="2025-03-09 11:27:01.56894821 +0000 UTC m=+15172.283709596" I0309 11:27:01.582382 1 trigger_controller.go:202] "Backing off from issuance due to previously failed issuance(s). Issuance will next be attempted at 2025-03-09 12:27:01.0000008 +0000 UTC m=+18771.714762286" logger="cert-manager.controller" key="test/ml-models-tls-secret" I0309 11:27:01.611463 1 trigger_controller.go:202] "Backing off from issuance due to previously failed issuance(s). Issuance will next be attempted at 2025-03-09 12:27:01.0000007 +0000 UTC m=+18771.714762086" logger="cert-manager.controller" key="test/ml-models-tls-secret" E0309 11:27:01.885881 1 sync.go:75] "failed to update status" logger="cert-manager.controller" resource_name="ml-models-tls-secret-1-3822340619" resource_namespace="test" resource_kind="Order" resource_version="v1" I0309 11:27:01.885920 1 controller.go:152] "re-queuing item due to optimistic locking on resource" logger="cert-manager.controller" error="Operation cannot be fulfilled on orders.acme.cert-manager.io \"ml-models-tls-secret-1-3822340619\": the object has been modified; please apply your changes to the latest version and try again" lated_resource_kind="" related_resource_version="" E0309 11:26:04.054167 1 sync.go:208] "propagation check failed" err="wrong status code '502', expected '200'" logger="cert-manager.controller" resource_name="ml-models-tls-secret-1-3822340619-1399653640" resource_namespace="test" resource_kind="Challenge" resource_version="v1" dnsName="me.ml.test.ai" type="HTTP-01"

Please tell me where im wrong and i did it wrong

and also tell which one should i deploy first ingress-nginx or cert-manager or letsen

I don't have any specific advice as I don't know K8s very well. But, since it has been almost a day and no one has responded I thought I'd at least say this much.

You might want to ask on a K8s forum for help if no one else offers comments here. Also, be sure to review this guide:

And perhaps this Troubleshooting Guide

You'll likely find that http(over TCP port 80) just isn't working, possibly because it's blocked before it even reaches your k8s cluster, or the port isn't enabled. If you can get basic (external network) http requests working against your nginx that might help.