Cert-Manager, Letsencrypt in Kubernetes not giving me a Certification

I'm having a problem with Cert-Manager for days and I already tried everything to try to solve it, but nothing seems to work. I have a domain (example.com) and I want to create a certificate for multiple subdomains, for example (online.example.com & admin.example.com). For that I created an Issuer (I also tried with the ClusterIssuer and it didn't work). I leave the code for the Issuer below:

apiVersion: cert-manager.io/v1
#kind: ClusterIssuer
kind: Issuer
metadata:
  name: letsencrypt-example
  namespace: example-developement
spec:
  # ACME issuer configuration
  # `email` - the email address to be associated with the ACME account (make sure it's a valid one)
  # `server` - the URL used to access the ACME server’s directory endpoint
  # `privateKeySecretRef` - Kubernetes Secret to store the automatically generated ACME account private key
  acme:
    email: my_email@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-example-private-key
    solvers:
      # Use the HTTP-01 challenge provider
      - http01:
          ingress:
            class: nginx

and I also created an Ingress that listens for the desired ports and subdomains. I leave the code for the Ingress below:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-deployment
  namespace: example-developement
  annotations:
    #cert-manager.io/cluster-issuer: letsencrypt-example
    cert-manager.io/issuer: letsencrypt-example
    #acme.cert-manager.io/http01-edit-in-place: "true"
    kubernetes.io/ingress.class: "nginx"
spec:
  ingressClassName: nginx
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - secretName: letsencrypt-example
      hosts:
      - online.example.com
      - admin.example.com
      #- "*.example.com"
  rules:
    - host: online.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-deployment-1
                port:
                  number: 5000
    - host: admin.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-deployment-2
                port:
                  number: 5050

The two services are running because they are now ClusterIP services, but before they were NodePort services with an open NodePort for each service and they worked. The two services have those ports (5000, 5050) open and I verified multiple times that the domains are correct in the DNS settings, and there are no problems there. Before I tried the Cert-Manager I had the domains pointed to those services.

The Cert-Manager currently installed is the version 1.8.0, but I tried before with the version 1.11.0 and still didn't work.

The ACME challenge is constantly giving me the error:

  Token:       yOnqojz1VkV_7qiMS7SYr6RgqUoayv0Dr4R5VqCD4oo
  Type:        HTTP-01
  URL:         https://acme-v02.api.letsencrypt.org/acme/chall-v3/214222226707/pHSajg
  Wildcard:    false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://admin.example.com/.well-known/acme-challenge/yOnqojz1VkV_7qiMS7SYr6RgqUoayv0Dr4R5VqCD4oo': Get "http://admin.example.com/.well-known/acme-challenge/yOnqojz1VkV_7qiMS7SYr6RgqUoayv0Dr4R5VqCD4oo": EOF
  State:       pending
Events:
  Type    Reason     Age    From                     Message
  ----    ------     ----   ----                     -------
  Normal  Started    6m40s  cert-manager-challenges  Challenge scheduled for processing
  Normal  Presented  6m39s  cert-manager-challenges  Presented challenge using HTTP-01 challenge mechanism

And the certificaterequest is constantly pending, the order is pending, the challenges (there are two there) are both pending, the certificate is Ready=TRUE and the issuer is Ready=TRUE, but I still don't have my pages with valid certificates.

I waited a maximum of 8 hours for the pending message to change, but nothing happens. I have been stuck for 3 days on this with no clue. I tried to change the domain to "*.example.com", but it didn't work. I tried to change to ClusterIssuer but nothing works. I deleted the cluster and started all over to see if it would work, but it didn't change a thing.

I deleted the Ingress multiple times and uninstalled the Cert-Manager and installed it back again to see if it would work, but nothing changed as well.
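Two checks a practitioner would run on the setup above before touching anything else: does the Issuer/Ingress pairing line up (annotation, namespace, ingress class, and whether any requested name needs DNS-01 rather than HTTP-01), and what does the self-check failure in the Challenge status actually say. The script below is an added example, not the poster's code or cert-manager's; the manifests and the status text are constructed copies of what is posted above, reduced to the fields the checks read, and the `HINTS` table is the usual reading of each Go HTTP error text, not something cert-manager emits.

```python
import re

# Constructed from the Issuer and Ingress posted above (only the fields the
# checks look at); copies made for this example, not the poster's files.
ISSUER = {
    "kind": "Issuer",
    "metadata": {"name": "letsencrypt-example", "namespace": "example-developement"},
    "spec": {"acme": {"solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}},
}
INGRESS = {
    "metadata": {
        "namespace": "example-developement",
        "annotations": {
            "cert-manager.io/issuer": "letsencrypt-example",
            "kubernetes.io/ingress.class": "nginx",
        },
    },
    "spec": {
        "ingressClassName": "nginx",
        "tls": [{"secretName": "letsencrypt-example",
                 "hosts": ["online.example.com", "admin.example.com"]}],
        "rules": [{"host": "online.example.com"}, {"host": "admin.example.com"}],
    },
}

# Constructed excerpt of the `kubectl describe challenge` output posted above.
CHALLENGE_STATUS = """\
  Type:        HTTP-01
  Wildcard:    false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://admin.example.com/.well-known/acme-challenge/yOnqojz1VkV_7qiMS7SYr6RgqUoayv0Dr4R5VqCD4oo': Get "http://admin.example.com/.well-known/acme-challenge/yOnqojz1VkV_7qiMS7SYr6RgqUoayv0Dr4R5VqCD4oo": EOF
  State:       pending
"""


def lint_http01_pairing(issuer, ingress):
    """Return findings about the Issuer/Ingress pairing; [] means none found."""
    findings = []
    kind, name = issuer["kind"], issuer["metadata"]["name"]
    ann = ingress["metadata"].get("annotations", {})
    # ingress-shim selects the issuer through one of two annotations, by kind.
    ref_key = "cert-manager.io/issuer" if kind == "Issuer" else "cert-manager.io/cluster-issuer"
    if ann.get(ref_key) != name:
        findings.append(f"annotation {ref_key} does not reference {kind} {name}")
    if kind == "Issuer" and ingress["metadata"]["namespace"] != issuer["metadata"]["namespace"]:
        findings.append("a namespaced Issuer must be in the same namespace as the Ingress")
    solvers = issuer["spec"]["acme"]["solvers"]
    has_dns01 = any("dns01" in s for s in solvers)
    # The solver Ingress is created with this class; if it is not the controller
    # that serves the host, the /.well-known/acme-challenge path is never routed.
    ing_class = ingress["spec"].get("ingressClassName") or ann.get("kubernetes.io/ingress.class")
    for s in solvers:
        solver_class = s.get("http01", {}).get("ingress", {}).get("class")
        if solver_class and solver_class != ing_class:
            findings.append(f"http01 solver class {solver_class!r} != ingress class {ing_class!r}")
    rule_hosts = {r["host"] for r in ingress["spec"].get("rules", []) if "host" in r}
    for tls in ingress["spec"].get("tls", []):
        for host in tls.get("hosts", []):
            if host.startswith("*.") and not has_dns01:
                findings.append(f"{host}: wildcard names need a DNS-01 solver; HTTP-01 cannot validate them")
            elif host not in rule_hosts:
                findings.append(f"{host}: listed under tls but has no rule in this Ingress")
    return findings


# cert-manager fetches the token URL from its own pod before it tells the CA to
# validate, so a self-check failure means Let's Encrypt has not been involved yet.
# The readings below are the usual meaning of each Go HTTP client error text.
HINTS = {
    "dns": "the host name does not resolve from inside the cluster",
    "unreachable": "nothing reachable on port 80 at the resolved address (firewall, load balancer not forwarding 80)",
    "wrong_backend": "port 80 answered but not with the token: another Ingress or controller owns the path",
    "eof": "TCP connect to port 80 succeeded but the peer closed without an HTTP reply: whatever the pod "
           "resolved and reached is not the nginx controller serving this host (check in-cluster "
           "resolution of the name and hairpin/NAT back to the external IP)",
    "other": "unclassified; read the Reason text",
    "none": "no Reason present",
}


def triage_challenge(status_text):
    """Extract host, token and a failure category from a Challenge status dump."""
    m = re.search(r"^\s*Reason:\s+(.*)$", status_text, re.M)
    reason = m.group(1) if m else ""
    url = re.search(r"'http://([^/']+)/\.well-known/acme-challenge/([^']+)'", reason)
    host, token = url.groups() if url else (None, None)
    low = reason.lower()
    if "no such host" in low:
        cat = "dns"
    elif "connection refused" in low or "timeout" in low or "deadline exceeded" in low:
        cat = "unreachable"
    elif "404" in low:
        cat = "wrong_backend"
    elif re.search(r"\bEOF\b", reason):
        cat = "eof"
    else:
        cat = "other" if reason else "none"
    presented = re.search(r"^\s*Presented:\s+true", status_text, re.M) is not None
    return {"host": host, "token": token, "presented": presented,
            "category": cat, "hint": HINTS[cat]}


if __name__ == "__main__":
    print("pairing findings:", lint_http01_pairing(ISSUER, INGRESS) or "none")
    print("challenge triage:", triage_challenge(CHALLENGE_STATUS))
```

On the posted manifests the lint comes back clean, which is consistent with the status: the solver was presented, so the wiring inside the cluster worked, and the failure sits in the self-check, whose `EOF` says the pod connected to something on port 80 for `admin.example.com` that closed the connection without answering. Adding `*.example.com` to the `tls` hosts, as the poster tried, is flagged immediately because the Issuer only has an HTTP-01 solver.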

Hello @N.Miguel, welcome to the Let's Encrypt community. :slightly_smiling_face:

You are presently using an HTTP-01 challenge of the Challenge Types - Let's Encrypt; I would suggest looking at the DNS-01 challenge so that you can use a certificate containing a wildcard domain name, as an option. If you do consider the DNS-01 challenge, here is a list of DNS providers who easily integrate with Let's Encrypt DNS validation. That would also help, as HTTP-01 needs port 80: Best Practice - Keep Port 80 Open

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

