Cert-Manager, Letsencrypt in Kubernetes not giving me a Certification

I'm a problem with Cert-Manager for days and I already tried everything to try to solve it but nothing seems to work. I have a Domain (example.com) and I want to create a certificate for multiple subdomains, for example (online.example.com & admin.example.com). For that I created an Issuer (I also tried with the ClusterIssuer and didn't work). I leave the code for the Issuer bellow:

apiVersion: cert-manager.io/v1
#kind: ClusterIssuer
kind: Issuer
  name: letsencrypt-example
  namespace: example-developement
  # ACME issuer configuration
  # `email` - the email address to be associated with the ACME account (make sure it's a valid one)
  # `server` - the URL used to access the ACME server’s directory endpoint
  # `privateKeySecretRef` - Kubernetes Secret to store the automatically generated ACME account private key
    email: my_email@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
      name: letsencrypt-example-private-key
      # Use the HTTP-01 challenge provider
      - http01:
            class: nginx

and I also created an Ingress that listens for the desire ports and subdomains. I leave the code for the Ingress bellow:

apiVersion: networking.k8s.io/v1
kind: Ingress
  name: ingress-deployment
  namespace: example-developement
    #cert-manager.io/cluster-issuer: letsencrypt-example
    cert-manager.io/issuer: letsencrypt-example
    #acme.cert-manager.io/http01-edit-in-place: "true"
    kubernetes.io/ingress.class: "nginx"
  ingressClassName: nginx
  # This section is only required if TLS is to be enabled for the Ingress
    - secretName: letsencrypt-example
      - online.example.com
      - admin.example.com
      #- "*.example.com"
    - host: online.example.com
          - path: /
            pathType: Prefix
                name: example-deployment-1
                  number: 5000
    - host: admin.example.com
          - path: /
            pathType: Prefix
                name: example-deployment-2
                  number: 5050

The two services are running because they are now ClusterIP services, but before they were NodePort services with an open NodePort for each service and they worked. The two services have those ports (5000, 5050) open and I verified multiple times the domains if they are correct with the DNS settings and no problems there. Before I tried the Cert-Manager I had the domains pointed to those services.

The Cert-Manager currently installed is the version 1.8.0, but I tried before with the version 1.11.0 and still didn't work.

The challenge ACME is constantly giving me the error:

Token:       yOnqojz1VkV_7qiMS7SYr6RgqUoayv0Dr4R5VqCD4oo
  Type:        HTTP-01
  URL:         https://acme-v02.api.letsencrypt.org/acme/chall-v3/214222226707/pHSajg
  Wildcard:    false
  Presented:   true
  Processing:  true
  Reason:      Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://admin.example.com/.well-known/acme-challenge/yOnqojz1VkV_7qiMS7SYr6RgqUoayv0Dr4R5VqCD4oo': Get "http://admin.example.com/.well-known/acme-challenge/yOnqojz1VkV_7qiMS7SYr6RgqUoayv0Dr4R5VqCD4oo": EOF
  State:       pending
  Type    Reason     Age    From                     Message
  ----    ------     ----   ----                     -------
  Normal  Started    6m40s  cert-manager-challenges  Challenge scheduled for processing
  Normal  Presented  6m39s  cert-manager-challenges  Presented challenge using HTTP-01 challenge mechanism

And the certificaterequest is constantly pending, the order is pending, the challenges (there is two there) are both pending, the certificate id Ready=TRUE and the issuer is Ready=TRUE, but still don't have my pages with valid certificates.

I waited maximum 8 hours for the pending message to change, but nothing happens. I am stuck for 3 days in here with no clue. I tried to change the domain to "*.example.com", but it didn't work. I tried to change to ClusterIssuer but nothing works. I deleted the cluster and started all over to see if it would work but it didn't change a thing.

I deleted multiple times the the Ingress and uninstall the Cert-Manager and install it back again to see if it would work, but nothing changed as well.

Hello @N.Miguel, welcome to the Let's Encrypt community. :slightly_smiling_face:

You are presently using a HTTP-01 challenge of the Challenge Types - Let's Encrypt; I would suggest looking at DNS-01 challenge so that you can use a certificate containing wildcard domain name, as an option. If you do consider the DNS-01 challenge here is a list of DNS providers who easily integrate with Let's Encrypt DNS validation. That would help with as HTTP-01 needs Port 80; Best Practice - Keep Port 80 Open

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.