Certificate Request for a gandi domain for a k8s loadbalancer service is stuck in pending state

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: preprod.telecelplay.io

I ran this command: I deployed certificate manager on my k8s using the following manifest file

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: telecelplay-preprod
  namespace: telecelplay-preprod   # ignored: a ClusterIssuer is cluster-scoped
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: xyz@abc
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: telecelplay-xyz
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx

It produced this output: CertificateIssuer and Certificate are in ready state but CertificateRequest is not ready and shows 'Waiting on certificate issuance from order telecelplay-preprod/telecelplay-staging: "pending"'. Order and Challenge are stuck in pending state, with '* Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://preprod.telecelplay.io/.well-known/acme-challenge/_leuZIO3aZMt30krSnz_uNb_Gu5zFHKOcDZWBLn_qYE': Get "http://preprod.telecelplay.io/.well-known/acme-challenge/_leuZIO3aZMt30krSnz_uNb_Gu5zFHKOcDZWBLn_qYE": EOF' in the Challenge.

My web server is (include version): nginx/1.21.6

The operating system my web server runs on is (include version): OS Image Ubuntu 20.04.4 LTS 55eb8c8c71, Kubelet version v1.24.3

My hosting provider, if applicable, is: Gandi

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

That is not a valid email address.

3 Likes

Can you place a sample test file in that folder?
[So we can check if it can be accessed via the Internet]

This is BAD:

curl -Ii http://preprod.telecelplay.io/.well-known/acme-challenge/Test_File-1234

HTTP/1.1 403 Forbidden
Date: Fri, 06 Jan 2023 17:36:42 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive

5 Likes

cert-manager is trying to make this request but failing. This is the same request that the CA will make, but cert-manager isn't requesting that because it internally thinks it will fail.

  1. Make sure that URL is publicly accessible so the CA can check it.
  2. Make sure cert-manager is able to talk to that interface as well.

Without more details of how your kubernetes cluster network is set up, it's hard to make any more precise guidance.

8 Likes

@barf7709 Actually it's my mail id, just changed it for posting.

@rg305 It's * Waiting for HTTP-01 challenge propagation: failed to perform self check GET request 'http://preprod.telecelplay.io/.well-known/acme-challenge/_leuZIO3aZMt30krSnz_uNb_Gu5zFHKOcDZWBLn_qYE': Get "http://preprod.telecelplay.io/.well-known/acme-challenge/_leuZIO3aZMt30krSnz_uNb_Gu5zFHKOcDZWBLn_qYE": EOF

@mcpherrinm can you please guide what details are required for more precise guidance?

You are not reading the error message correctly.

All requests are faced with authentication required and fail.
You must not place such requirements on the challenge requests.

5 Likes
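A small probe script that does the two checks the replies above ask for (the test-file curl from the Internet, and the same request from inside the cluster where cert-manager's self check runs) and turns the status code into the diagnosis rg305 and mcpherrinm gave. This is an added example, not code from the thread or from cert-manager; the host, token and the curl pod image are placeholders you substitute.

```shell
#!/bin/sh
# Added example (not from the thread): probe an HTTP-01 challenge URL the way
# cert-manager's self check and the CA do, and explain the failure.
# Host, token and the curl image below are assumptions/placeholders.

ACME_PATH="/.well-known/acme-challenge"

# classify_status STATUS -> one-line diagnosis. curl reports "000" when no
# HTTP response came back at all; that is what cert-manager's "EOF" means
# (the connection was closed before a response).
classify_status() {
  case "$1" in
    200)             echo "ok: token served" ;;
    401|403)         echo "blocked: auth or ACL applies to $ACME_PATH, exempt it" ;;
    404)             echo "not-found: nothing routes $ACME_PATH to the solver" ;;
    301|302|307|308) echo "redirect: target must serve the token over http/https" ;;
    000)             echo "unreachable: no response (EOF), check LB/ingress path" ;;
    *)               echo "unexpected status $1" ;;
  esac
}

# probe_challenge HOST TOKEN -> prints "STATUS diagnosis" from this machine
# (the Internet-side view the CA will have). Never follows redirects, so a
# redirect is reported rather than silently resolved.
probe_challenge() {
  host="$1"; token="$2"
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "http://$host$ACME_PATH/$token" 2>/dev/null) || status=000
  echo "$status $(classify_status "$status")"
}

# probe_from_cluster HOST TOKEN -> same request from a throwaway pod, so the
# check sees the cluster network cert-manager's self check uses (step 2 above).
probe_from_cluster() {
  host="$1"; token="$2"
  status=$(kubectl run acme-probe --rm -i --restart=Never \
    --image=curlimages/curl -- \
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "http://$host$ACME_PATH/$token" 2>/dev/null | tail -n 1) || status=000
  [ -n "$status" ] || status=000
  echo "$status $(classify_status "$status")"
}

# Usage (after placing a test file named Test_File-1234 in the challenge path):
#   probe_challenge preprod.telecelplay.io Test_File-1234
#   probe_from_cluster preprod.telecelplay.io Test_File-1234
```

Run both probes with the same token: a 200 from both means the path is open and only the real token is missing; a 401/403 from either is the "authentication required" case in the last reply and the challenge path has to be exempted from whatever auth or ACL the ingress applies; a 000 from inside the cluster alone points at the load balancer or hairpin routing rather than at the web server.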