Certificate status is stuck in FALSE state

Hello, I just set up cert-manager with a Let's Encrypt ClusterIssuer.
When I tried to create a Kubernetes ingress, the cert was created but in FALSE state, and the challenges are stuck in PENDING state.

Error from challenges shows: Waiting for http-01 challenge propagation: wrong status code '404', expected '200'

letsencrypt-prod:

Name: letsencrypt-prod
Namespace:
Labels:
Annotations:
API Version: certmanager.k8s.io/v1alpha1
Kind: ClusterIssuer
Metadata:
Creation Timestamp: 2019-09-03T09:28:23Z
Generation: 2
Resource Version: 247873
Self Link: /apis/certmanager.k8s.io/v1alpha1/clusterissuers/letsencrypt-prod
UID: 2cd96251-ce2d-11e9-82c5-848f69e1c04f
Spec:
Acme:
Email: *******************
http01:
Private Key Secret Ref:
Name: letsencrypt-prod
Server: https://acme-v02.api.letsencrypt.org/directory
Status:
Acme:
Last Registered Email: ***************
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/***********
Conditions:
Last Transition Time: 2019-09-03T09:28:24Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events:

ingress:

Name: external-wordpress
Namespace: wordpress
Address: 11.0.0.36,11.0.0.45
Default backend: default-http-backend:80 ()
TLS:
wordpress-tls terminates blog.paloitcloud.com.sg
Rules:
Host Path Backends
blog.paloitcloud.com.sg
/.well-known/acme-challenge/u7vTuRvEYPch15hfEWTiGd9XUbRFJ-LXuKB7o_y9rEU cm-acme-http-solver-v98mb:8089 (10.42.2.9:8089)
/ external-service:80 (192.168.0.6:443)
Annotations:
nginx.ingress.kubernetes.io/from-to-www-redirect: true
nginx.ingress.kubernetes.io/permanent-redirect: https://b.paloitcloud.com.sg
nginx.ingress.kubernetes.io/ssl-redirect: true
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
kubernetes.io/tls-acme: true
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/secure-backends: true
certmanager.k8s.io/acme-http01-edit-in-place: true
field.cattle.io/publicEndpoints: [{"addresses":["11.0.0.36"],"port":443,"protocol":"HTTPS","serviceName":"wordpress:cm-acme-http-solver-v98mb","ingressName":"wordpress:external-wordpress","hostname":"blog.paloitcloud.com.sg","path":"/.well-known/acme-challenge/u7vTuRvEYPch15hfEWTiGd9XUbRFJ-LXuKB7o_y9rEU","allNodes":true},{"addresses":["11.0.0.36"],"port":443,"protocol":"HTTPS","serviceName":"wordpress:external-service","ingressName":"wordpress:external-wordpress","hostname":"blog.paloitcloud.com.sg","path":"/","allNodes":true}]
Events:
Type Reason Age From Message
Normal CREATE 4m12s nginx-ingress-controller Ingress wordpress/external-wordpress
Normal CREATE 4m12s nginx-ingress-controller Ingress wordpress/external-wordpress
Normal CreateCertificate 4m12s cert-manager Successfully created Certificate "wordpress-tls"
Normal UPDATE 3m51s (x3 over 4m10s) nginx-ingress-controller Ingress wordpress/external-wordpress
Normal UPDATE 3m51s (x3 over 4m10s) nginx-ingress-controller Ingress wordpress/external-wordpress

certificate:

Name: wordpress-tls
Namespace: wordpress
Labels:
Annotations:
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-09-03T09:32:46Z
Generation: 2
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: external-wordpress
UID: c9dad3ae-ce2d-11e9-82c5-848f69e1c04f
Resource Version: 248594
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/wordpress/certificates/wordpress-tls
UID: c9dbd29f-ce2d-11e9-82c5-848f69e1c04f
Spec:
Acme:
Config:
Domains:
blog.paloitcloud.com.sg
http01:
Ingress: external-wordpress
Dns Names:
blog.paloitcloud.com.sg
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod
Secret Name: wordpress-tls
Status:
Conditions:
Last Transition Time: 2019-09-03T09:32:46Z
Message: Certificate issuance in progress. Temporary certificate issued.
Reason: TemporaryCertificate
Status: False
Type: Ready
Events:
Type Reason Age From Message
Normal OrderCreated 6m4s cert-manager Created Order resource "wordpress-tls-1424225308"

challenge:

Name: wordpress-tls-1424225308-0
Namespace: wordpress
Labels: acme.cert-manager.io/order-name=wordpress-tls-1424225308
Annotations:
API Version: certmanager.k8s.io/v1alpha1
Kind: Challenge
Metadata:
Creation Timestamp: 2019-09-03T09:32:48Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 4
Owner References:
API Version: certmanager.k8s.io/v1alpha1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: wordpress-tls-1424225308
UID: c9de73aa-ce2d-11e9-82c5-848f69e1c04f
Resource Version: 248619
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/wordpress/challenges/wordpress-tls-1424225308-0
UID: caac4663-ce2d-11e9-82c5-848f69e1c04f
Spec:
Authz URL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/159262939
Config:
http01:
Ingress: external-wordpress
Dns Name: blog.paloitcloud.com.sg
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod
Key: u7vTuRvEYPch15hfEWTiGd9XUbRFJ-LXuKB7o_y9rEU.ZdVrcRAApk77sHsqfEUWSNz9a9Zu6bg5QScLJtjpW0o
Token: u7vTuRvEYPch15hfEWTiGd9XUbRFJ-LXuKB7o_y9rEU
Type: http-01
URL: https://acme-v02.api.letsencrypt.org/acme/chall-v3/159262939/UqERSA
Wildcard: false
Status:
Presented: true
Processing: true
Reason: Waiting for http-01 challenge propagation: wrong status code '404', expected '200'
State: pending
Events:
Type Reason Age From Message
Normal Started 7m30s cert-manager Challenge scheduled for processing
Normal Presented 7m30s cert-manager Presented challenge using http-01 challenge mechanism

This is an error reported by a preflight check inside cert-manager. It does not come from Let's Encrypt.

I think that this should perhaps be filed as a support issue or bug with the cert-manager project.

1 Like
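The check discussed in the reply above can be reproduced by hand. The following is an added example, not code from this thread or from cert-manager: it requests the challenge path and expects status 200 with the challenge Key as the body, the same shape of check that produces the message in the Challenge status. The function names, the sample token/key and the local stand-in solver are assumptions made for illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"
# Ignore proxy environment variables so the request goes straight to the host.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def self_check(base_url, token, key, timeout=5):
    """Return (ok, reason) for an http-01 style propagation check."""
    url = base_url.rstrip("/") + ACME_PATH + token
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode().strip()
    except urllib.error.HTTPError as err:  # non-2xx answers land here
        status, body = err.code, ""
    except OSError as err:  # DNS failure, refused connection, timeout
        return False, f"request failed: {err}"
    if status != 200:
        return False, f"wrong status code '{status}', expected '200'"
    if body != key:
        return False, "response body does not match the challenge key"
    return True, "challenge is reachable"

def start_solver(challenges):
    """Constructed stand-in for a solver pod: serves {token: key} only."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else ""
            key = challenges.get(token)
            self.send_response(200 if key else 404)
            self.end_headers()
            self.wfile.write((key or "not found").encode())
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def demo():
    token, key = "sample-token", "sample-token.sample-thumbprint"  # constructed values
    server, base = start_solver({token: key})
    try:
        # First call hits the served token; second asks for a path nobody serves.
        return self_check(base, token, key), self_check(base, "other-token", key)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

To run the same check against a real deployment, pass the ingress hostname as `base_url` and the Token and Key values from the Challenge spec; a 404 here means the request is not reaching the solver service behind the ingress.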
