Error 503 using cert-manager

Hello,

I’m using cert-manager version 0.10.1 and my certificates are not getting generated. Here is the full error:

cert-manager/controller/challenges "msg"="propagation check failed" "error"="wrong status code '503', expected '200'" "dnsName"="nantes.apecconnect.apec.fr" "resource_kind"="Challenge" "resource_name"="nantes.apecconnect.apec.fr-cert-3638574816-0" "resource_namespace"="eventmaker" "type"="http-01"

Looks like Let's Encrypt returns a 503 status code when I want to request a challenge. Does anyone know what may be going on? Am I blacklisted? Same thing when I try with another domain …

Can you try to upgrade your cert-manager?
The latest version is 0.12.0

In 0.11.0 cert-manager changed the name (website) for their API spaces due to upstream policy, so your 503 error might be caused by one of the API changes, since the old domain is no longer available.

Hi @robinmonjo

That's not a Let's Encrypt error, that's a check of cert-manager.

Cert-manager expects HTTP status 200, but sees a 503.

But curious: there are checks of your domain, ~20 minutes old - https://check-your-website.server-daten.de/?q=nantes.apecconnect.apec.fr

There is no HTTP status 503 visible.

-->> Check if there is an update, perhaps an internal bug.

Thank you all for your answers. I just deleted the ingresses that were having trouble and recreated them, and everything went back to normal. I plan to upgrade cert-manager, but transitioning from 0.10 to 0.11 seems risky … Will tackle this another day :)

My guess is that I had a couple of domains not properly configured (at the DNS level), so cert-manager was looping constantly and asking Let's Encrypt to validate a challenge. These requests made the Let's Encrypt API blacklist me and answer me with 503 every time. I cleaned up the domains, waited 10 minutes to let the Let's Encrypt API have some rest, created my domains again, and it works. Is this a possible scenario?

If your DNS is wrong, the cert-manager precheck can't work.

Yes, exactly, but those were domains that used to be properly configured; then customers changed the CNAME. I’m pretty sure the Let's Encrypt API has some kind of rate limiting after this experience. Having a confirmation about this would comfort me as we rely a lot on Let's Encrypt …

That's the reason the precheck may not work.

Rate limits have the status 429, not 503. And the error isn't a Let's Encrypt error; these look completely different.

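As an added illustration of the distinction drawn in the replies above (not part of the original thread and not cert-manager's own code), this Python script parses log lines in the format quoted in the first post and counts failed propagation checks per domain and status. `THREAD_LINE` is the line from the first post; every other sample line is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# "key"="value" pairs, as in the log line quoted in the first post.
PAIR = re.compile(r'"([^"]+)"="((?:[^"\\]|\\.)*)"')
STATUS = re.compile(r"wrong status code '(\d{3})', expected '(\d{3})'")

def triage(line):
    """Describe a failed propagation check; None for any other line."""
    f = dict(PAIR.findall(line))
    if f.get("msg") != "propagation check failed":
        return None
    m = STATUS.search(f.get("error", ""))
    return {
        "domain": f.get("dnsName"),
        "namespace": f.get("resource_namespace"),
        "challenge": f.get("resource_name"),
        "got": int(m.group(1)) if m else None,
        "expected": int(m.group(2)) if m else None,
        # Per the replies: this status comes from cert-manager's own check,
        # not from Let's Encrypt, whose rate limits answer 429.
        "origin": "cert-manager check",
    }

def summarize(lines):
    """Count failures per (domain, status) to spot a challenge that keeps retrying."""
    return Counter((h["domain"], h["got"]) for h in map(triage, lines) if h)

def sample_line(domain, got, msg="propagation check failed"):
    """Build a constructed line in the same format (hypothetical helper)."""
    return ('cert-manager/controller/challenges "msg"="%s" '
            '"error"="wrong status code \'%s\', expected \'200\'" '
            '"dnsName"="%s" "type"="http-01"' % (msg, got, domain))

THREAD_LINE = (  # verbatim from the first post
    'cert-manager/controller/challenges "msg"="propagation check failed" '
    '"error"="wrong status code \'503\', expected \'200\'" '
    '"dnsName"="nantes.apecconnect.apec.fr" "resource_kind"="Challenge" '
    '"resource_name"="nantes.apecconnect.apec.fr-cert-3638574816-0" '
    '"resource_namespace"="eventmaker" "type"="http-01"')

# Constructed samples: a repeat, another domain, and an unrelated message.
SAMPLE = [THREAD_LINE, sample_line("nantes.apecconnect.apec.fr", 503),
          sample_line("shop.example.test", 404),
          sample_line("shop.example.test", 200, msg="constructed other event")]

if __name__ == "__main__":
    for (domain, status), n in summarize(SAMPLE).items():
        print(f"{domain}: HTTP {status} seen {n}x by cert-manager's own check")
```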

OK, so I’m in the dark on what happened … I’ll keep a close eye on my logs. Anyway, I know I can get quick help here, that’s awesome. Again, thank you!
