Hi. My domain is test01.locky.me
We use the Kubernetes add-on cert-manager to automate issuance of certificates, and we have a strange problem. We have a configuration which normally works for one server but doesn't work for another.
The domain is test01.locky.me. When we try to get a certificate using HTTP validation, the challenge starts, but then we get this error in the logs:
I0529 12:19:07.435434 1 controller.go:213] cert-manager/controller/challenges "level"=0 "msg"="syncing resource" "key"="test/test01lockyme-3966551427-0"
I0529 12:19:07.436132 1 pod.go:58] cert-manager/controller/challenges/http01/selfCheck/http01/ensurePod "level"=0 "msg"="found one existing HTTP01 solver pod" "dnsName"="test01.locky.me" "related_resource_kind"="Pod" "related_resource_name"="cm-acme-http-solver-xvh8t" "related_resource_namespace"="test" "resource_kind"="Challenge" "resource_name"="test01lockyme-3966551427-0" "resource_namespace"="test" "type"="http-01"
I0529 12:19:07.436254 1 service.go:43] cert-manager/controller/challenges/http01/selfCheck/http01/ensureService "level"=0 "msg"="found one existing HTTP01 solver Service for challenge resource" "dnsName"="test01.locky.me" "related_resource_kind"="Service" "related_resource_name"="cm-acme-http-solver-cbkbl" "related_resource_namespace"="test" "resource_kind"="Challenge" "resource_name"="test01lockyme-3966551427-0" "resource_namespace"="test" "type"="http-01"
I0529 12:19:07.436345 1 ingress.go:91] cert-manager/controller/challenges/http01/selfCheck/http01/ensureIngress "level"=0 "msg"="found one existing HTTP01 solver ingress" "dnsName"="test01.locky.me" "related_resource_kind"="Ingress" "related_resource_name"="cm-acme-http-solver-hnd6d" "related_resource_namespace"="test" "resource_kind"="Challenge" "resource_name"="test01lockyme-3966551427-0" "resource_namespace"="test" "type"="http-01"
E0529 12:19:10.455477 1 sync.go:180] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://test01.locky.me/.well-known/acme-challenge/LKc3v0sB53eDkc6haj9QQtFBuebvOFutQnC3_b1RLWQ': Get http://test01.locky.me/.well-known/acme-challenge/LKc3v0sB53eDkc6haj9QQtFBuebvOFutQnC3_b1RLWQ: dial tcp 95.216.76.14:80: connect: no route to host" "dnsName"="test01.locky.me" "resource_kind"="Challenge" "resource_name"="test01lockyme-3966551427-0" "resource_namespace"="test" "type"="http-01"
I0529 12:19:10.455695 1 controller.go:219] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="test/test01lockyme-3966551427-0"
It seems like the Let's Encrypt server can't get access to test01.locky.me because of "no route to host". The challenge URL is accessible. At the same time, with the same configuration, on another Kubernetes cluster, test02.locky.me, everything is ok.
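The "propagation check failed" line in the post comes from cert-manager's own HTTP-01 self-check (the logger path contains selfCheck, and the error text says "failed to perform self check GET request"): the cert-manager controller pod fetches the challenge URL through the public address itself, and only asks the ACME server to validate once that fetch succeeds. A "dial tcp ...: connect: no route to host" there is therefore a TCP connect failure from inside the cluster, not a report from Let's Encrypt. The script below is an added example, not part of the original post and not cert-manager code: it parses challenge-controller log lines in the format shown, pulls out the dial target and connect error, and sorts each failure into a category. The sample log is the post's own lines with straight quotes; the category names, the list of reachability causes and all helper functions are my own.

```python
"""Classify cert-manager HTTP-01 "propagation check failed" log lines (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the challenge-controller lines from the post, with plain
# double quotes (the forum rendering shows curly ones).
SAMPLE_LOGS = """\
I0529 12:19:07.435434 1 controller.go:213] cert-manager/controller/challenges "level"=0 "msg"="syncing resource" "key"="test/test01lockyme-3966551427-0"
I0529 12:19:07.436132 1 pod.go:58] cert-manager/controller/challenges/http01/selfCheck/http01/ensurePod "level"=0 "msg"="found one existing HTTP01 solver pod" "dnsName"="test01.locky.me" "related_resource_kind"="Pod" "related_resource_name"="cm-acme-http-solver-xvh8t" "related_resource_namespace"="test" "resource_kind"="Challenge" "resource_name"="test01lockyme-3966551427-0" "resource_namespace"="test" "type"="http-01"
E0529 12:19:10.455477 1 sync.go:180] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://test01.locky.me/.well-known/acme-challenge/LKc3v0sB53eDkc6haj9QQtFBuebvOFutQnC3_b1RLWQ': Get http://test01.locky.me/.well-known/acme-challenge/LKc3v0sB53eDkc6haj9QQtFBuebvOFutQnC3_b1RLWQ: dial tcp 95.216.76.14:80: connect: no route to host" "dnsName"="test01.locky.me" "resource_kind"="Challenge" "resource_name"="test01lockyme-3966551427-0" "resource_namespace"="test" "type"="http-01"
I0529 12:19:10.455695 1 controller.go:219] cert-manager/controller/challenges "level"=0 "msg"="finished processing work item" "key"="test/test01lockyme-3966551427-0"
"""

# klog prefix: severity letter + MMDD, time, pid, file:line], logger name, key/value pairs.
_PREFIX = re.compile(
    r'^(?P<sev>[IWEF])(?P<date>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+\d+ '
    r'(?P<src>\S+:\d+)\] (?P<logger>\S+)\s*(?P<kv>.*)$'
)
# "key"="quoted value" or "key"=bare; the values in these lines carry no inner double quotes.
_KV = re.compile(r'"(?P<k>[^"]+)"=(?:"(?P<q>[^"]*)"|(?P<b>\S+))')
_GET_URL = re.compile(r"self check GET request '(?P<url>[^']+)'")
_DIAL = re.compile(r"dial tcp (?P<target>\S+?): connect: (?P<cause>.+)$")

# Connect-level causes (my own list): the TCP connection from the controller pod to the
# public address never completed, so nothing about the solver's content was checked.
_REACHABILITY_CAUSES = (
    "no route to host", "connection refused", "i/o timeout",
    "network is unreachable", "no such host",
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one klog line into its prefix fields plus the logged key/value pairs."""
    m = _PREFIX.match(line)
    if not m:
        return None
    rec = {"severity": m["sev"], "time": m["time"], "logger": m["logger"]}
    for kv in _KV.finditer(m["kv"]):
        rec[kv["k"]] = kv["q"] if kv["q"] is not None else kv["b"]
    return rec


def classify(err: str) -> str:
    """Name the failure class of a self-check error string (category names are mine)."""
    dial = _DIAL.search(err)
    if dial and any(c in dial["cause"].lower() for c in _REACHABILITY_CAUSES):
        return "in_cluster_reachability"  # controller pod could not open TCP to the public IP
    if "wrong status code" in err:
        return "solver_response"  # something answered on the port, but not the solver
    return "unknown"


def diagnose(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per 'propagation check failed' error line."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["severity"] != "E" or rec.get("msg") != "propagation check failed":
            continue
        err = rec.get("error", "")
        url = _GET_URL.search(err)
        dial = _DIAL.search(err)
        findings.append({
            "time": rec["time"],
            "dnsName": rec.get("dnsName", ""),
            "challenge": f'{rec.get("resource_namespace", "")}/{rec.get("resource_name", "")}',
            "url": url["url"] if url else "",
            # last path element of the challenge URL is the ACME token
            "token": url["url"].rsplit("/", 1)[-1] if url else "",
            "target": dial["target"] if dial else "",
            "cause": dial["cause"] if dial else err,
            "category": classify(err),
        })
    return findings


def explain(finding: Dict[str, str]) -> str:
    """One-line reading of a finding for the person debugging the cluster."""
    if finding["category"] == "in_cluster_reachability":
        return (
            f"cert-manager's own self-check from the controller pod could not connect to "
            f"{finding['target']} ({finding['cause']}); the ACME server has not been asked to "
            f"validate {finding['dnsName']} yet. Test the same URL from a pod in this cluster."
        )
    if finding["category"] == "solver_response":
        return f"{finding['target'] or finding['dnsName']} answered, but not with the solver's token."
    return f"unclassified self-check error: {finding['cause']}"


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOGS):
        print(f["time"], f["challenge"], f["category"])
        print("  ", explain(f))
```

The useful next step this suggests is to run the same GET from a throwaway pod on the failing cluster (for example with kubectl run and curl against the challenge URL) and compare with a GET from outside; if the in-cluster request gets "no route to host" while the external one succeeds, the problem is the path from pods to the cluster's own public address, not Let's Encrypt.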