Is this a DNS configuration error, or is it related to the k8s and cert-manager configuration?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nmis-digf-sarif-a.nms.strath.ac.uk

I ran this command: sudo certbot certonly --nginx --test-cert

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): nmis-digf-sarif-a.nms.strath.ac.uk
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nmis-digf-sarif-a.nms.strath.ac.uk
Waiting for verification...
Challenge failed for domain nmis-digf-sarif-a.nms.strath.ac.uk
http-01 challenge for nmis-digf-sarif-a.nms.strath.ac.uk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): nginx

The operating system my web server runs on is (include version): kubernetes cluster run on Ubuntu 20.04

My hosting provider, if applicable, is: local host

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
/usr/bin/certbot:6: DeprecationWarning: pkg_resources is deprecated as an API. See Package Discovery and Resource Access using pkg_resources - setuptools 68.0.0.post20230808 documentation
from pkg_resources import load_entry_point
certbot 0.40.0

"Is this a DNS configuration error, or is it related to the k8s and cert-manager configuration?"
I don't see a DNS error.
I see:

I would review the entire nginx config.

3 Likes

Thanks for your reply!

I am not sure how to select the from the certbot instruction page. Currently, it's an nginx, nginx-ingress controller and cert-manager in the k8s master. I can confirm the first will be 'nginx', but I don't see k8s in the second selection list.

For the ingress, I deployed:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-resource
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - nmis-digf-sarif-a.nms.strath.ac.uk
    secretName: letsencrypt-staging
  rules:
  - host: nmis-digf-sarif-a.nms.strath.ac.uk
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
1 Like

As @rg305 said, this is an incredibly outdated Certbot - dating back to 2019-11-05.

In the (almost) 4 years since that release, the majority of updates to Certbot have been involved with addressing issues and edge cases with Nginx and Apache plugins.

It is honestly not worth attempting to troubleshoot your situation until you update Certbot to a more recent version, as that is likely to solve your problem or give more informative errors.

4 Likes

Supplemental information:
The certificate presently being served was issued by (STAGING) Artificial Apricot R3 that is from the Staging Environment.
This certificate https://search.censys.io/certificates/cae1afdabf51f9109e0a0af3e9eb4cbc0ea8cbc571330960a44322cfe90ba661

https://decoder.link/sslchecker/nmis-digf-sarif-a.nms.strath.ac.uk/443
https://www.ssllabs.com/ssltest/analyze.html?d=nmis-digf-sarif-a.nms.strath.ac.uk

$ curl -k -Ii http://nmis-digf-sarif-a.nms.strath.ac.uk/.well-known/acme-challenge/sometestfile
HTTP/1.1 308 Permanent Redirect
Date: Fri, 11 Aug 2023 01:48:49 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://nmis-digf-sarif-a.nms.strath.ac.uk/.well-known/acme-challenge/sometestfile

$ curl -k -Ii https://nmis-digf-sarif-a.nms.strath.ac.uk/.well-known/acme-challenge/sometestfile
HTTP/2 404
date: Fri, 11 Aug 2023 01:48:54 GMT
content-type: text/html
content-length: 153
strict-transport-security: max-age=15724800; includeSubDomains

And the certificate being served as seen by openssl s_client -showcerts -servername nmis-digf-sarif-a.nms.strath.ac.uk -connect nmis-digf-sarif-a.nms.strath.ac.uk:443 < /dev/null

$ openssl s_client -showcerts -servername nmis-digf-sarif-a.nms.strath.ac.uk -connect nmis-digf-sarif-a.nms.strath.ac.uk:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
verify return:1
depth=0 CN = nmis-digf-sarif-a.nms.strath.ac.uk
verify return:1
---
Certificate chain
 0 s:CN = nmis-digf-sarif-a.nms.strath.ac.uk
   i:C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  9 12:50:09 2023 GMT; NotAfter: Nov  7 12:50:08 2023 GMT
 1 s:C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
   i:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
   i:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = nmis-digf-sarif-a.nms.strath.ac.uk
issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4662 bytes and written 416 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
2 Likes

Supplemental on DNS
https://unboundtest.com/m/A/nmis-digf-sarif-a.nms.strath.ac.uk/HJ3E4EK5
https://dnsviz.net/d/nmis-digf-sarif-a.nms.strath.ac.uk/dnssec/
https://dnssec-debugger.verisignlabs.com/nmis-digf-sarif-a.nms.strath.ac.uk
https://www.hardenize.com/report/nmis-digf-sarif-a.nms.strath.ac.uk/1691718057#domain_dns
https://dnsspy.io/scan/strath.ac.uk

$ nslookup nmis-digf-sarif-a.nms.strath.ac.uk dns0.strath.ac.uk.
Server:         dns0.strath.ac.uk.
Address:        130.159.248.11#53

Name:   nmis-digf-sarif-a.nms.strath.ac.uk
Address: 130.159.132.219

I concur with @rg305

3 Likes

I'm really confused what you're trying to do. If you're using cert-manager with a ClusterIssuer, what do you need certbot for?

5 Likes
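
What the `letsencrypt-staging` ClusterIssuer named in the Ingress annotation could look like, as an added example (not a manifest posted in this thread). The e-mail address and the account-key secret name are assumptions; with an issuer like this, cert-manager requests and solves the HTTP-01 challenge itself, without certbot.

```yaml
# Added example, not a manifest from this thread.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  # Must match the Ingress annotation cert-manager.io/cluster-issuer
  name: letsencrypt-staging
spec:
  acme:
    # Let's Encrypt staging directory (issues the "(STAGING)" chain)
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Placeholder contact address (assumption)
    email: admin@example.com
    # ACME account key; hypothetical name, kept distinct from the
    # Ingress TLS secretName so the two secrets are not confused
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
    - http01:
        ingress:
          # Same class as spec.ingressClassName in the Ingress above.
          # cert-manager creates a temporary solver Ingress that serves
          # /.well-known/acme-challenge/<token> through this controller.
          # Older cert-manager releases use `class: nginx` here instead.
          ingressClassName: nginx
```

When issuance through cert-manager fails, `kubectl describe challenge` in the Ingress's namespace shows the reason the ACME server gave for the failed HTTP-01 validation.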
