Hello.
The domain is area.3di.it
I followed this guide:
and I am attempting the HTTP challenge.
If I give:
kubectl -n default get certificateRequest -o wide
NAME APPROVED DENIED READY ISSUER REQUESTOR STATUS AGE
tls-area-ingress-http-25rzz True False area-challenge system:serviceaccount:cert-manager:cert-manager Failed to wait for order resource "tls-area-ingress-http-25rzz-3094969806" to become ready: order is in "errored" state: Failed to retrieve Order resource: 400 urn:ietf:params:acme:error:malformed: KeyID header contained an invalid account URL: "https://acme-v02.api.letsencrypt.org/acme/acct/2103372487"
Do you have some suggestions on how to fix it, or documentation about Let's Encrypt and cert-manager in Kubernetes?
Kindest regards to you all.
KeyID header contained an invalid account URL: "https://acme-v02.api.letsencrypt.org/acme/acct/.....
This error means you've tried to use a production account against the staging server.
I'm not an expert at cert-manager, but I think if you change your privateKeySecretRef it'll make a new account against whatever server you currently have configured.
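As an added example (not code from this thread, nor from cert-manager's own docs), here is one way to apply the advice above: keep one Issuer per ACME server, each with its own privateKeySecretRef, so the account key registered against production is never presented to staging or vice versa. The Issuer names, Secret names and contact e-mail are assumed placeholders; the domain area.3di.it and the Certificate/Secret name tls-area-ingress-http are taken from the thread.

```yaml
# Added example, not the thread author's manifests.
# Two Issuers, two distinct account-key Secrets: cert-manager registers a
# separate ACME account for each server, so the KeyID sent to staging is a
# staging account URL and the one sent to production is a production URL.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: area-challenge-staging          # assumed name
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com            # assumed contact address
    privateKeySecretRef:
      name: acme-account-key-staging    # Secret holding the STAGING account key only
    solvers:
      - http01:
          ingress:
            class: traefik              # solver Ingress handled by Traefik on port 80
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: area-challenge-production       # assumed name
  namespace: default
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com            # assumed contact address
    privateKeySecretRef:
      name: acme-account-key-production # Secret holding the PRODUCTION account key only
    solvers:
      - http01:
          ingress:
            class: traefik
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tls-area-ingress-http
  namespace: default
spec:
  secretName: tls-area-ingress-http     # created only once issuance succeeds
  dnsNames:
    - area.3di.it
  issuerRef:
    name: area-challenge-staging        # switch to area-challenge-production after staging succeeds
    kind: Issuer
```

Apply with kubectl apply -f, then check kubectl -n default get issuer and kubectl -n default describe order. Pointing the Certificate at the staging Issuer first keeps repeated failed attempts away from production rate limits, and changing the issuerRef later does not reuse the staging account because the two Issuers never share a Secret.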
kubectl -n default get issuer -o wide
NAME READY STATUS AGE
area-challenge True The ACME account was registered with the ACME server 16h
kubectl -n default get certificateRequest -o wide
NAME APPROVED DENIED READY ISSUER REQUESTOR STATUS AGE
tls-area-ingress-http-555xv True False area-challenge system:serviceaccount:cert-manager:cert-manager Failed to wait for order resource "tls-area-ingress-http-555xv-3094969806" to become ready: order is in "errored" state: Failed to retrieve Order resource: 404 urn:ietf:params:acme:error:malformed: No order found for account ID 2103372487 12h
kubectl -n default get certificates
NAME READY SECRET AGE
tls-area-ingress-http False tls-area-ingress-http 16h
kubectl -n default describe secret tls-area-ingress-http
Error from server (NotFound): secrets "tls-area-ingress-http" not found
Reading my original reference again, it seems that: HTTP challenge
For most common scenarios the HTTP-01 challenge is a convenient start to solve an ACME based validation. To make this scenario work, Traefik Proxy needs to be reachable from the internet on HTTP port 80, and the used DNS domain has to be configured to point to it. Maybe the issue is that I have not touched the DNS?
If I ask for the logs of the Traefik pod I can see
ERR error="service port not found: 80" ingress=area-ingress namespace=default providerName=kubernetescrd
ERR Error configuring TLS error="secret default/tls-area-ingress-http does not exist" ingress=area-ssl-ingress namespace=default providerName=kubernetes
ERR error="service port not found: 80" ingress=area-ingress namespace=default providerName=kubernetescrd
Maybe the certificates are failing for that reason? Or is that just another issue I have?
There are two main ways to validate your domain control: http-01 (validate your domain using http on TCP port 80) or dns-01 (validate your domain using a TXT record in DNS).
If your service can provide challenge responses over http (TCP port 80) then you can continue to use that approach.
As an aside, you perhaps already know this but Kubernetes is an incredibly sophisticated platform for scalable service hosting and is specifically designed for very large scale systems, it's not the easiest way to host something. If your service only has one instance, do not use Kubernetes, instead I would suggest just hosting your app directly on a linux virtual machine.
Maybe deleting it and making it again is working.
It is now in Pending state.
kubectl -n default get certificateRequest -o wide
NAME APPROVED DENIED READY ISSUER REQUESTOR STATUS AGE
tls-area-ingress-http-xxhhd True False area-challenge system:serviceaccount:cert-manager:cert-manager Waiting on certificate issuance from order default/tls-area-ingress-http-xxhhd-3094969806: "pending" 51s