Question regarding self signed certificate and http-01 challenge


#1

Hey everyone,

I’m currently running jetstack/cert-manager on a Kubernetes cluster. I have a setup that creates a self-signed certificate on install for the gateway, and I redirect all HTTP traffic to HTTPS. Now, for some installs of the application I want to switch to Let’s Encrypt certificates. To do so I’m creating a new resource, and cert-manager creates the ACME order with http-01 validation (can’t use dns-01). But from then on, nothing happens. The order status stays at pending (for http-01 and all others).

I tried the system with HTTP (80) validation and it worked. Also, if I install a valid Let’s Encrypt certificate and then delete it, cert-manager requests a new one, which works too (I’m not sure if there is a shortcut or if this gets validated through a new challenge again?). I’ve tested the redirect with a `curl -v -L -k` command to follow the redirect and accept the certificate, and it returns the key on the challenge path.

From what I could find here, the HTTP -> HTTPS redirect should be allowed (?), but I couldn’t find anything about whether the insecure self-signed certificate would be allowed too.

This is more of a “concept” question rather than needing help fixing an issue, and since I’m currently in development the system would be mostly down again. But if someone can confirm that my use case should actually already work, then I’ll set up an environment where I’d be happy if someone could help me out 🙂

Besides that, I’d be excited to hear tips on how to debug such issues, since I don’t get any errors in the system and the order status does not have any feedback either.

Sorry for the lengthy text!
Thanks for reading & helping out!


#2

Hi @LiVe

Both are allowed. When validating via the http-01 challenge, Let’s Encrypt follows redirects.

And ignores certificate errors.

So you can start with a self-signed or expired certificate. Or with a certificate with the wrong name.


#3

Hi @LiVe,

@JuergenAuer’s answer is correct (thanks!) - redirects from port 80 for the authorization domain are allowed to port 80/443 of another domain (not bare IP addresses and not any other ports). Any certificates received on 443 are not validated. I don’t know that we have that documented anywhere user-facing, but you can verify it is true experimentally and with the Boulder source code for the Let’s Encrypt validation authority (VA).
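
A self-check that mimics the validator behaviour described in this answer, added here as an example and not part of this thread, of Boulder or of cert-manager: it fetches the challenge URL over plain HTTP, follows redirects only to port 80/443 of a hostname (never a bare IP or another port), and ignores TLS certificate errors on 443. The names `redirect_allowed` and `check_challenge` are my own, and the expected key authorization string is supplied by the caller.

```python
import ipaddress
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Redirect rules from the answer above: only http/https, only ports 80 and
# 443, and only to a hostname (bare IP addresses are rejected).
SCHEME_DEFAULT_PORT = {"http": 80, "https": 443}
ALLOWED_PORTS = {80, 443}


def redirect_allowed(location: str) -> bool:
    """Return True if a Location target is one the validator would follow."""
    parts = urlsplit(location)
    if parts.scheme not in SCHEME_DEFAULT_PORT or not parts.hostname:
        return False
    try:
        ipaddress.ip_address(parts.hostname)
        return False  # bare IPv4/IPv6 address: not followed
    except ValueError:
        pass  # a hostname, as required
    port = parts.port or SCHEME_DEFAULT_PORT[parts.scheme]
    return port in ALLOWED_PORTS


class _StrictRedirects(urllib.request.HTTPRedirectHandler):
    """Refuse redirects the validator would refuse instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_allowed(newurl):
            raise urllib.error.HTTPError(
                newurl, code, "redirect target not allowed by http-01 rules", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def check_challenge(domain: str, token: str, key_authorization: str,
                    timeout: float = 10.0) -> bool:
    """Fetch http://<domain>/.well-known/acme-challenge/<token> like the VA.

    The TLS context deliberately skips certificate verification, because the
    validator does not validate the certificate it meets after a redirect.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        _StrictRedirects(), urllib.request.HTTPSHandler(context=ctx))
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    with opener.open(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace").strip()
    return body == key_authorization
```

Run `check_challenge("example.com", "<token>", "<token>.<thumbprint>")` against the domain being validated; a `False` result or an HTTPError from the redirect handler points at the gateway, while `True` means the remaining problem is on the client side, as in the cert-manager self-check mentioned later in the thread.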


#4

Thank you @JuergenAuer and @cpu!

Because of your clarification I think I was able to track down the issue. It looks like an issue with cert-manager (it tries to validate the certificate on a self-check). I’ve contacted them to clarify if that’s a bug, but besides that, everything else should work fine. Thanks again!!