Stop acme-challenge from retrying

My domain is: app.books.8om.io

I am using cert-manager in my Kubernetes cluster on IBM Cloud.
When I was configuring for the first time, I made a few mistakes, but my domain now runs fine on https.

However, my server logs mention that there are still some acme-challenge HTTP calls being made to the server, resulting in 404, and they are irrelevant. It has been happening for over 2 months now.

I want to stop them. Is there a way to do that?

What’s the IP address of the requester? Is it Let’s Encrypt or is it the cert-manager preflight?

1 Like

I am not too sure. Here is the request.

127.0.0.1 - - [03/Jun/2020:08:39:23 +0000] "GET /.well-known/acme-challenge/Bh47ah1DUyh_TWk2CrTCHFemEvUqBc7n6BXOZxxxxxx HTTP/1.1" 404 - "http://stage.books.8om.io/.well-known/acme-challenge/Bh47ah1DUyh_TWk2CrTCHFemEvUqBc7n6BXOZxxxxxx" "Go-http-client/1.1" "-"

This is from another domain that I am getting issues with.

Yes, that's cert-manager's preflight request. This means there's some open Certificate resource which includes that domain, which continues trying to fulfill itself.

You should be able to locate the offending Certificate resource using kubectl or the Kubernetes web interface and delete it.

1 Like
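Added example, not part of the thread: a small Python triage script that groups `/.well-known/acme-challenge/` hits in an access log by Referer host, requester type and status, so you can see which hostnames are still being checked and by whom. The log layout and the `Go-http-client/1.1` agent are taken from the line quoted above; the Let's Encrypt validation User-Agent substring, the function names and the sample lines are assumptions added here, and User-Agent values are client-supplied, so treat the labels as hints.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Layout of the log line quoted in the thread: client, timestamp, request,
# status, size, referer, user agent (a trailing quoted field is ignored).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
ACME_PREFIX = "/.well-known/acme-challenge/"


def classify(agent):
    """Heuristic requester label from the User-Agent header."""
    if "Let's Encrypt validation server" in agent:  # assumed CA validator agent
        return "letsencrypt-validation"
    if agent.startswith("Go-http-client/"):  # the agent seen in the thread
        return "go-client-self-check"
    return "other"


def summarize(lines):
    """Count ACME challenge hits per (referer host, requester label, status)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ACME_PREFIX):
            continue  # unparsable line or unrelated request
        host = urlsplit(m["referer"]).hostname or "-"
        counts[(host, classify(m["agent"]), int(m["status"]))] += 1
    return counts


# Constructed sample lines modelled on the one in the thread; tokens are placeholders.
SAMPLE = [
    '127.0.0.1 - - [03/Jun/2020:08:39:23 +0000] "GET /.well-known/acme-challenge/TOKEN-A HTTP/1.1" 404 - "http://stage.books.8om.io/.well-known/acme-challenge/TOKEN-A" "Go-http-client/1.1" "-"',
    '127.0.0.1 - - [03/Jun/2020:08:39:33 +0000] "GET /.well-known/acme-challenge/TOKEN-A HTTP/1.1" 404 - "http://stage.books.8om.io/.well-known/acme-challenge/TOKEN-A" "Go-http-client/1.1" "-"',
    '203.0.113.10 - - [03/Jun/2020:08:40:01 +0000] "GET /.well-known/acme-challenge/TOKEN-B HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)" "-"',
    '198.51.100.7 - - [03/Jun/2020:08:41:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0" "-"',
]

if __name__ == "__main__":
    for (host, who, status), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:5d}  {status}  {who:24s} {host}")
```

Hostnames that keep appearing under the self-check label with 404 are the ones to search for in Certificate, CertificateRequest, Order and Challenge resources.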

I just have this.

➜ kubectl get certificates --all-namespaces
NAMESPACE      NAME           READY   SECRET         AGE
istio-system   ingress-cert   True    ingress-cert   76d

From the looks of it, it is already fine.

Humm. Are there any CertificateRequest, Order or Challenge resources?

I’m not a cert-manager user myself, but it seems to me that there should be some sign of it in the form of a resource.

➜ kubectl get CertificateRequest --all-namespaces
NAMESPACE      NAME                      READY   AGE
istio-system   ingress-cert-3740439329   True    17d

➜ kubectl get Order --all-namespaces
NAMESPACE      NAME                                STATE   AGE
istio-system   ingress-cert-3740439329-276182855   valid   17d

➜ kubectl get Challenge --all-namespaces
No resources found

Does this help?

I’m not sure where the request would be coming from, then. Might be worth asking on the cert-manager Slack channel.
