Stop acme-challenge from retrying

harshmaur · June 3, 2020, 7:36am

I am using cert-manager in my kubernetes cluster on IBM Cloud.
When I was configuring for the first time, I made a few mistakes, but my domain now runs fine on https.

However my server logs mention that there are still some acme-challenges http calls being made to the server resulting in 404 and they are irrelevant. It has been happening for over 2 months now.

I want to stop them. Is there a way to do that?

_az · June 3, 2020, 8:20am

What’s the IP address of the requester? Is it Let’s Encrypt or is it the cert-manager preflight?

harshmaur · June 3, 2020, 8:41am

I am not too sure. here is the request.

127.0.0.1 - - [03/Jun/2020:08:39:23 +0000] "GET /.well-known/acme-challenge/Bh47ah1DUyh_TWk2CrTCHFemEvUqBc7n6BXOZxxxxxx HTTP/1.1" 404 - "http://stage.books.8om.io/.well-known/acme-challenge/Bh47ah1DUyh_TWk2CrTCHFemEvUqBc7n6BXOZxxxxxx" "Go-http-client/1.1" "-"

This is from another domain that I am getting issues with.

_az · June 3, 2020, 8:46am

Yes, that's cert-manager's preflight request. This means there's some open Certificate resource which includes that domain, which continues trying to fulfill itself.

You should be able to locate the offending Certificate resource using kubectl or the Kubernetes web interface and delete it.

harshmaur · June 3, 2020, 9:17am

I just have this.

➜ kubectl get certificates --all-namespaces
NAMESPACE NAME READY SECRET AGE
istio-system ingress-cert True ingress-cert 76d

From the looks of it, it is already fine.

_az · June 3, 2020, 9:30am

Humm. Are there any CertificateRequest, Order or Challenge resources?

I’m not a cert-manager user myself, but it seems to me that there should be some sign of it in the form of a resource.

harshmaur · June 3, 2020, 10:21am

➜ kubectl get CertificateRequest --all-namespaces
NAMESPACE      NAME                      READY   AGE
istio-system   ingress-cert-3740439329   True    17d

➜ kubectl get Order --all-namespaces
NAMESPACE      NAME                                STATE   AGE
istio-system   ingress-cert-3740439329-276182855   valid   17d

➜ kubectl get Challenge --all-namespaces
No resources found

Does this help?

_az · June 3, 2020, 10:35am

I’m not sure where the request would be coming from, then. Might be worth asking on the cert-manager Slack channel.

system · July 3, 2020, 10:35am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kubernetes cert-manager Challenge Failing with ACME Unauthorized Error Help	6	943	August 11, 2024
HTTP 01 challenges Help	9	1370	March 16, 2022
Kubernetes cert-manager silently gives up after creating HTTP-01 challenge file? Help	6	1113	May 2, 2022
Issue with certificate using cert-manager Kubernetes Help	3	1993	April 29, 2020
Internal Network and DNS challenge with Cert Manager Help	6	4994	July 14, 2019

Stop acme-challenge from retrying

Related topics