The client lacks sufficient authorization: letsencrypt POD fails to start in K8S

lsambolino · June 11, 2020, 9:25am

Hi, I am spinning up a simple nginx+letsencrypt deployment in minikube to replicate a production environment locally. I launch letsencrypt image by a kubernetes job.

My domain is: kubernetes-letsencrypt.luigisambolino
I ran this command: kubectl logs letsencrypt-job-56m8m -n default
It produced this output:

NAMESPACE: default
HOME: /root
PID: 7
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
Please see the logfiles in /var/log/letsencrypt for more details.
/entrypoint.sh: line 24:     7 Terminated              python -m SimpleHTTPServer 80
DOMAINS: kubernetes-letsencrypt.luigisambolino
ls: cannot access '/etc/letsencrypt/live/kubernetes-letsencrypt.luigisambolino': No such file or directory.

My web server is: nginx 1.15.0
The operating system my web server runs on is (include version): kubernetes v.1.13 over minikube v.1.11.0. Host OS is Windows 10
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine: Yes on both Windows Host OS and minikube, the pod fails to start
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is: unable to login into the pod due to failing in starting

The kubernetes job is as follows:

apiVersion: batch/v1
kind: Job
metadata:
  name: letsencrypt
  labels:
    app: letsencrypt
spec:
  template:
    metadata:
      name: letsencrypt
      labels:
        app: letsencrypt
    spec:
      containers:
      - image: sjenning/kube-nginx-letsencrypt:0.8.1-1
        name: letsencrypt
        imagePullPolicy: Always
        ports:
        - name: letsencrypt
          containerPort: 80
        env:
        - name: DOMAINS
          value: kubernetes-letsencrypt.luigisambolino
        - name: EMAIL
          value: admin@example.com
        - name: SECRET
          value: nginx
        - name: DEPLOYMENT
          value: nginx
      restartPolicy: Never

How should I start the letsencrypt job successfully ?

JuergenAuer · June 11, 2020, 9:30am

Hi @lsambolino

please read your error message:

Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555.

lsambolino · June 11, 2020, 10:32am

Hi JuergenAuer,
Thanks for supporting. I switched to installing certbot inside the nginx pod and I am now trying to register the domain there. I will update asap. I wonder if the error related to the client version is linked to the image I linked to in the job manifest.

system · July 11, 2020, 10:32am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.