Unable to create certificate for Kubernetes web-app. cert-manager/challenges: propagation check failed" err="wrong status code '503', expected '200'"

Hello! I am working on deploying my app in a k8s cluster. So, I decided to enable HTTPS connections to my application. I've created a DNS name on the Noip website and connected it with the IP of my k8s cluster.
After that, I deployed cert-manager, ClusterIssuer, Certificate and then Ingress.

So, after applying a certificate, I have an issue. Here are some logs from the certificate-manager pod:

I0629 13:50:39.836830       1 service.go:45] "cert-manager/challenges/http01/selfCheck/http01/ensureService: found one existing HTTP01 solver Service for challenge resource" resource_name="cert-pd292-3618130802-4138407347" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="nodeart.bounceme.net" type=HTTP-01 related_resource_name="cm-acme-http-solver-k2vs5" related_resource_namespace="default" related_resource_kind="" related_resource_version=""
I0629 13:50:39.836965       1 ingress.go:99] "cert-manager/challenges/http01/selfCheck/http01/ensureIngress: found one existing HTTP01 solver ingress" resource_name="cert-pd292-3618130802-4138407347" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="nodeart.bounceme.net" type=HTTP-01 related_resource_name="cm-acme-http-solver-56pdn" related_resource_namespace="default" related_resource_kind="Ingress" related_resource_version="v1"
E0629 13:50:39.840308       1 sync.go:190] "cert-manager/challenges: propagation check failed" err="wrong status code '503', expected '200'" resource_name="cert-pd292-3618130802-4138407347" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="nodeart.bounceme.net" type=HTTP-01

Can you help me with this, please?

1 Like

Hello @Artyom2, welcome to the Let's Encrypt community. 🙂

Using the online tool Let's Debug yields these results https://letsdebug.net/nodeart.bounceme.net/1533951

ReservedAddress
Fatal
A private, inaccessible, IANA/IETF-reserved IP address was found for nodeart.bounceme.net. Let's Encrypt will always fail HTTP validation for any domain that is pointing to an address that is not routable on the internet. You should either remove this address and replace it with a public one or use the DNS validation method instead.
192.168.59.100 

The IPv4 address 192.168.59.100 is part of IPv4 Private Address Space and Filtering and cannot be used for the HTTP-01 challenge of the Challenge Types - Let's Encrypt

3 Likes

It's the IP of my k8s cluster...
But how can I reach the website?

Sorry, but I do not know about k8s clusters.
Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.

2 Likes

Maybe you know the information about getting a certificate for your local DNS?

Maybe this is of help: Certificates for localhost - Let's Encrypt

2 Likes

There are a whole bunch of references answering your concern. READ ON!

3 Likes

Either:

  • switch to a public IP [might not be possible]
  • switch to DNS authentication
    [automation requires using a DSP and an ACME client that support DNS zone updates via API]
3 Likes
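
The ReservedAddress finding from Let's Debug can be reproduced locally before a certificate is requested. The following is an added example, not part of the original thread or of cert-manager: it classifies the addresses a hostname resolves to and reports whether HTTP-01 validation could reach them. The function names and the public sample address 8.8.8.8 are assumptions chosen for illustration.

```python
import ipaddress
import socket
import sys

# RFC 6598 shared (carrier-grade NAT) space, named separately for a clearer reason.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def classify(addr):
    """Return 'public' or the reason the address is not reachable from the internet."""
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and ip in CGNAT:
        return "shared (CGNAT)"
    if ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return "reserved"
    if ip.is_private:
        return "private"
    return "public"

def http01_preflight(addresses):
    """Classify every address and decide whether HTTP-01 can possibly succeed.

    Mirrors the ReservedAddress finding quoted in the thread: one non-routable
    address is treated as fatal, as is a name with no addresses at all.
    """
    report = {a: classify(a) for a in addresses}
    blockers = sorted(a for a, c in report.items() if c != "public")
    return {"ok": bool(report) and not blockers, "blockers": blockers, "report": report}

def resolve(hostname):
    """A/AAAA lookup through the system resolver (needs network access)."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    # Constructed sample: the address reported in the thread plus one public
    # address for contrast. Pass a hostname as argv[1] to check live DNS instead.
    sample = ["192.168.59.100", "8.8.8.8"]
    addrs = resolve(sys.argv[1]) if len(sys.argv) > 1 else sample
    result = http01_preflight(addrs)
    for addr, cls in result["report"].items():
        print(f"{addr:40} {cls}")
    print("HTTP-01 possible:", result["ok"])
```

A failed preflight points to the two options listed above: publish a public address for the name, or switch to DNS validation.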
