
AWS secrets don't seem to be used for ACME validation #526

Closed
groner opened this issue Sep 22, 2017 · 1 comment

Comments

@groner

commented Sep 22, 2017

I'm trying to get Voyager to get a certificate from Let's Encrypt. I've created a secret containing AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY and I've created a Voyager certificate TPR referencing that secret.

The Voyager operator logs show it failing to make the call to Route 53, and the error message indicates it is using the identity provided to the EC2 host the pod is running on, rather than the expected identity associated with the access key mentioned above.

I0922 22:03:44.692800       1 controller.go:225] trying to retrive acmeUser data
I0922 22:03:44.696485       1 controller.go:252] ACMEUserInfo data found is secretacme-jenkins2-cert
I0922 22:03:44.764078       1 logs.go:19] [INFO][jenkins2.x.io] acme: Obtaining bundled SAN certificate
I0922 22:03:45.309837       1 logs.go:19] [INFO][jenkins2.x.io] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/xxx...
I0922 22:03:45.309869       1 logs.go:19] [INFO][jenkins2.x.io] acme: Could not find solver for: tls-sni-01
I0922 22:03:45.309877       1 logs.go:19] [INFO][jenkins2.x.io] acme: Could not find solver for: http-01
I0922 22:03:45.309884       1 logs.go:19] [INFO][jenkins2.x.io] acme: Trying to solve DNS-01
I0922 22:03:45.685164       1 controller.go:183] Error occurred for jenkins2.x.io, reason Error presenting token: Failed to determine Route 53 hosted zone ID: AccessDenied: User: arn:aws:sts::111111111111:assumed-role/kube24-Nodepool1-U5VAGNWC1MHX-IAMRoleWorker-EG19YHC6EJ7S/i-01d5e28d360712cfc is not authorized to perform: route53:ListHostedZonesByName
        status code: 403, request id: e72fd92f-9fe1-11e7-a9be-2bd1577fb68c
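The diagnostic the reporter made by eye can be automated. The Go example below is an added illustration, not Voyager's own code: it parses the AccessDenied text that the AWS SDK surfaces in the operator log, records which principal actually made the Route 53 call and which action it lacked, and compares that with the identity the referenced Secret should have produced. The precedence in CredentialsFor (Secret keys first, node instance profile only as a fallback) is an assumption about the intended behaviour taken from the report, not a description of how the controller resolves credentials. The sample log line is the one from the report above, with its identifiers unchanged.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is the failing line quoted in the issue report (constructed input for this example).
const sampleLog = `I0922 22:03:45.685164       1 controller.go:183] Error occurred for jenkins2.x.io, reason Error presenting token: Failed to determine Route 53 hosted zone ID: AccessDenied: User: arn:aws:sts::111111111111:assumed-role/kube24-Nodepool1-U5VAGNWC1MHX-IAMRoleWorker-EG19YHC6EJ7S/i-01d5e28d360712cfc is not authorized to perform: route53:ListHostedZonesByName`

// AccessDenied holds the two facts an IAM AccessDenied message gives you:
// which identity made the call, and which action that identity lacked.
type AccessDenied struct {
	Principal   string // full caller ARN
	Action      string // e.g. route53:ListHostedZonesByName
	AssumedRole bool   // true when the caller is an STS assumed role (an instance profile looks like this)
}

// denyRe matches the AccessDenied fragment embedded in the operator log line.
var denyRe = regexp.MustCompile(`AccessDenied: User: (arn:aws:(?:sts|iam)::[0-9]{12}:[^ ]+) is not authorized to perform: ([A-Za-z0-9]+:[A-Za-z0-9]+)`)

// ParseAccessDenied extracts principal and action from a log line; ok is false
// when the line carries no AccessDenied error.
func ParseAccessDenied(line string) (AccessDenied, bool) {
	m := denyRe.FindStringSubmatch(line)
	if m == nil {
		return AccessDenied{}, false
	}
	return AccessDenied{
		Principal:   m[1],
		Action:      m[2],
		AssumedRole: strings.Contains(m[1], ":assumed-role/"),
	}, true
}

// Creds is the identity a DNS-01 solver would hand to its Route 53 client.
type Creds struct {
	AccessKeyID     string
	SecretAccessKey string
	Source          string // "secret" or "instance-profile"
}

// CredentialsFor models the precedence the reporter expected (an assumption for
// this example, not the controller's logic): a usable key pair in the referenced
// Secret wins; only when it is absent does the solver fall back to the node's
// instance profile.
func CredentialsFor(secret map[string]string, instanceProfileAvailable bool) (Creds, error) {
	id, key := secret["AWS_ACCESS_KEY_ID"], secret["AWS_SECRET_ACCESS_KEY"]
	if id != "" && key != "" {
		return Creds{AccessKeyID: id, SecretAccessKey: key, Source: "secret"}, nil
	}
	if instanceProfileAvailable {
		return Creds{Source: "instance-profile"}, nil
	}
	return Creds{}, errors.New("no AWS credentials available for the DNS-01 solver")
}

// Diagnose compares what the log says happened with what the Secret should have
// produced and names the mismatch: a Secret was supplied, yet the call went out
// under the node's assumed role.
func Diagnose(secret map[string]string, line string) string {
	denied, ok := ParseAccessDenied(line)
	if !ok {
		return "no AccessDenied error in line"
	}
	want, err := CredentialsFor(secret, true)
	if err != nil {
		return err.Error()
	}
	if want.Source == "secret" && denied.AssumedRole {
		return fmt.Sprintf("solver used node role %s instead of the Secret's access key; call lacked %s", denied.Principal, denied.Action)
	}
	return fmt.Sprintf("identity %s lacks %s; grant it or correct the Secret", denied.Principal, denied.Action)
}

func main() {
	// Constructed Secret contents; the key values are placeholders.
	secret := map[string]string{"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEKEY", "AWS_SECRET_ACCESS_KEY": "example-secret"}
	fmt.Println(Diagnose(secret, sampleLog))
}
```

Run against the reporter's line, Diagnose reports that the call was made under the node's assumed role even though the Secret held a key pair, which is exactly the symptom described above; a line without an AccessDenied fragment is reported as such rather than misclassified.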
@tamalsaha

Member

commented Sep 23, 2017

#506 should fix this issue.

tamalsaha added a commit that referenced this issue Sep 24, 2017

Reimplement certificate controller (#506)
Fixes #505
Fixes #370
Fixes #382
Fixes #526 
Fixes #366 
Fixes #393 
Fixes #356

tamalsaha added a commit that referenced this issue Dec 13, 2017

Reimplement certificate controller (#506)
Fixes #505
Fixes #370
Fixes #382
Fixes #526 
Fixes #366 
Fixes #393 
Fixes #356