Route53 DNS01 cannot process due to refused error #1627
Comments
hi @nmiculinic, this is a problem in the k8s internal cluster; to solve it, just add this to your cert-manager config yaml:

```yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    chart: cert-manager-v0.7.2
    release: cert-manager
    heritage: Tiller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
      release: cert-manager
  template:
    metadata:
      labels:
        app: cert-manager
        release: cert-manager
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: cert-manager
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-controller:v0.7.2"
          imagePullPolicy: IfNotPresent
          args:
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            - --leader-election-namespace=$(POD_NAMESPACE)
            - --dns01-recursive-nameservers="8.8.8.8:53"
            - --dns01-recursive-nameservers-only
          ports:
            - containerPort: 9402
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
```

or in the helm values config: extraArg: For me this is an information problem in the cert-manager documentation, but I will open a PR for this.
@wiltonfelix Thanks! I've noticed that you have used Also, could you edit your comment and add markdown format to it by using triple backticks? (check this)
@PabloCastellano,
Issues go stale after 90d of inactivity.
Stale issues rot after 30d of inactivity.
Rotten issues close after 30d of inactivity.
@retest-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen Do we have documentation around this problem?
@chrislovecnm: You can't reopen an issue/PR unless you authored it or you are a collaborator. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
#1627 (comment) fixed the problem on EKS
Describe the bug:
In kubernetes I have cert-manager providing TLS certificates. It correctly created the TXT entry on route53, but it cannot fetch it for some reason.
Expected behaviour:
Correctly fetch the `_acme-challenge.ascalia.io.` TXT entry which was successfully set up in an earlier step.
Steps to reproduce the bug:
Anything else we need to know?:
The route53 credentials have full route53 admin permissions
helm setup:
Certificate in question:
Logs:
There exists a private zone ascalia.io, though I see cert-manager create the DNS TXT entry in the proper public zone.
Environment details:
/kind bug
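To reproduce the split-horizon situation behind this issue outside of cert-manager, here is an added example (not from this thread or from the cert-manager project) that sends a raw TXT query for `_acme-challenge.ascalia.io` to each resolver named on the command line using only the Python standard library, so the answer from the cluster's own resolver can be compared with the answer from a public recursor such as 8.8.8.8. The record name is taken from the issue; the resolver addresses are whatever you pass in, and a REFUSED reply shows up as rcode 5.

```python
import os, socket, struct, sys

def build_txt_query(name, txid):
    """One-question DNS query, recursion desired, for TXT <name>."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x10\x00\x01"

def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln, off = pkt[off], off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            end = off + 1 if end is None else end
            off = ((ln & 0x3F) << 8) | pkt[off]
            continue
        if ln == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(pkt[off:off + ln].decode())
        off += ln

def parse_txt_answers(pkt, txid):
    """Return (rcode, TXT strings) from a reply; rcode 0 is NOERROR, 5 is REFUSED."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off, txts = 12, []
    for _ in range(qd):  # skip the echoed question section
        off = _read_name(pkt, off)[1] + 4
    for _ in range(an):
        off = _read_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == 16 and i < rdlen:  # TXT rdata is a run of <len><chars> strings
            txts.append(rdata[i + 1:i + 1 + rdata[i]].decode())
            i += 1 + rdata[i]
    return flags & 0x000F, txts

def query_txt(name, resolver, port=53, timeout=3.0):
    """Ask one resolver directly over UDP, bypassing the host's /etc/resolv.conf."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name, txid), (resolver, port))
        return parse_txt_answers(s.recv(4096), txid)

if __name__ == "__main__":
    for resolver in sys.argv[1:]:  # e.g. the cluster's kube-dns IP and 8.8.8.8
        print(resolver, query_txt("_acme-challenge.ascalia.io", resolver))
```

If the public recursor returns the token while the cluster resolver returns REFUSED or an empty answer, the private zone is shadowing the public one and `--dns01-recursive-nameservers` is the right fix.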