ingress-gce: ACME certificates fail to issue for the first time #1343
Comments
If you have a reliable repro (like a very small manual Ingress file), I recommend filing that to the

I'll put something more formal together, but the repro is basically creating a Secret that contains only a An error is then returned by the GCP API, which smells to me like ingress-gce isn't ever checking Whilst this could be seen as a bug on their end, I think we should probably do something to mitigate this case anyway? Interested to know what you think 😄

I think ingress-gce shouldn't be making a GCE API request when That said, even after the bug is fixed, it may take several months for the fix to ship. So I'd say maybe suggest GKE users use an older version of cert-manager?

Rather than have GKE users run an older version, I think we'll modify cert-manager to generate a self-signed cert or similar in the meantime, or otherwise advise users to just create the Certificate resource themselves without using ingress-shim. Advising users to use a version we don't support anymore seems like bad practice 😬, especially given the fairly substantial differences in v0.6.
Hi, I'm having exactly the same error on certificate issue for the first time.
Is there any solution for now? I'm new to Kubernetes. So can someone explain to me what the steps are to fix it?

I had the same issue and generated a self-signed cert using the Hope that helps and tl;dr is make sure every domain in the ingress file resolves to the IP served by the ingress (I use external DNS with GoDaddy)
Hi All,
What I'm missing here

I've got just one domain in my ingress hosts list and I know it's pointing to the correct IP. I'm still getting these events. If I'm reading that correctly, it needs a certificate to be able to create a certificate. Is that correct? I'm on v0.11 with ingress-nginx.

I am using version 0.12 and got the below error

I'm having this same issue. I tried it with the ingress shim and with my own dns01 issuer and I get the same problem.

I'm also having this same issue within my k8s cluster. On 0.12.0
I had the same problem with ingress-gce on the GKE platform, solved by:
After some time the ingress will pull the new certificate from Let's Encrypt and start using it.

I did not get the 3rd point. In which file do I need to edit this block? @ashitikov suggestion, please.

@munnerz seems like the regression is "back"? Or are the steps in this comment the official way to solve it? #1343 (comment)
I use the ClusterIssuer kind in this way:
and the ingress manifest's annotation section should be:
I don't understand the whole process of acquiring certificates by cert-manager, but to me:
More info about the http01-edit-in-place annotation: https://cert-manager.io/docs/usage/ingress/

Hi, why was this issue closed?

We just came across this issue too, running 0.13.0. I managed to fix it by swapping the issuer out for the self-signed one, waiting for the Ingress sync and then switching it back to use the ACME issuer.
Is your feature request related to a problem? Please describe.
When using ingress-shim to automatically generate a Certificate resource for a GCE ingress using v0.6.0, if an existing Secret containing a signed keypair does not exist ahead of time, ingress-gce will enter a state where it won't update the GCLB in the google api to add the HTTP01 challenge solver paths.
Users will see an error such as:
when running `kubectl describe` on their ingress resource.

Describe the solution you'd like
This is a new bug introduced in v0.6 - notably because as part of v0.6, we now generate a private key for the certificate before obtaining the signed certificate. This means we leave the Secret resource with only a `tls.key` entry, and no `tls.crt`. This leads ingress-gce to throw errors, because `tls.crt` is empty. It then refuses to update the paths, which prevents the HTTP01 challenge passing.

We should automatically generate a self-signed certificate if only a private key has been generated and no certificate already exists. This is probably useful behaviour for all Issuer types that only return private keys that need to be persisted sometimes.
Describe alternatives you've considered
In the meantime, users can either:
the `ingress.spec.tls[]` entry temporarily, and instead manually create the Certificate resource - ingress-gce will not try and enable TLS on the LB until you manually add this entry again. This will allow the Certificate to be issued. Upon renewal, there will already be an existing secret there, meaning this problem won't be hit again at renew time.

Additional context
This is a regression from v0.5, and whilst it doesn't break existing deployments, it does cause problems for new users deploying v0.6 for the first time.
Environment details (if applicable):
/kind bug
/priority important-soon
/milestone v0.7
/area acme
/area acme/http01
cc @rimusz @ahmetb
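The mitigation proposed in the report (fill `tls.crt` with a self-signed certificate whenever only `tls.key` exists, so ingress-gce sees a complete keypair) as an added example in Go. This is not cert-manager's or ingress-gce's code; it assumes the Secret's data is available as a `map[string][]byte`, and the function names, the placeholder subject and the 24-hour lifetime are illustrative choices. It handles the edge cases a sync loop hits: an already-populated `tls.crt` is left untouched, and a Secret with no key at all is reported as an error rather than silently skipped.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Data keys of a Secret of type kubernetes.io/tls.
const (
	TLSKeyKey  = "tls.key"
	TLSCertKey = "tls.crt"
)

var ErrNoPrivateKey = errors.New("secret has no tls.key entry")

// parsePrivateKey accepts the PEM encodings commonly found in tls.key:
// PKCS#8, PKCS#1 (RSA) and SEC1 (EC).
func parsePrivateKey(pemBytes []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("tls.key is not PEM")
	}
	if k, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
		if s, ok := k.(crypto.Signer); ok {
			return s, nil
		}
		return nil, errors.New("PKCS#8 key cannot sign")
	}
	if k, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return k, nil
	}
	if k, err := x509.ParseECPrivateKey(block.Bytes); err == nil {
		return k, nil
	}
	return nil, errors.New("tls.key is not a supported private key")
}

// EnsurePlaceholderCert (hypothetical name) implements the mitigation proposed
// above: if the Secret holds tls.key but no tls.crt, sign a short-lived, non-CA,
// self-signed certificate with that key and store it as tls.crt. An existing
// tls.crt is never overwritten, so calling this on every sync is safe.
func EnsurePlaceholderCert(data map[string][]byte, dnsNames []string, ttl time.Duration) (bool, error) {
	if len(data[TLSCertKey]) > 0 {
		return false, nil
	}
	if len(data[TLSKeyKey]) == 0 {
		return false, ErrNoPrivateKey
	}
	signer, err := parsePrivateKey(data[TLSKeyKey])
	if err != nil {
		return false, err
	}
	// Random 128-bit serial: placeholder or not, serials must not repeat.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return false, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "cert-manager placeholder (illustrative)"},
		DNSNames:              dnsNames,
		NotBefore:             now.Add(-5 * time.Minute), // tolerate clock skew
		NotAfter:              now.Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false: a leaf, never a CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return false, err
	}
	data[TLSCertKey] = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return true, nil
}

// NewECKeyPEM returns a fresh PKCS#8 P-256 key, standing in for the key that
// v0.6 writes to the Secret before the ACME order has completed.
func NewECKeyPEM() ([]byte, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(k)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}
```

Usage: build the half-populated Secret the report describes (`map[string][]byte{TLSKeyKey: keyPEM}`) and call `EnsurePlaceholderCert(secret, hosts, 24*time.Hour)` before the Ingress sync; the certificate is signed by the very key already in `tls.key`, so the public key in `tls.crt` matches and the pair is coherent until the real ACME certificate replaces it. The certificate is deliberately marked CA:FALSE and given a short lifetime so a forgotten placeholder cannot be mistaken for, or abused as, a trust anchor.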