Failed to verify ACME account #641

Closed
scher200 opened this issue Jun 8, 2018 · 9 comments

@scher200
commented Jun 8, 2018

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug

/kind feature

I deployed cert-manager with helm like this:

What happened:
The result of my deployment was like this:

Name:         letsencrypt-prod
Namespace:    
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":""},"spec":{"acme...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         ClusterIssuer
Metadata:
  Cluster Name:        
  Creation Timestamp:  2018-06-08T09:09:04Z
  Generation:          1
  Resource Version:    13377
Spec:
  Acme:
    Email:  test@test.de
    Http 01:
    Private Key Secret Ref:
      Key:   
      Name:  letsencrypt-prod
    Server:  https://acme-v01.api.letsencrypt.org/directory
Status:
  Conditions:
    Last Transition Time:  2018-06-08T09:09:04Z
    Message:               Failed to verify ACME account: Get https://acme-v01.api.letsencrypt.org/directory: x509: certificate is valid for ingress.local, not acme-v01.api.letsencrypt.org
    Reason:                ErrRegisterACMEAccount
    Status:                False
    Type:                  Ready
Events:
  Type     Reason                Age                 From                     Message
  ----     ------                ----                ----                     -------
  Warning  ErrInitIssuer         20m (x12 over 21m)  cert-manager             Error initializing issuer: Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate is valid for ingress.local, not acme-v02.api.letsencrypt.org
  Warning  ErrVerifyACMEAccount  10m (x16 over 21m)  cert-manager             Failed to verify ACME account: Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate is valid for ingress.local, not acme-v02.api.letsencrypt.org
  Warning  ErrInitIssuer         2m (x12 over 2m)    cert-manager-controller  Error initializing issuer: Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate is valid for ingress.local, not acme-v02.api.letsencrypt.org
  Warning  ErrVerifyACMEAccount  2m (x13 over 2m)    cert-manager-controller  Failed to verify ACME account: Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate is valid for ingress.local, not acme-v02.api.letsencrypt.org
  Warning  ErrVerifyACMEAccount  4s (x3 over 1m)     cert-manager-controller  Failed to verify ACME account: Get https://acme-v01.api.letsencrypt.org/directory: x509: certificate is valid for ingress.local, not acme-v01.api.letsencrypt.org
  Warning  ErrInitIssuer         4s (x3 over 1m)     cert-manager-controller  Error initializing issuer: Get https://acme-v01.api.letsencrypt.org/directory: x509: certificate is valid for ingress.local, not acme-v01.api.letsencrypt.org

What you expected to happen:
that all ran well just as on my other servers

How to reproduce it (as minimally and precisely as possible):
I ran the following helm commands (tried also with --set image.tag=v0.2.4 on cert-manager too):

helm install --namespace kube-system --name nginx-ingress stable/nginx-ingress --set rbac.create=false --set controller.hostNetwork=true
sleep 10
kubectl apply -f ./yaml/letsencrypt-prod.yaml
sleep 10
helm upgrade cert-manager --set rbac.create=false --set ingressShim.extraArgs='{--default-issuer-name=letsencrypt-prod,--default-issuer-kind=ClusterIssuer}' --namespace kube-system stable/cert-manager

the content of letsencrypt-prod.yaml is:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v01.api.letsencrypt.org/directory
    email: test@test.de
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:17:39Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:05:37Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64
  • Cloud provider or hardware configuration:
homeserver
  • Install tools:
microk8s
  • Others:
@tcassaert

commented Jun 25, 2018

@scher200, did you manage to solve this issue? I'm currently running into the exact same error message.

@scher200

Author

commented Jun 25, 2018

I got around it by using kubeadm, although it was quite rough too!
First changed my DNS in /etc/resolv.conf to 8.8.8.8 (or in network configuration)
This made me pull the images again.
Then I got other troubles and left microk8s for kubeadm.
This again made me remove all search ... lines from /etc/resolv.conf but then it instantly started working nicely!
Maybe microk8s would have worked by then too, but I wouldn't know..

@scher200

Author

commented Jun 25, 2018

@tcassaert by the way if you like to use kubeadm you can have my winning starting command:
First I installed kubelet and started/enabled it, see more -> https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/
Then ran the winning kubeadm command:

kubeadm init --apiserver-cert-extra-sans="mydomainhere.com" --pod-network-cidr="10.244.0.0/16" --service-cidr="10.96.0.0/12" --apiserver-advertise-address="0.0.0.0"

(configured kubectl as in the kubeadm example)
used flannel for networking:

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/v0.10.0/Documentation/kube-flannel.yml

and tainted my single master as node too:

kubectl taint nodes --all node-role.kubernetes.io/master-
@tcassaert

commented Jun 25, 2018

@scher200 Thanks a lot for your quick answer. Unfortunately I used Kubespray and I can't really use kubeadm. Will have to find some other way to fix it.

@scher200

Author

commented Jun 26, 2018

Yes kubespray is great!
@tcassaert can you tell me what you do to persist your cluster if one master falls down within your kubespray cluster?

@tcassaert

commented Jun 26, 2018

I would love to talk more to you about it, but maybe we shouldn't do that in this issue as that would lead us too far. We could continue the conversation in the Kubernetes Slack.

@scher200

Author

commented Jun 26, 2018

@munnerz

Member

commented Jun 29, 2018

It seems like you have some strange DNS configuration going on, as the Let's Encrypt API URLs seem to be resolving to an address that points to your ingress controller. I'm not too sure exactly what's happened here, but it does not seem like an issue with cert-manager itself to me.

I'm going to close this to keep the issue board clear, and would advise you jump onto the #cert-manager channel in the Kubernetes slack so we can dig into your issues!

@munnerz munnerz closed this Jun 29, 2018

@scher200

Author

commented Jun 29, 2018

yes you are right @munnerz.
It was about DNS and not cert-manager
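
One way a `search` line in /etc/resolv.conf can produce the x509 mismatch reported in this issue, as an added example that is not from the thread or from cert-manager: it models glibc-style search-list expansion and lists the names tried before the real Let's Encrypt hostname. The resolv.conf content, the `home.example` search domain, the nameserver address and `ndots:5` are constructed assumptions; the two event messages are taken from the issue.

```python
import re

# Constructed sample: pod-style resolv.conf with a host-inherited search domain.
RESOLV_CONF = """\
nameserver 10.96.0.10
search kube-system.svc.cluster.local svc.cluster.local cluster.local home.example
options ndots:5
"""
# Two event messages as they appear in the issue's describe output.
EVENTS = """\
Error initializing issuer: Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate is valid for ingress.local, not acme-v02.api.letsencrypt.org
Failed to verify ACME account: Get https://acme-v01.api.letsencrypt.org/directory: x509: certificate is valid for ingress.local, not acme-v01.api.letsencrypt.org
"""
X509_RE = re.compile(r"x509: certificate is valid for (\S+), not (\S+)")


def parse_resolv_conf(text):
    """Return (search_domains, ndots); last `search` line wins, ndots defaults to 1."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] == "search":
            search = fields[1:]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def candidate_queries(name, text):
    """Names a glibc-style stub resolver tries, in order, for `name`."""
    if name.endswith("."):  # trailing dot: absolute name, search list skipped
        return [name]
    search, ndots = parse_resolv_conf(text)
    expanded = [f"{name}.{d}" for d in search]
    return [name] + expanded if name.count(".") >= ndots else expanded + [name]


def diagnose(events, text):
    """Map each mismatched host to (presented cert name, names tried before it)."""
    report = {}
    for cert_name, wanted in X509_RE.findall(events):
        queries = candidate_queries(wanted, text)
        report[wanted] = (cert_name, queries[: queries.index(wanted)])
    return report
```

If any name in the "tried before" list resolves (for example through a wildcard record on a search domain), the client connects to that address and sees whatever certificate is served there instead of the ACME server's.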
