Issue with switching from LE staging to LE prod: 403 urn:acme:error:unauthorized: No registration exists matching provided key" #160
Comments
I actually started from scratch, and when I use
The moment I switch to staging back and restart the kube-lego pod (and change nothing else!), bam!, it succeeds:
I enabled
Weird enough, this http://n.alp.im/.well-known/acme-challenge/_selftest thing works just fine on my machine and on a separate container:
I have no idea why
Kube-Lego keeps some LE account data in a secret, and when switching the end points I needed to reset (aka remove) that secret.
This seems like a case where your client is using an account key that was registered with the staging environment with the production environment. Accounts are not portable across Let's Encrypt staging & production; they are entirely separate systems.
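Added illustration, not part of any comment in this thread and not code from kube-lego or Let's Encrypt: a toy model of the point above, in which each ACME environment keeps its own account database and a key registered with staging is unknown to production. The names AcmeEndpoint and account_for, the two sample keys, the staging directory URL, and the choice to index accounts by RFC 7638 JWK thumbprint are all assumptions of this sketch.

```python
import base64
import hashlib
import json

STAGING = "https://acme-staging.api.letsencrypt.org/directory"
PROD = "https://acme-v01.api.letsencrypt.org/directory"

# Constructed account keys: x/y are sample strings, not real curve points.
KEY_A = {"kty": "EC", "crv": "P-256", "x": "c3RhZ2luZy1rZXkteA", "y": "c3RhZ2luZy1rZXkteQ"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "cHJvZC1rZXkteA", "y": "cHJvZC1rZXkteQ"}


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 of the required members, sorted, no whitespace."""
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AcmeEndpoint:
    """Toy model of one ACME environment with its own account database."""

    def __init__(self, directory_url):
        self.directory_url = directory_url
        self.registrations = set()  # thumbprints of registered account keys

    def new_reg(self, jwk):
        self.registrations.add(jwk_thumbprint(jwk))
        return 201, {"status": "valid"}

    def new_authz(self, jwk):
        # A key this environment has never seen gets the error from the issue.
        if jwk_thumbprint(jwk) not in self.registrations:
            return 403, {"type": "urn:acme:error:unauthorized",
                         "detail": "No registration exists matching provided key"}
        return 201, {"status": "pending"}


def account_for(endpoint, stored, fresh_key):
    """Reuse the stored account only if it was registered at this endpoint;
    otherwise register fresh_key there and return the new account record."""
    if stored and stored["directory_url"] == endpoint.directory_url:
        return stored
    endpoint.new_reg(fresh_key)
    return {"directory_url": endpoint.directory_url, "jwk": fresh_key}
```

Recording the directory URL next to the stored account key is what lets a client notice an endpoint switch and register again instead of replaying a key the new environment has never seen.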
@cpu I am not aware what an account key is. Is it my email address? Is it some secret resource that I should delete? Since I'm a user of this project and not low level LE concepts, I have no idea how to fix this problem. Any pointers are appreciated.
@ahmetb I'm sorry I can't help more directly. I'm coming at the problem from the other end with no experience with the project and only understanding of the low level concepts. I hope a maintainer/user can help you figure out a concrete solution.
OK I figured this out. Turns out when you start a Keeping this issue open as it's not documented anywhere and figuring this out requires a somewhat non-beginner understanding of how things work (which, it shouldn't). Ideally if switching between LE endpoints requires deleting the
Indeed. Note also #125 - pretty much the same issue.
Looks like it's now documented at https://github.com/jetstack/kube-lego#run-kube-lego
I was able to successfully follow the examples/gce/README.md on Google Container Engine and have my container serving with Fake LE Root X1 CA. I saw that the Kubernetes secret was created fine too.
Then I decided to switch from LE staging to LE prod. Here's what I did and at the end you'll see the continuous error from kube-lego:
- kubectl delete secret echoserver-tls
- kubectl edit configmap/kube-lego -n kube-lego: https://acme-v01.api.letsencrypt.org/directory, save, exit
- kubectl delete pods --all -n kube-lego so that new config map values get picked up
- kube-lego container started.
- kube-lego container, see repeated error:
Am I doing something wrong?