Error presenting challenge: the server is currently unable to handle the request #6

Closed
simiwe opened this issue Apr 30, 2020 · 9 comments

simiwe commented Apr 30, 2020

ClusterIssuer:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Change to your letsencrypt email
    email: xx@aa.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: spoil-twinkle-rob-therein
    solvers:
    - dns01:
        webhook:
          groupName: acme.yourcompany.com
          solverName: alidns
          config:
            region: ""
            accessKeySecretRef:
              name: alidns-secret
              key: access-key
            secretKeySecretRef:
              name: alidns-secret
              key: secret-key

kubectl describe challenges.acme.cert-manager.io

...
Status:
  Presented:   false
  Processing:  true
  Reason:      the server is currently unable to handle the request (post alidns.acme.yourcompany.com)
  State:       pending
Events:
  Type     Reason        Age               From          Message
  ----     ------        ----              ----          -------
  Normal   Started       10s               cert-manager  Challenge scheduled for processing
  Warning  PresentError  5s (x3 over 10s)  cert-manager  Error presenting challenge: the server is currently unable to handle the request (post alidns.acme.yourcompany.com)

kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:16:51Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"17+", GitVersion:"v1.17.4-gke.10", GitCommit:"302b55804ee4a09c6ad5be81a380a3f333f72fcf", GitTreeState:"clean", BuildDate:"2020-04-14T17:30:11Z", GoVersion:"go1.13.8b4", Compiler:"gc", Platform:"linux/amd64"}

cert-manager is v0.14.1.

How to set the groupName?

Author

simiwe commented Apr 30, 2020

When I set the groupName to xxx.com, I got the following error message:

alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope

Status:
  Presented:   false
  Processing:  true
  Reason:      alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope
  State:       pending
Events:
  Type     Reason        Age               From          Message
  ----     ------        ----              ----          -------
  Normal   Started       11s               cert-manager  Challenge scheduled for processing
  Warning  PresentError  6s (x3 over 11s)  cert-manager  Error presenting challenge: alidns.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns" in API group "xxx.com" at the cluster scope

Owner

pragkent commented May 8, 2020

Hi simicn,

GroupName should be set the same as group names of CRDs in bundle.yaml. So if you changed groupName to xxx.com, you also need to change bundle.yaml.

For the first question, please check the log of the alidns-webhook pod; it might be caused by a wrong alicloud access key or letsencrypt account.

Author

simiwe commented May 8, 2020

> Hi simicn,
>
> GroupName should be set the same as group names of CRDs in bundle.yaml. So if you changed groupName to xxx.com, you also need to change bundle.yaml.
>
> For the first question, please check the log of the alidns-webhook pod; it might be caused by a wrong alicloud access key or letsencrypt account.

Thanks for your help

simiwe closed this as completed May 8, 2020

@kaelzhang

I set the groupName of the ClusterIssuer as 'xxx.com' and also changed all occurrences of groupName in bundle.yml, but I still got a similar error:

Error presenting challenge: the server is currently unable to handle the request (post alidns.xxx.com)

Was the request of post alidns.xxx.com sent by cert-manager itself?

@pragkent
Owner

> I set the groupName of the ClusterIssuer as 'xxx.com' and also changed all occurrences of groupName in bundle.yml, but I still got a similar error:
>
> Error presenting challenge: the server is currently unable to handle the request (post alidns.xxx.com)
>
> Was the request of post alidns.xxx.com sent by cert-manager itself?

@kaelzhang Please check the log of the alidns-webhook pod; it might be caused by a wrong alicloud access key or letsencrypt account.


kaelzhang commented Nov 23, 2020

Thanks for your reply.

It seems cert-manager eats all logs, and I could only see the logs of RunWebhookServer but no logs of the webhook.

Or is there anywhere else I could check the logs, or how can I turn on log output?

@pragkent
Owner

Please check the metadata.name of the APIService resource for the webhook.
If you changed the group name, you have to change the apiservice resource name in bundle.yml.
If you haven't set the apiservice name properly, you can find some error logs in the kube-apiserver logs.
Please refer to the k8s API extension document for more information.

apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.acme.yourcompany.com
  labels:
    app: alidns-webhook
  annotations:
    cert-manager.io/inject-ca-from: "cert-manager/alidns-webhook-webhook-tls"
spec:
  group: acme.yourcompany.com
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: alidns-webhook
    namespace: cert-manager
  version: v1alpha1

@kaelzhang

I had changed metadata.name & spec.group of APIService, container.env.GROUP_NAME of deployment, and apiGroups.0 of ClusterRole in bundle.yml before I saw the Error presenting challenge
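
The fields this thread says must carry the same group name (the ClusterIssuer's groupName, the APIService's metadata.name and spec.group, the Deployment's GROUP_NAME and the ClusterRole's apiGroups) can be cross-checked mechanically. The following is an added example, not part of the thread or the project's code; the dict shapes mirror `kubectl get ... -o json` output, and the sample objects, the ClusterRole rule layout and the function names are constructed assumptions.

```python
# Added example. Inputs are dicts shaped like `kubectl get <kind> -o json` output.
def check_group_consistency(issuer, apiservice, deployment, clusterrole):
    """Return a list of mismatches; an empty list means the objects agree."""
    problems = []
    spec, name = apiservice["spec"], apiservice["metadata"]["name"]
    containers = deployment["spec"]["template"]["spec"]["containers"]
    env = {e["name"]: e.get("value") for c in containers for e in c.get("env", [])}

    def covers(rule, key, want):
        # An RBAC rule matches on the exact value or on the "*" wildcard.
        return want in rule.get(key, []) or "*" in rule.get(key, [])

    for solver in issuer["spec"]["acme"]["solvers"]:
        webhook = solver.get("dns01", {}).get("webhook")
        if not webhook:
            continue  # not a webhook solver
        group, resource = webhook["groupName"], webhook["solverName"]
        # APIService: spec.group is the group, metadata.name is <version>.<group>.
        if spec["group"] != group:
            problems.append(f"APIService spec.group {spec['group']!r} != {group!r}")
        expected = f"{spec['version']}.{group}"
        if name != expected:
            problems.append(f"APIService metadata.name {name!r} != {expected!r}")
        # Webhook Deployment: GROUP_NAME environment variable.
        if env.get("GROUP_NAME") != group:
            problems.append(f"GROUP_NAME env {env.get('GROUP_NAME')!r} != {group!r}")
        # ClusterRole: must allow "create" on <solverName> in <groupName>.
        if not any(covers(r, "apiGroups", group) and covers(r, "resources", resource)
                   and covers(r, "verbs", "create") for r in clusterrole.get("rules", [])):
            problems.append(f"ClusterRole does not allow create on {resource!r} in {group!r}")
    return problems

def sample_issuer(group):
    """Constructed ClusterIssuer fragment using `group`."""
    return {"spec": {"acme": {"solvers": [
        {"dns01": {"webhook": {"groupName": group, "solverName": "alidns"}}}]}}}

def sample_bundle(group):
    """Constructed APIService, Deployment and ClusterRole (assumed shapes)."""
    apiservice = {"metadata": {"name": f"v1alpha1.{group}"},
                  "spec": {"group": group, "version": "v1alpha1"}}
    deployment = {"spec": {"template": {"spec": {"containers": [
        {"name": "alidns-webhook", "env": [{"name": "GROUP_NAME", "value": group}]}]}}}}
    clusterrole = {"rules": [{"apiGroups": [group], "resources": ["alidns"], "verbs": ["create"]}]}
    return apiservice, deployment, clusterrole

if __name__ == "__main__":
    # Issuer changed to xxx.com while the bundle still uses the default group.
    for p in check_group_consistency(sample_issuer("xxx.com"), *sample_bundle("acme.yourcompany.com")):
        print("MISMATCH:", p)
```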

@pragkent
Owner

Could you please upload your bundle.yml here?
