Closed rbaumgar closed 2 years ago
Hello Robert,
This looks like a permission issue with the service account used for the hook. It looks like the service account used is not allowed to create resources at cluster scope.
Unfortunately, my clusters are all set up without (correct/useful) RBAC, so my knowledge here is limited. Can you please try to assign a ClusterRole with the required permissions to service account "system:serviceaccount:openshift-operators:cert-manager"? (I am not sure which permissions are needed exactly though.)
Regarding the crd: I'm also not sure which CRD is used to manage these API groups. (EDIT: apiGroups refers to apiGroups in ClusterRoles)
This issue here looks similar to your error: https://github.com/jetstack/cert-manager/issues/3432
I also ran into problems when using Issuer. Maybe this resource is causing an issue.
There is no Issuer resource (apart from the ones deployed by cert-manager) running in my clusters.
After researching a bit more the cause seems to be the following Cluster Role: dynu-webhook:domain-solver
I suspect that this role might have been created incorrectly/incompletely from the Helm template.
Can you please attach the definition of that cluster role?
After applying the cluster-admin role to the SA cert-manager I get another error:
I1029 07:11:41.917257 1 setup.go:202] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="acme-secret" "related_resource_namespace"="openshift-operators" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-dynu-demo" "resource_namespace"="" "resource_version"="v1"
I1029 07:11:41.933442 1 setup.go:202] cert-manager/controller/issuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-issuer" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="letsencrypt-issuer" "resource_namespace"="cert-manager" "resource_version"="v1"
I1029 07:11:43.361469 1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-8q5pp-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E1029 07:11:43.368712 1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="the server could not find the requested resource (post dynu.dynu-webhook-1635453893)" "key"="cert-manager/demo-certificate-8q5pp-4023394078-3266066746"
I1029 07:11:53.376339 1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-8q5pp-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E
A POST request to https://{{hostname}}:{{port}}/apis/acme.freeddns.org/v1alpha1/dynu gives
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "the object provided is unrecognized (must be of type ChallengePayload): couldn't get version/kind; json parse error: unexpected end of JSON input (<empty>)",
"reason": "BadRequest",
"code": 400
}
So it looks like the webhook is working but with a little different name (?)...
So I was able to fix the problem with the name by changing the groupname in the issuer/clusterissuer to the name specified in the helm install... But still have an error in the cainjector pod:
E1101 22:15:48.510753 1 sources.go:201] cert-manager/secret/customresourcedefinition/generic-inject-reconciler "msg"="unable to fetch associated secret" "error"="Secret \"cert-manager-webhook-ca\" not found" "resource_kind"="CustomResourceDefinition" "resource_name"="certificaterequests.cert-manager.io" "resource_namespace"="" "resource_version"="v1" "secret"={"Namespace":"cert-manager","Name":"cert-manager-webhook-ca"}
I1101 22:15:48.510788 1 controller.go:166] cert-manager/secret/customresourcedefinition/generic-inject-reconciler "msg"="could not find any ca data in data source for target" "resource_kind"="CustomResourceDefinition" "resource_name"="certificaterequests.cert-manager.io" "resource_namespace"="" "resource_version"="v1"
Shouldn't this point to my existing secrets?
dynu-webhook-1635504520-ca True dynu-webhook-1635504520-ca 3d20h
dynu-webhook-1635504520-webhook-tls True dynu-webhook-1635504520-webhook-tls 3d20h
Problem solved: wrong groupName in the ClusterIssuer, the correct one is from the "helm install..." output.
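The two mismatches this thread ran into (a ClusterIssuer groupName that no APIService serves, and a domain-solver ClusterRole whose apiGroups do not cover that group) can be checked offline before cert-manager logs a "could not find the requested resource" error. The diagnostic below is an added example, not code from the dynu webhook project or cert-manager; the objects are constructed samples shaped like the real API objects, and "wrong.example.org" is a placeholder for a mistyped groupName, not the value from the thread.

```python
# Added diagnostic (not from the dynu webhook project or cert-manager).
# Checks each webhook solver of a ClusterIssuer against the APIServices the
# webhook registered and the ClusterRole that lets cert-manager POST to it.

def _rule_allows(rule, group, resource):
    """True if an RBAC rule grants 'create' on <resource> in apiGroup <group>."""
    return (group in rule.get("apiGroups", [])
            and resource in rule.get("resources", [])
            and "create" in rule.get("verbs", []))

def solver_findings(issuer, apiservices, clusterroles):
    """Return a list of human-readable problems for the issuer's webhook solvers."""
    findings = []
    registered = {svc["metadata"]["name"] for svc in apiservices}
    for solver in issuer["spec"]["acme"]["solvers"]:
        webhook = solver.get("dns01", {}).get("webhook")
        if not webhook:
            continue  # http01 or built-in dns01 providers are not checked here
        group, name = webhook["groupName"], webhook["solverName"]
        # cert-manager POSTs to /apis/<groupName>/v1alpha1/<solverName>, so an
        # APIService named v1alpha1.<groupName> must exist for that group.
        api_name = f"v1alpha1.{group}"
        if api_name not in registered:
            findings.append(f"no APIService {api_name}: a POST would fail with "
                            f"'could not find the requested resource (post {name}.{group})'")
        # The domain-solver ClusterRole must grant create on <solverName> in <groupName>;
        # its apiGroups entry is what has to match the issuer's groupName.
        if not any(_rule_allows(rule, group, name)
                   for cr in clusterroles for rule in cr.get("rules", [])):
            findings.append(f"no ClusterRole rule grants create on {name} in apiGroup {group}")
    return findings

# Constructed samples mirroring the thread: the webhook registers acme.freeddns.org
# and ships a ClusterRole named dynu-webhook:domain-solver for that group.
API_SERVICES = [{"metadata": {"name": "v1alpha1.acme.freeddns.org"}}]
DOMAIN_SOLVER_ROLE = {
    "metadata": {"name": "dynu-webhook:domain-solver"},
    "rules": [{"apiGroups": ["acme.freeddns.org"], "resources": ["dynu"], "verbs": ["create"]}],
}

def make_issuer(group_name):
    """Minimal ClusterIssuer with one dynu webhook solver using the given groupName."""
    return {"spec": {"acme": {"solvers": [
        {"dns01": {"webhook": {"groupName": group_name, "solverName": "dynu"}}}]}}}

if __name__ == "__main__":
    for group in ("acme.freeddns.org", "wrong.example.org"):  # second one is a placeholder
        print(group, solver_findings(make_issuer(group), API_SERVICES, [DOMAIN_SOLVER_ROLE]))
```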
Thanks for sticking with it until you fixed it!
I installed cert-manager 0.16
then I installed the dynu webhook (just changed the port to 10250)
I created an issuer
I created a ClusterIssuer
at least one certificate
Now I got an error in the cert-manager
But I do NOT find any resource (CRD?) dynu! Any hint?