Dopingus / cert-manager-webhook-dynu

Unofficial cert-manager webhook for dynu
Apache License 2.0

Is it possible to set the TTL? #22

Closed 4inn closed 1 year ago

4inn commented 1 year ago

It takes me a while to obtain the certificate, and several times it gives an error. When using Let's Encrypt with other tools such as certbot I have solved this by increasing the TTL, but here I cannot find how to set it, or whether it is implemented; apparently it is fixed at 60s.

Thanks

rbaumgar commented 1 year ago

Can you explain the exact error you get? When? What is your configuration? ...

4inn commented 1 year ago

Sorry for the delay in answering. I use Dynu as a provider, and many times when using certbot or other systems via API I need to increase the waiting time to 120s so that I can solve the challenge.

I currently have another problem: the ClusterIssuer remains in a false state (Ready False).

NAME                  READY   AGE
letsencrypt-prod      False   3m10s
letsencrypt-staging   False   3m17s
Status:
  Acme:
  Conditions:
    Last Transition Time:  2023-06-24T21:06:32Z
    Message:               Failed to register ACME account: Get "https://acme-staging-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 10.96.0.10:53: server misbehaving
    Observed Generation:   1
    Reason:                ErrRegisterACMEAccount
    Status:                False
    Type:                  Ready
Events:
  Type     Reason         Age                   From                         Message
  ----     ------         ----                  ----                         -------
  Warning  ErrInitIssuer  100s (x5 over 3m32s)  cert-manager-clusterissuers  Error initializing issuer: Get "https://acme-staging-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 10.96.0.10:53: server misbehaving

I already did the installation from scratch 3 times to rule out installation problems and I get the same result.

Any ideas?

Thanks!

rbaumgar commented 1 year ago

Can you please explain more about your details? Which Kubernetes, which version, ClusterIssuer definition, logfile ...

I am using Kubernetes 1.26 / OpenShift 4.13

ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email:
    preferredChain: ''
    privateKeySecretRef:
      name: letsencrypt-prod
    server: 'https://acme-v02.api.letsencrypt.org/directory'
    solvers:

and this is from the cert-manager log:

I0625 04:57:42.592711 1 setup.go:111] cert-manager/clusterissuers "msg"="generating acme account private key" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-prod" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-prod" "resource_namespace"="" "resource_version"="v1"
I0625 04:57:42.737144 1 setup.go:221] cert-manager/clusterissuers "msg"="ACME server URL host and ACME private key registration host differ. Re-checking ACME account registration" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-prod" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-prod" "resource_namespace"="" "resource_version"="v1"
I0625 04:57:43.544660 1 setup.go:311] cert-manager/clusterissuers "msg"="verified existing registration with ACME server" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-prod" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-prod" "resource_namespace"="" "resource_version"="v1"
I0625 04:57:43.544741 1 conditions.go:96] Setting lastTransitionTime for Issuer "letsencrypt-prod" condition "Ready" to 2023-06-25 04:57:43.544710147 +0000 UTC m=+311131.536153393
I0625 04:57:43.559067 1 setup.go:204] cert-manager/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-prod" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-prod" "resource_namespace"="" "resource_version"="v1"

4inn commented 1 year ago

Yes, of course. I'll give you what can help!

Versions:

Client Version: v1.27.3
Kustomize Version: v5.0.1
Server Version: v1.27.3

clientVersion:
  buildDate: "2023-06-14T09:53:42Z"
  compiler: gc
  gitCommit: 25b4e43193bcda6c7328a6d147b1fb73a33f1598
  gitTreeState: clean
  gitVersion: v1.27.3
  goVersion: go1.20.5
  major: "1"
  minor: "27"
  platform: linux/amd64
kustomizeVersion: v5.0.1

Describe of ClusterIssuer:

Name:         letsencrypt-staging
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2023-06-25T04:38:31Z
  Generation:          1
  Resource Version:    299569
  UID:                 49aef7c9-27e5-45d5-8a22-99cdae191933
Spec:
  Acme:
    Email:            michel@marroche.com
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-staging
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
    Solvers:
      dns01:
        Cname Strategy:  Follow
        Webhook:
          Config:
            Secret Name:  dynu-secret
          Group Name:     com.github.dopingus.cert-manager-webhook-dynu
          Solver Name:    dynu
Status:
  Acme:
  Conditions:
    Last Transition Time:  2023-06-25T04:38:36Z
    Message:               Failed to register ACME account: Get "https://acme-staging-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 10.96.0.10:53: server misbehaving
    Observed Generation:   1
    Reason:                ErrRegisterACMEAccount
    Status:                False
    Type:                  Ready
Events:
  Type     Reason         Age                    From                         Message
  ----     ------         ----                   ----                         -------
  Warning  ErrInitIssuer  2m40s (x126 over 10h)  cert-manager-clusterissuers  Error initializing issuer: Get "https://acme-staging-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 10.96.0.10:53: server misbehaving

I can't get the issuer (ClusterIssuer) ready, so I never get to the generation of the certificate.

rbaumgar commented 1 year ago

It looks like the DNS server on 10.96.0.10 can't find acme-staging-v02.api.letsencrypt.org. Port 53 is DNS.
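To tell a node-level resolver problem (what the reporter eventually fixed) apart from a CoreDNS problem, the condition message above can be triaged from the shell. This is an added example, not code from the issue or from the webhook project; the sample message is constructed from the thread, and the CoreDNS ConfigMap name and namespace are assumptions about a default cluster.

```shell
#!/bin/sh
# Added example (not from the issue or the webhook project): triage the
# "lookup <host> on <resolver>:53: server misbehaving" ClusterIssuer condition.
# Assumptions: CoreDNS lives in kube-system with a ConfigMap named "coredns";
# kubectl and dig are available where diagnose() is run.

# Constructed sample, copied from the ClusterIssuer condition in this thread.
SAMPLE_MSG='Failed to register ACME account: Get "https://acme-staging-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 10.96.0.10:53: server misbehaving'

# Name that the cluster resolver failed to resolve.
failed_host() {
  printf '%s\n' "$1" | sed -n 's/.*lookup \([^ ]*\) on .*/\1/p'
}

# Resolver IP (port stripped). Go's net package reports a SERVFAIL answer
# from the resolver as "server misbehaving", so this is the resolver to check.
failed_resolver() {
  printf '%s\n' "$1" | sed -n 's/.* on \([^: ]*\):[0-9]*: .*/\1/p'
}

# Returns 0 when the message is a name-resolution failure, 1 otherwise
# (e.g. an ACME "unauthorized" error is not a DNS problem).
is_dns_failure() {
  case "$1" in
    *"server misbehaving"*|*"no such host"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compare resolution through the cluster DNS service with resolution on this
# node, and show where CoreDNS forwards queries. Not run by the test.
diagnose() {
  host=$(failed_host "$1"); resolver=$(failed_resolver "$1")
  echo "== CoreDNS Corefile (look at the 'forward' upstreams) =="
  kubectl -n kube-system get configmap coredns -o jsonpath='{.data.Corefile}'
  echo "== resolve $host inside the cluster via $resolver =="
  kubectl run dns-triage --rm -i --restart=Never --image=busybox:1.36 -- \
    nslookup "$host" "$resolver"
  echo "== resolve $host from this node's own resolver =="
  dig +short "$host"
}

if [ "${1:-}" = "--diagnose" ]; then diagnose "$SAMPLE_MSG"; fi
```

If the in-cluster lookup fails but the node lookup succeeds, CoreDNS's upstream (usually the node's /etc/resolv.conf) is what needs fixing, which matches the outcome later in this thread.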

4inn commented 1 year ago

Hello, I'm sorry, the server is at the moment. I'm going to try to force the DNS exit; I don't know why it tries to resolve it on that IP.

I'll do the tests tonight and let you know.

Thank you!

4inn commented 1 year ago

You are correct, I manually configured the DNS in Ubuntu and it worked!

Now I'm seeing why in staging it generates the certificate quickly but in production it doesn't, or it takes a while.

I'm closing the issue.

Thank you