aureq / cert-manager-webhook-ovh

OVH Webhook for Cert Manager
https://aureq.github.io/cert-manager-webhook-ovh/
Apache License 2.0

Failed to get the DNS challenge working #12

Closed zerr0s closed 1 year ago

zerr0s commented 1 year ago

Hi,

I'm trying to use this webhook to get wildcard certificates from LE and the OVH DNS API. But it gets stuck with these errors:

I0110 19:30:38.311687       1 dns.go:88] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="xxxx.com" "domain"="xxxx.com" "resource_kind"="Challenge" "resource_name"="xxxx.com-tls-bllzj-3833872274-269418431" "resource_namespace"="ns" "resource_version"="v1" "type"="DNS-01"
E0110 19:30:38.317566       1 controller.go:167] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="ovh.xxxx.com is forbidden: User \"system:serviceaccount:cert-manager-system:tf-certmanager-cert-manager-controller\" cannot create resource \"ovh\" in API group \"xxx.com\" at the cluster scope" "key"="ns/xxxx.com-tls-bllzj-3833872274-269418431"

It seems to be a simple RBAC issue, but I don't understand what to do because RBAC has already been set up by the chart.

The values (xxxx is the domain in OVH):

groupName: xxx.com
certManager:
  namespace: cert-manager-system
  serviceAccountName: cert-manager

issuers:
  # Name of this issuer
  - name: le-ovh-staging
    create: true
    kind: ClusterIssuer
    namespace: cert-manager-system
    cnameStrategy: None
    acmeServerUrl: https://acme-staging-v02.api.letsencrypt.org/directory
    email: xxxxxxxx@gmail.com
    ovhEndpointName: ovh-eu
    ovhAuthenticationRef:
      applicationKeyRef:
        name: ovh-credentials
        key: applicationKey
      applicationSecretRef:
        name: ovh-credentials
        key: applicationSecret
      consumerKeyRef:
        name: ovh-credentials
        key: consumerKey

securityContext:
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false

image:
  repository: ghcr.io/aureq/cert-manager-webhook-ovh
  tag: v0.4.1
  pullPolicy: IfNotPresent
  pullSecrets: []

nameOverride: ""
fullnameOverride: ""

# Use this field to add environment variables relevant to this webhook.
# These fields will be passed on to the container when Chart is deployed.
environment:
  # Use these variables to configure the HTTP_PROXY environment variables
  # HTTP_PROXY: "http://proxy:8080"
  # HTTPS_PROXY: "http://proxy:8080"
  # NO_PROXY: "127.0.0.1,localhost,10.0.0.0/8"

# number of replicas in this deployment
replicas: 1

service:
  type: ClusterIP
  port: 443

resources: {}
nodeSelector: {}
tolerations: []
affinity: {}

Any idea please?

zerr0s commented 1 year ago

Hello,

I have uninstalled everything and reinstalled from scratch and it is still not working. What am I doing wrong???

Error presenting challenge: ovh.mydomain.com is forbidden: User "system:serviceaccount:cert-manager-system:tf-certmanager-cert-manager-controller" cannot create resource "ovh" in API group "youshopia.com" at the cluster scope

It seems to be an RBAC problem ...

aureq commented 1 year ago

Are you sure the OVH credentials are correct? And correctly set in ovh-credentials secret?

zerr0s commented 1 year ago

OK, found it. The cert-manager controller was already installed with custom values and the serviceAccountName used by this component was different.

I set the correct serviceAccountName (tf-certmanager-cert-manager-controller) and all is working now!

Maybe an indication in the documentation could help :)

aureq commented 1 year ago

Could you please explain further?

zerr0s commented 1 year ago

My cert-manager controller was deployed using custom values from Terraform and Argo CD. The serviceAccountName used by the controller (not the webhook) was "tf-certmanager-cert-manager-controller".

But in the chart values of the webhook I had put "cert-manager-system". So the controller wasn't able to create any resource in the groupName because there wasn't any binding for "tf-certmanager-cert-manager-controller".

The serviceAccountName of the webhook needs to be the same as the serviceAccountName used by the controller.

And voila (screenshot omitted).
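The root cause above is a mismatch between the service account cert-manager's controller actually runs as and the one the webhook chart binds its ClusterRole to. The script below is an added example, not part of the project or of anyone's comment in this thread: it parses the "forbidden" message the controller logs (a constructed sample shaped like the one in the issue, with example.com standing in for the real groupName), extracts the subject and API group, prints the `kubectl auth can-i` command that reproduces the permission check without waiting for an ACME challenge, and emits the `certManager` values the chart needs so that its binding targets the controller's real service account. The deployment name `cert-manager` in `live_check` is an assumption; adjust it to how your controller is installed.

```shell
#!/bin/sh
# Added example (not the project's code): diagnose the RBAC mismatch from the
# cert-manager "forbidden" error and derive the matching webhook chart values.

# Constructed sample error, shaped like the one in the issue. The API group
# "example.com" stands in for the real groupName.
SAMPLE_ERROR='Error presenting challenge: ovh.mydomain.com is forbidden: User "system:serviceaccount:cert-manager-system:tf-certmanager-cert-manager-controller" cannot create resource "ovh" in API group "example.com" at the cluster scope'

# The subject Kubernetes denied, e.g. system:serviceaccount:<namespace>:<name>.
subject_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*User "\([^"]*\)".*/\1/p'
}

# Split system:serviceaccount:<namespace>:<name> into its parts.
sa_namespace() { printf '%s\n' "$1" | cut -d: -f3; }
sa_name()      { printf '%s\n' "$1" | cut -d: -f4; }

# The verb, resource and API group the controller was denied on.
verb_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*cannot \([a-z]*\) resource "\([^"]*\)".*/\1/p'
}
resource_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*cannot \([a-z]*\) resource "\([^"]*\)".*/\2/p'
}
api_group_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*in API group "\([^"]*\)".*/\1/p'
}

# Build the kubectl command that asks the API server the same question the
# controller failed on, impersonating the controller's service account.
can_i_command() {
  err="$1"
  printf 'kubectl auth can-i %s %s.%s --as=%s\n' \
    "$(verb_from_error "$err")" \
    "$(resource_from_error "$err")" \
    "$(api_group_from_error "$err")" \
    "$(subject_from_error "$err")"
}

# Emit the chart values that make the webhook's ClusterRoleBinding target the
# service account the controller really uses (the fix found in the issue).
helm_values_fix() {
  err="$1"
  subj=$(subject_from_error "$err")
  printf 'groupName: %s\ncertManager:\n  namespace: %s\n  serviceAccountName: %s\n' \
    "$(api_group_from_error "$err")" "$(sa_namespace "$subj")" "$(sa_name "$subj")"
}

# Optional live check (needs cluster access; the deployment name is an
# assumption): compare the SA the controller Deployment runs as with the SA
# configured in the chart's certManager.serviceAccountName.
live_check() {
  ns="$1"; deploy="$2"; chart_sa="$3"
  actual=$(kubectl -n "$ns" get deploy "$deploy" \
    -o jsonpath='{.spec.template.spec.serviceAccountName}') || return 2
  if [ "$actual" = "$chart_sa" ]; then
    echo "OK: controller runs as '$actual', matching the chart value"
  else
    echo "MISMATCH: controller runs as '$actual' but the chart bound '$chart_sa'"
    return 1
  fi
}

echo "Denied subject:   $(subject_from_error "$SAMPLE_ERROR")"
echo "Reproduce check:  $(can_i_command "$SAMPLE_ERROR")"
echo "Chart values that match the controller:"
helm_values_fix "$SAMPLE_ERROR"

# Only attempt the live comparison when kubectl is present.
if command -v kubectl >/dev/null 2>&1; then
  live_check cert-manager-system cert-manager tf-certmanager-cert-manager-controller || true
fi
```

Run it with the real error pasted into `SAMPLE_ERROR`; if the printed `kubectl auth can-i` command answers `no`, the ClusterRoleBinding the chart created is not bound to the subject in the error, which is exactly the situation in this issue.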

aureq commented 1 year ago

Thanks @zerr0s That makes more sense now. I'll update the doc to make it clear that the 2 values need to match.