aureq / cert-manager-webhook-ovh

OVH Webhook for Cert Manager
https://aureq.github.io/cert-manager-webhook-ovh/
Apache License 2.0

cert-manager and HTTP01 challenges #31

Closed bmassemin closed 12 months ago

bmassemin commented 1 year ago

What happened?

I was looking at the ingress-nginx access log, and I noticed that cert-manager was trying to make HTTP calls on the .well-known URLs.

[IP REDACTED] - - [30/Sep/2023:10:59:04 +0000] "GET /.well-known/acme-challenge/t859ZHbfYQ95VzcuTLtQtQJDoX4Jt0yYwVf2gI4wT4Y HTTP/1.1" 404 351 "http://[REDACTED]/.well-known/acme-challenge/t859ZHbfYQ95VzcuTLtQtQJDoX4Jt0yYwVf2gI4wT4Y" "cert-manager-challenges/v1.8.0 (linux/amd64) cert-manager/e466a521bc5455def8c224599c6edcd37e86410c" 355 0.024 [REDACTED-80] [] [REDACTED]:80 351 0.023 404 8c13f4965af6e55454a8f036c02a0c41

Expected Behavior

I was thinking that cert-manager-webhook-ovh would only use DNS01 challenges, and the HTTP challenges are failing since the ingress is not created by cert-manager (I guess?)

Steps to reproduce

here is my helmfile:

  - name: cert-manager
    namespace: cert-manager
    chart: jetstack/cert-manager
    version: v1.13.1
    values:
      - installCRDs: true
  - name: cm-webhook-ovh
    namespace: cert-manager
    chart: cert-manager-webhook-ovh-charts/cert-manager-webhook-ovh
    version: 0.5.0
    values:
      - groupName: [REDACTED]
      - issuers:
          - name: [REDACTED]
            create: true
            kind: ClusterIssuer
            namespace: cert-manager
            cnameStrategy: None
            acmeServerUrl: https://acme-v02.api.letsencrypt.org/directory
            email: [REDACTED]
            ovhEndpointName: ovh-eu
            ovhAuthenticationRef:
              applicationKeyRef:
                name: ovh-credentials
                key: applicationKey
              applicationSecretRef:
                name: ovh-credentials
                key: applicationSecret
              consumerKeyRef:
                name: ovh-credentials
                key: consumerKey

and the status of the Certificate resource:

status:
  conditions:
    - lastTransitionTime: '2023-09-14T22:31:52Z'
      message: Certificate is up to date and has not expired
      observedGeneration: 2
      reason: Ready
      status: 'True'
      type: Ready
  notAfter: '2023-12-13T21:31:50Z'
  notBefore: '2023-09-14T21:31:51Z'
  renewalTime: '2023-11-13T21:31:50Z'
  revision: 1

Versions in use

0.5.0

Additional context

K8S 1.25

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
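As an added example (not code from the issue or from the webhook project), the following Python snippet triages ingress-nginx access-log lines like the one quoted above: it picks out requests for `/.well-known/acme-challenge/` tokens and separates cert-manager's own self-check probes (user agent starting with `cert-manager-challenges/`) from external validation requests. The sample log lines, IPs, hosts and tokens are constructed. Repeated 404 self-checks of this kind mean cert-manager is running an HTTP-01 solver for an Order, which a DNS-01-only webhook cannot serve.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Leading fields of the default ingress-nginx access-log layout; the
# trailing upstream fields are not needed for this check.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
ACME_PATH_RE = re.compile(r'^/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)$')

# Constructed sample lines modelled on the one in the issue (not real traffic).
SAMPLE_LOG = [
    '10.42.0.7 - - [30/Sep/2023:10:59:04 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 404 351 '
    '"http://example.test/.well-known/acme-challenge/tokenAAA" '
    '"cert-manager-challenges/v1.8.0 (linux/amd64) cert-manager/e466a521" 355 0.024 [example-80] [] 10.42.1.3:80 351 0.023 404 8c13f4',
    '203.0.113.5 - - [30/Sep/2023:10:59:05 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 404 351 "-" '
    '"Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)" 240 0.010 [example-80] [] 10.42.1.3:80 351 0.009 404 9d2e1a',
    '198.51.100.9 - - [30/Sep/2023:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0.1" 90 0.003 [example-80] [] 10.42.1.3:80 1024 0.003 200 1b3c5d',
    'not an access log line at all',
]

@dataclass(frozen=True)
class ChallengeProbe:
    time: str
    token: str
    status: int
    source: str  # "cert-manager-selfcheck" or "external"

def classify_probe(line: str):
    """Return a ChallengeProbe for an HTTP-01 challenge GET, or None for anything else."""
    m = LOG_RE.match(line)
    if not m or m['method'] != 'GET':
        return None
    p = ACME_PATH_RE.match(m['path'])
    if not p:
        return None
    source = 'cert-manager-selfcheck' if m['agent'].startswith('cert-manager-challenges/') else 'external'
    return ChallengeProbe(m['time'], p['token'], int(m['status']), source)

def summarize(lines):
    """Count challenge probes by (source, outcome) and collect the tokens seen."""
    counts, tokens = Counter(), set()
    for probe in filter(None, map(classify_probe, lines)):
        counts[(probe.source, 'ok' if 200 <= probe.status < 300 else 'failed')] += 1
        tokens.add(probe.token)
    return counts, tokens

def diagnose(counts):
    """Failed self-checks: an HTTP-01 solver is selected for the Order but nothing serves the token."""
    if counts[('cert-manager-selfcheck', 'failed')]:
        return 'http01-solver-active-but-unserved'
    if counts[('cert-manager-selfcheck', 'ok')]:
        return 'http01-solver-active'
    return 'no-http01-activity'
```

Run it against the real ingress-nginx log (one line per list element) instead of `SAMPLE_LOG`; a result of `http01-solver-active-but-unserved` means the Issuer or Certificate is selecting an HTTP-01 solver rather than the webhook's DNS-01 solver.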

aureq commented 1 year ago

Yes, this webhook only supports DNS01. Looking at the way you have deployed it (via a subchart), I'm not 100% sure if the deployment was actually done correctly. Seems like it is missing some data too.

I'd recommend the following

aureq commented 12 months ago

closing due to inactivity