baarde / cert-manager-webhook-ovh

OVH Webhook for Cert Manager
Apache License 2.0

404 - This service does not exist #15

Open m4dm4rtig4n opened 2 years ago

m4dm4rtig4n commented 2 years ago

Hello,

Since a few minutes ago I have had this error: OVH API call failed: GET /domain/zone/fr/status - Error 404: "This service does not exist"

Any idea why?

m4dm4rtig4n commented 2 years ago

I have reset the cert-manager namespace and now I have this error message: GET /domain/zone/fr/status - Error 400: "Invalid signature"

m4dm4rtig4n commented 2 years ago

I don't understand why it is trying to make an API call with /domain/zone/fr/status instead of my full domain /domain/zone/mydomain.fr/status :/

lambda2 commented 2 years ago

Hello, I have the same problem

m4dm4rtig4n commented 2 years ago

@lambda2 The "Error 400: "Invalid signature"" is linked to an authentication (or rights) problem. Personally, I solved that problem, but now I am back to the 404.

Which is not an error in itself, given that the API does return a 404 on the "/domain/zone/fr/status" calls. Now, I would like to understand why cert-manager calls "/domain/zone/fr/status" instead of "/domain/zone/mydomain.fr/status"

Any idea @baarde?

lambda2 commented 2 years ago

@m4dm4rtig4n I still have the 404 issue, I didn't manage to get to the 400 one 😁

In my case, the error is OVH API call failed: GET /domain/zone/com/status - Error 404: "This service does not exist" instead of your GET /domain/zone/fr/status. Since my domain ends with .com, I suppose it's a parsing/basename issue on the FQDN. Resetting the cert-manager namespace didn't solve the issue

m4dm4rtig4n commented 2 years ago

The 404 error is rather an evolution compared to the 400 (authentication problem), if yours is fixed (well, like mine). Now we have to find out why the FQDN is not parsed correctly :/

m4dm4rtig4n commented 2 years ago

@lambda2 I have posted directly on the cert-manager repository: https://github.com/jetstack/cert-manager/issues/4651

m4dm4rtig4n commented 2 years ago

In fact the problem does not come from the OVH webhook; I have the same problem with the HTTP-01 challenge: Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'

lambda2 commented 2 years ago

Oh, interesting!

m4dm4rtig4n commented 2 years ago

@lambda2 Well, fed up with OVH, I switched my DNS management to CloudFlare and used the native mode of cert-manager. Bye bye the OVH webhook

eburghar commented 2 years ago

I can confirm the bug. certbot generated the certificate correctly from the DNS01 challenge, so I'll manually insert the TLS secret into Kubernetes for now.

Somehow the ResolvedFQDN field of the ChallengeRequest received by the webhook service seems incomplete (it only gets the last part). Something has changed on the OVH side, because neither cert-manager nor the webhook changed in my setup and the last renewal was successful.

eburghar commented 2 years ago

I finally took some time to track down the issue before the expiration of all my certificates. This was a DNS configuration error on my side. For those who also use OPNsense with Unbound DNS and a local zone with the same name as the remote (OVH) zone, be sure to select typetransparent as the local zone type. (Unbound NS/SOA records for private domains)

The symptom is that when you do

dig soa your.domain

you receive an empty response. That's why the last domain component was used as the OVH zone
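The mechanism eburghar describes, as an added example that is not code from the webhook or from cert-manager: a hypothetical re-implementation of the SOA label-stripping zone discovery that runs before the webhook is called, with an injected resolver so it runs offline. `findZone`, the two resolver functions and the name `mydomain.fr` are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// SOAResolver reports whether a name answers with its own SOA record.
// Real code would query DNS; it is injected here so the example runs offline.
type SOAResolver func(name string) bool

// findZone is a hypothetical re-implementation of the label-stripping zone
// discovery performed before the DNS01 webhook is called: ask for an SOA at
// the FQDN, then strip the leftmost label until some name answers.
// The name returned is what ends up in the OVH path /domain/zone/<zone>/status.
func findZone(fqdn string, soa SOAResolver) (string, error) {
	name := strings.TrimSuffix(fqdn, ".")
	for name != "" {
		if soa(name) {
			return name, nil
		}
		idx := strings.IndexByte(name, '.')
		if idx < 0 {
			break
		}
		name = name[idx+1:]
	}
	return "", fmt.Errorf("no SOA found walking up from %q", fqdn)
}

// healthyResolver: constructed sample where the OVH zone answers with an SOA.
func healthyResolver(name string) bool {
	return name == "mydomain.fr" || name == "fr"
}

// shadowedResolver: constructed sample of the Unbound misconfiguration from
// the thread. A local zone of the same name swallows the query and returns an
// empty answer (what `dig soa mydomain.fr` showed), so only the TLD has an SOA.
func shadowedResolver(name string) bool {
	return name == "fr"
}

func main() {
	for label, r := range map[string]SOAResolver{"healthy": healthyResolver, "shadowed": shadowedResolver} {
		zone, err := findZone("_acme-challenge.mydomain.fr.", r)
		fmt.Printf("%-8s zone=%q err=%v\n", label, zone, err) // shadowed case prints zone="fr"
	}
}
```

With the shadowed resolver the walk falls through to the TLD, which is exactly the `/domain/zone/fr/status` (or `/domain/zone/com/status`) call reported above.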