deyaeddin / cert-manager-webhook-hetzner

cert-manager webhook for Hetzner DNS Public API (1.1.1)
https://dns.hetzner.com/api-docs
Apache License 2.0
7 stars, 4 forks

Error presenting challenge - Forbidden #64

Open fmendez89 opened 3 years ago

fmendez89 commented 3 years ago

Hi, I'm getting this error on the Challenge object

Error presenting challenge: hetzner.acme.example.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "hetzner" in API group "acme.example.com" at the cluster scope

Am I missing something about permissions?

The configuration is this below:

apiVersion: v1
kind: Secret
metadata:
  name: hetzner-secret-app
type: Opaque
data:
  api-key: XXXXXXXBASE64XXXXX=
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-app
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: info@example.com
    privateKeySecretRef:
      name: letsencrypt-staging-app
    solvers:
      - dns01:
          webhook:
            groupName: acme.example.com
            solverName: hetzner
            config:
              secretName: hetzner-secret-app
              zoneName: example.com.
              apiUrl: https://dns.hetzner.com/api/v1
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-staging
  namespace: cert-manager
spec:
  commonName: example.com
  dnsNames:
    - example.com
  issuerRef:
    name: letsencrypt-staging-app
    kind: ClusterIssuer
  secretName: cert-staging

deyaeddin commented 3 years ago

Hi @fmendez89, you cannot use example.com; you need to use a real domain record.

fmendez89 commented 3 years ago

I'm using my current domain; that was just for masking the real one.

Probably I will try again because I solved a problem I had with the CNI.

3deep5me commented 1 year ago

same issue here:

  Warning  PresentError  15s (x3 over 20s)  cert-manager-challenges  Error presenting challenge: unable to get secret `cert-manager`; unable to get secret `dns-config/cert-manager`; secrets "dns-config" is forbidden: User "system:serviceaccount:cert-manager:cert-manager-cert-manager-webhook-hetzner" cannot get resource "secrets" in API group "" in the namespace "cert-manager"

can-i test:

$ kubectl auth can-i get secrets --as=system:serviceaccount:cert-manager:cert-manager-cert-manager-webhook-hetzner
no

Could there be something wrong with the template rendering? Are you open to a PR? Then I would investigate more.
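Both errors in this thread are RBAC denials, and they hit two different service accounts: the first (fmendez89's) denies cert-manager's own service account `create` on the solver resource `hetzner` in the webhook API group `acme.example.com`; the second (3deep5me's) denies the webhook's service account `get` on the secret `dns-config` in the `cert-manager` namespace. The manifests below are an added example, not code from this repository or from either commenter, showing the minimal grants that satisfy each denial. Every name in them is an assumption lifted from the error messages and the ClusterIssuer above: the service account names, the group `acme.example.com`, the solver name `hetzner` and the secret name `dns-config`; adjust them to the deployment being fixed.

```yaml
# Added example, not part of the thread or the repository. All names are
# assumptions taken from the error messages quoted above:
#   cert-manager's SA:   system:serviceaccount:cert-manager:cert-manager
#   the webhook's SA:    system:serviceaccount:cert-manager:cert-manager-cert-manager-webhook-hetzner
#   webhook API group:   acme.example.com  (the issuer's groupName)
#   config secret:       dns-config        (in the cert-manager namespace)

# 1) First error: cert-manager must be allowed to *create* the solver resource
#    in the webhook's API group, at cluster scope. The apiGroups entry has to be
#    the same groupName the webhook itself was deployed with; a mismatch between
#    the issuer's groupName and the deployed webhook's group produces exactly this
#    "cannot create resource ... at the cluster scope" denial.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook-hetzner:domain-solver
rules:
  - apiGroups: ["acme.example.com"]
    resources: ["hetzner"]   # the solverName; "*" also works but grants more than needed
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-hetzner:domain-solver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-hetzner:domain-solver
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# 2) Second error: the webhook's SA must be able to *get* the secret named in
#    the issuer's config. A namespaced Role with resourceNames limits this to
#    the one secret rather than every secret in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook-hetzner:secret-reader
  namespace: cert-manager
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["dns-config"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-hetzner:secret-reader
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook-hetzner:secret-reader
subjects:
  - kind: ServiceAccount
    name: cert-manager-cert-manager-webhook-hetzner
    namespace: cert-manager
```

After `kubectl apply -f` on these, the two checks that correspond to the two errors should both answer `yes`: `kubectl auth can-i create hetzner.acme.example.com --as=system:serviceaccount:cert-manager:cert-manager` and `kubectl auth can-i get secrets/dns-config -n cert-manager --as=system:serviceaccount:cert-manager:cert-manager-cert-manager-webhook-hetzner`. Note that the `can-i` test in the comment above was run without `-n`, so it evaluated the current context's namespace rather than `cert-manager`, and without a resource name, so it asked about all secrets; a Role scoped with `resourceNames` will still answer `no` to that broader question while allowing the specific secret the webhook needs. If the webhook was installed from a Helm chart that renders these bindings from a `groupName` value (an assumption about this repository's chart), the cleaner fix for the first error is to make that value match the ClusterIssuer's `groupName` rather than maintaining hand-written RBAC alongside the chart's.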