Open bd-spl opened 1 year ago
but I can be wrong, it seems there is http.Client used down the road...
then I'm not sure why I see HTTP 400 in the manager logs, like:
{"level":"error","ts":1670487898.6010566,"logger":"controller.issuer","msg":"Reconciler error","reconciler group":"certmanager.freeipa.org","reconciler kind":"Issuer","name":"issuer-sample-creds","namespace":"foo","error":"initial login falied: unexpected http status code: 400"
@bd-spl did you find out what was the reason? We are getting the same error.
I've added a firewall rule to allow egress traffic to port 80, so that cert-manager could reach out to the freeipa servers by HTTP (tcp:80). I believe this is fine, as it gets redirected to HTTPS afterwards.
The freeipa.go code uses the low-level http.Transport, which doesn't follow redirects:
https://github.com/guilhem/freeipa-issuer/blob/master/provisionners/freeipa.go#L32
https://github.com/golang/go/blob/master/src/net/http/transport.go#L71
So when it tries to connect to the IPA server via unencrypted HTTP and by chance gets redirected to
https://ipa.beer.best/ipa/session/login_password , it fails with HTTP 400.
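
The two net/http layers mentioned in this thread, shown side by side as an added example (not code from freeipa-issuer or from anyone in the thread): a login POST that hits a redirect, sent once through a bare transport and once through http.Client. The test server, the `/login` and `/session` paths, the form values and the rule that `/session` answers 400 to anything but a POST with a body are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Probe sends a constructed login POST to /login, which redirects to /session
// with the given status code. /session (hypothetical) answers 400 unless it
// receives a POST with a body, standing in for a login endpoint.
func Probe(code int) (rawStatus, finalStatus int, finalMethod string, err error) {
	mux := http.NewServeMux()
	mux.Handle("/login", http.RedirectHandler("/session", code))
	mux.HandleFunc("/session", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Method", r.Method)
		if r.Method != http.MethodPost || r.ContentLength == 0 {
			w.WriteHeader(http.StatusBadRequest)
		}
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()
	c := srv.Client()
	send := func(do func(*http.Request) (*http.Response, error)) (*http.Response, error) {
		req, err := http.NewRequest("POST", srv.URL+"/login", strings.NewReader("user=demo&password=constructed"))
		if err != nil {
			return nil, err
		}
		return do(req)
	}
	raw, err := send(c.Transport.RoundTrip) // bare transport: the 3xx comes back as-is
	if err != nil {
		return
	}
	raw.Body.Close()
	fin, err := send(c.Do) // http.Client follows Location
	if err != nil {
		return
	}
	fin.Body.Close()
	return raw.StatusCode, fin.StatusCode, fin.Header.Get("X-Method"), nil
}

func main() {
	for _, code := range []int{http.StatusFound, http.StatusTemporaryRedirect} {
		fmt.Println(Probe(code))
	}
}
```

In this run a 302 leaves the transport holding the bare redirect and makes http.Client retry as a body-less GET, while a 307 replays the POST. Pointing the client at the https:// URL directly avoids relying on either path and keeps the credentials off plaintext HTTP.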