I followed your instructions but the ACME challenge failed: Error presenting challenge: otcdns.xxx-development.otc-cert-manager-webhook is forbidden: User "system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller" cannot create resource "otcdns" in API group "xxx-development.otc-cert-manager-webhook" at the cluster scope
I have no idea; this is what I have done for troubleshooting:
(b) Cluster issuer (Credentials secrets are existing too)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: info@xxxx.de # REPLACE THIS WITH YOUR EMAIL!!!
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging-otcdms
    solvers:
      - dns01:
          webhook:
            groupName: xxx-development.otc-cert-manager-webhook
            solverName: otcdns
            config:
              authURL: "https://iam.eu-de.otc.t-systems.com:443/v3"
              region: "eu-de"
              # Only for local testing, if no secrets are available.
              # accessKey: ACCESSKEY
              # secretKey: SECRETKEY
              accessKeySecretRef:
                name: otcdns-credentials
                key: accessKey
              secretKeySecretRef:
                name: otcdns-credentials
                key: secretKey
(d) Certificates are created in a different namespace (not certmanager)
Name:         xxx-cloud.de-tls
Namespace:    xxx-keycloak
Labels:       app.kubernetes.io/component=keycloak
              app.kubernetes.io/instance=keycloak
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=keycloak
              helm.sh/chart=keycloak-15.1.7
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2023-08-24T10:39:49Z
  Generation:          1
  Owner References:
    API Version:           networking.k8s.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  keycloak
    UID:                   a0087ade-a18c-4988-aab8-21c638c04e08
  Resource Version:        4650231
  UID:                     fdd70cf8-c6ca-4b94-a420-0e0580c3cb5a
Spec:
  Dns Names:
    xxx-cloud.de
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
  Secret Name:  xxx-cloud.de-tls
  Usages:
    digital signature
    key encipherment
Status:
  Conditions:
    Last Transition Time:  2023-08-24T10:39:49Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                False
    Type:                  Ready
    Last Transition Time:  2023-08-24T10:39:49Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                True
    Type:                  Issuing
  Next Private Key Secret Name:  xxx.de-tls-sj845
Events:
  Type    Reason     Age  From                                       Message
  ----    ------     ---  ----                                       -------
  Normal  Issuing    18m  cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  18m  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "xxx-cloud.de-tls-sj845"
  Normal  Requested  18m  cert-manager-certificates-request-manager  Created new CertificateRequest resource "xxx-cloud.de-tls-7qdrq"
(e) Certificate request
Name:         xxx.de-tls-7qdrq
Namespace:    xxx-keycloak
Labels:       app.kubernetes.io/component=keycloak
              app.kubernetes.io/instance=keycloak
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=keycloak
              helm.sh/chart=keycloak-15.1.7
Annotations:  cert-manager.io/certificate-name: xxx-cloud.de-tls
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: xxx-cloud.de-tls-sj845
API Version:  cert-manager.io/v1
Kind:         CertificateRequest
Metadata:
  Creation Timestamp:  2023-08-24T10:39:49Z
  Generate Name:       xxx-cloud.de-tls-
  Generation:          1
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  xxx-cloud.de-tls
    UID:                   fdd70cf8-c6ca-4b94-a420-0e0580c3cb5a
  Resource Version:        4650252
  UID:                     5d016903-5319-4753-bfaf-9c5756121533
Spec:
  Extra:
    authentication.kubernetes.io/pod-name:
      certmanager-cert-manager-controller-5489f79646-7w4zj
    authentication.kubernetes.io/pod-uid:
      10ebd0e2-77fc-4ce1-ac98-69479264467a
  Groups:
    system:serviceaccounts
    system:serviceaccounts:xxx-certmanager
    system:authenticated
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
  Request:  <omitted>
  UID:      b08953a3-459a-48e1-a43b-8e964fb5a6b1
  Usages:
    digital signature
    key encipherment
  Username:  system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller
Status:
  Conditions:
    Last Transition Time:  2023-08-24T10:39:49Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2023-08-24T10:39:49Z
    Message:               Waiting on certificate issuance from order xxx-keycloak/xxx-cloud.de-tls-7qdrq-3502903507: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason              Age  From                                                Message
  ----    ------              ---  ----                                                -------
  Normal  WaitingForApproval  24m  cert-manager-certificaterequests-issuer-ca          Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  24m  cert-manager-certificaterequests-issuer-venafi      Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  24m  cert-manager-certificaterequests-issuer-vault       Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  24m  cert-manager-certificaterequests-issuer-selfsigned  Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  24m  cert-manager-certificaterequests-issuer-acme        Not signing CertificateRequest until it is Approved
  Normal  cert-manager.io     24m  cert-manager-certificaterequests-approver           Certificate request has been approved by cert-manager.io
  Normal  OrderCreated        24m  cert-manager-certificaterequests-issuer-acme        Created Order resource xxx-keycloak/xxx-cloud.de-tls-7qdrq-3502903507
  Normal  OrderPending        24m  cert-manager-certificaterequests-issuer-acme        Waiting on certificate issuance from order xxx-keycloak/xxx-cloud.de-tls-7qdrq-3502903507: ""
(a) Setup: values.yaml
(b) Cluster issuer (Credentials secrets are existing too)
(c) Ingress Configuration (Helm extracted)
(d) Certificates are created in a different namespace (not certmanager)
(e) Certificate request
(f) Order
(g) ACME Challenge
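The "forbidden" error names exactly what the webhook's RBAC has to line up with: the API group from the ClusterIssuer (xxx-development.otc-cert-manager-webhook), the resource (the solverName, otcdns), cluster scope, and the cert-manager controller's service account (certmanager-cert-manager-controller in namespace xxx-certmanager, not the default cert-manager namespace). As an added example, not taken from this issue or from the webhook project, this is the minimal ClusterRole/ClusterRoleBinding pair that would grant that one permission; the object names are assumptions, and charts built from the cert-manager webhook-example template render this binding from their values.yaml (certManager.namespace / certManager.serviceAccountName), which is where the mismatch would show up.

```yaml
# Added example (not the issue's or the webhook chart's own manifest).
# Every value below is taken from the error message in the issue except the
# two metadata names, which are assumed and can be renamed freely.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: otc-cert-manager-webhook:domain-solver    # assumed name
rules:
  - apiGroups:
      - xxx-development.otc-cert-manager-webhook   # groupName in the ClusterIssuer
    resources:
      - otcdns                                     # solverName, the resource the error names
    verbs:
      - create                                     # least privilege: Present/CleanUp only need create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: otc-cert-manager-webhook:domain-solver    # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: otc-cert-manager-webhook:domain-solver
subjects:
  - kind: ServiceAccount
    name: certmanager-cert-manager-controller      # the User in the error message
    namespace: xxx-certmanager                     # its real namespace, not "cert-manager"
```

Before and after applying it, `kubectl auth can-i create otcdns.xxx-development.otc-cert-manager-webhook --as=system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller` should change from "no" to "yes"; if it stays "no", the chart rendered the binding for a different service account or namespace.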