kube-lego keeps account information in the kube-lego-account secret: a registration URL and a private key. The registration URL contains the ACME URL as a base. When one afterwards changes the ACME URL (for example from staging to production) one will get 403 errors like this one:
2017-03-24T19:42:41.505266422Z time="2017-03-24T19:42:41Z" level=debug msg="error while authorizing: getting authorization failed: 403 urn:acme:error:unauthorized: No registration exists matching provided key" context=acme domain=....
This can be manually fixed by removing the kube-lego-account secret, so that kube-lego produces a new key and registration.
Ideally this could be handled automatically when starting up (compare the URLs, and re-register if mismatch), and minimally we might just want to document that one needs to delete the secret when switching URLs.
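The startup check suggested above (compare the URLs, re-register on mismatch), sketched as an added Go example that is not part of the original report or of kube-lego's code. The function names, the placeholder hosts and the rule that an unparsable stored URL counts as a mismatch are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// origin returns the normalized scheme://host[:port] of an absolute URL,
// dropping default ports so https://host and https://host:443 compare equal.
func origin(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("not an absolute URL: %q", raw)
	}
	scheme := strings.ToLower(u.Scheme)
	host := strings.ToLower(u.Hostname())
	port := u.Port()
	if (scheme == "https" && port == "443") || (scheme == "http" && port == "80") {
		port = ""
	}
	if port != "" {
		host += ":" + port
	}
	return scheme + "://" + host, nil
}

// NeedsNewRegistration (hypothetical helper) reports whether the registration
// URL stored in the account secret points at a different ACME server than the
// configured ACME URL. Assumption: an empty or unparsable stored URL is stale.
func NeedsNewRegistration(storedRegURL, acmeURL string) (bool, error) {
	want, err := origin(acmeURL)
	if err != nil {
		return false, fmt.Errorf("configured ACME URL: %w", err)
	}
	got, err := origin(storedRegURL)
	if err != nil {
		return true, nil
	}
	return got != want, nil
}

func main() {
	// Constructed sample values with placeholder hosts, not real ACME endpoints.
	stored := "https://acme-staging.example.test/acme/reg/12345"
	stale, err := NeedsNewRegistration(stored, "https://acme.example.test/directory")
	fmt.Println("re-register:", stale, err)
}
```

When the function returns true, the caller would discard the stored key and registration and create new ones, which is the same outcome as deleting the secret by hand.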