Closed olalonde closed 7 years ago
http://metabase.mydomain.com is proxied through Cloudflare and redirects to https://metabase.mydomain.com, would that prevent the ACME flow from working? (I don't really need TLS for that host but it would prevent metabase.prod.mydomain.com from getting a cert)
Hi @olalonde - did you manage to resolve this issue? Without seeing the cause of the prior failed authorisations it's quite difficult to debug from here.
I'm unsure how ACME requests will work if proxied for Cloudflare. Theoretically they should work, however if Cloudflare is redirecting all requests to the https equivalent, I think the ACME challenge request won't make it through to kube-lego. Does it work if you don't set Cloudflare to redirect users, and instead redirect using the ingress.kubernetes.io/force-ssl-redirect: 'true' annotation on the ingress?
Yes, I think that's what was happening (I did have a forced https redirect set up in Cloudflare). It's no longer an issue as I simply disabled SSL on that domain and don't have time to test it, but it looks like your solution would probably work.
I just switched from traefik+acme to nginx-ingress + kube-lego. Here's some error logs I'm getting:
Why do I have many invalid authorizations? I used the same email I was using with Traefik. Should I use another one? Also, since I re-used the same email but didn't have to enter a password, how does the authorization even work? I understand that domains are verified with special http requests but how does authorization work with my email?