jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

No domain could be authorized successfully #191

Closed olalonde closed 7 years ago

olalonde commented 7 years ago

I just switched from traefik+acme to nginx-ingress + kube-lego. Here are some error logs I'm getting:

time="2017-05-25T12:56:15Z" level=warning msg="authorization failed after 1m0s: getting authorization failed: 429 urn:acme:error:rateLimited: Error creating new authz :: Too many invalid authorizations recently." context=acme domain=metabase.prod.mydomain.com
time="2017-05-25T12:56:17Z" level=warning msg="authorization failed after 1m0s: getting authorization failed: 429 urn:acme:error:rateLimited: Error creating new authz :: Too many invalid authorizations recently." context=acme domain=metabase.mydomain.com
time="2017-05-25T12:56:17Z" level=error msg="Error while processing certificate requests: no domain could be authorized successfully" context=kubelego

Why do I have many invalid authorizations? I used the same email I was using with Traefik. Should I use another one? Also, since I re-used the same email but didn't have to enter a password, how does the authorization even work? I understand that domains are verified with special http requests but how does authorization work with my email?

olalonde commented 7 years ago

http://metabase.mydomain.com is proxied through cloudflare and redirects to https://metabase.mydomain.com, would that prevent the ACME flow from working? (I don't really need tls for that host but it would prevent metabase.prod.mydomain.com from getting a cert)

munnerz commented 7 years ago

Hi @olalonde - did you manage to resolve this issue? Without seeing the cause of the prior failed authorisations it's quite difficult to debug from here.

I'm unsure how ACME requests will work if proxied for Cloudflare. Theoretically they should work, however if Cloudflare is redirecting all requests to the https equivalent, I think the ACME challenge request won't make it through to kube-lego. Does it work if you don't set cloudflare to redirect users, and instead redirect using the ingress.kubernetes.io/force-ssl-redirect: 'true' annotation on the ingress?
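As an added example (not part of this thread and not kube-lego's own code): a small Python pre-flight check that requests the HTTP-01 challenge path over plain HTTP without following redirects and reports whether the first hop is an https redirect, which is the failure mode described in the comment above. Running it before re-enabling the client avoids burning more failed authorizations against the CA's rate limit. The hostnames and the probe token are constructed placeholders.

```python
#!/usr/bin/env python3
"""Pre-flight check for an HTTP-01 challenge path (constructed diagnostic).

The CA fetches http://<host>/.well-known/acme-challenge/<token> and does
not expect to be bounced to https by a CDN in front of the ingress.  This
script makes the same first request and reports what the first hop does.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

ACME_PATH = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so we observe the first hop, as the CA would."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def classify(status, location):
    """Turn the first-hop status and Location header into a verdict.

    "https-redirect": the challenge request is bounced to https (breaks HTTP-01)
    "other-redirect": some other 3xx, also not answered by the challenge server
    "origin-error":   5xx from whatever is in front of / behind the ingress
    "reachable":      any other answer; a 404 for a made-up token is expected
    """
    if 300 <= status < 400:
        if urlparse(location or "").scheme == "https":
            return "https-redirect"
        return "other-redirect"
    if status >= 500:
        return "origin-error"
    return "reachable"


def probe(host, token="preflight-probe", timeout=5):
    """Issue the plain-HTTP challenge request for `host` and classify it."""
    url = f"http://{host}{ACME_PATH}{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return classify(err.code, err.headers.get("Location"))
    except (urllib.error.URLError, OSError):
        return "origin-error"


if __name__ == "__main__":
    for name in sys.argv[1:] or ["metabase.mydomain.com"]:  # placeholder host
        print(name, probe(name))
```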

olalonde commented 7 years ago

> I'm unsure how ACME requests will work if proxied for Cloudflare. Theoretically they should work, however if Cloudflare is redirecting all requests to the https equivalent, I think the ACME challenge request won't make it through to kube-lego. Does it work if you don't set cloudflare to redirect users, and instead redirect using the ingress.kubernetes.io/force-ssl-redirect: 'true' annotation on the ingress?

Yes, I think that's what was happening (I did have a forced https redirect set up in Cloudflare). It's no longer an issue as I simply disabled SSL on that domain and don't have time to test it, but it looks like your solution would probably work.