deadcyclo closed this issue 7 years ago
Not much you can do here because Google Cloud Load Balancer route changes take a few minutes to propagate across the globe. In the meantime, kube-lego will check the domain name instead of asking Let's Encrypt to validate it (and then get rate-limited).
As above, I think this is just an unfortunate implication of using the GCLB controller. Route updates take time to propagate, and in the meantime there's nothing that kube-lego can do to accelerate this. The selftest that you see failing there is actually stopping you from hitting your rate limits on LE.
I'm using the GCE example from the repo, but only changing the domain and other things that need to be changed, like the email. And kube-lego behaves very oddly.
The log spews out the following error messages for about 5 minutes:
time="2017-06-23T14:22:07Z" level=debug msg="error while authorizing: reachability test failed: wrong status code '502'" context=acme domain=blogg.sut.cloud
time="2017-06-23T14:22:15Z" level=debug msg="testing reachability of http://blogg.sut.cloud/.well-known/acme-challenge/_selftest" context=acme domain=blogg.sut.cloud
After 5 minutes, suddenly the certificate gets created. But https still doesn't work. To get https working, I have to destroy the ingress instance, and re-create it. After that, everything works fine, until you destroy the namespace. Once that is done, you get the exact same issue again when trying to redeploy it.
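The gating discussed in this thread (poll the `_selftest` path and only ask Let's Encrypt for validation once it answers), as an added example that is not kube-lego's own code. `waitReachable` is a hypothetical helper, it checks the status code only, and `example.invalid` is a placeholder domain.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"time"
)

// selfTestPath is the path seen in the log lines above.
const selfTestPath = "/.well-known/acme-challenge/_selftest"

// waitReachable polls baseURL+selfTestPath until it answers 200 OK or ctx
// expires, and returns the number of attempts made. Hypothetical helper.
func waitReachable(ctx context.Context, c *http.Client, baseURL string, interval time.Duration) (int, error) {
	var lastErr error
	for attempt := 1; ; attempt++ {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+selfTestPath, nil)
		if err != nil {
			return attempt, err
		}
		resp, err := c.Do(req)
		if err == nil {
			resp.Body.Close()
			if resp.StatusCode == http.StatusOK {
				return attempt, nil // route has propagated; safe to request validation
			}
			// e.g. 502 while the load balancer route is still propagating
			lastErr = fmt.Errorf("wrong status code '%d'", resp.StatusCode)
		} else {
			lastErr = err
		}
		select {
		case <-ctx.Done():
			// Give up without ever contacting the CA, so no rate limit is spent.
			return attempt, fmt.Errorf("reachability test failed: %v", lastErr)
		case <-time.After(interval):
		}
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
	defer cancel()
	n, err := waitReachable(ctx, http.DefaultClient, "http://example.invalid", 8*time.Second)
	fmt.Printf("attempts=%d err=%v\n", n, err)
}
```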