jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0
2.16k stars 267 forks

Can't skip self pre-flight check. Should be able to skip it. #236

Open skyscooby opened 7 years ago

skyscooby commented 7 years ago

In some setups, from within the kube cluster itself, the public hostname being exposed for Ingress traffic is not actually working and accessible by that name from within the kube (NAT / load balancer etc.). The kube-lego pod within the cluster fails its own health check and as a result doesn't even bother requesting a certificate, even though the traffic back from Let's Encrypt would make it to the published acme-challenge just fine. The user should be able to replace this check with a skip and/or sleep, or perhaps kube-lego should use the kube internal service if that's possible.

munnerz commented 7 years ago

So this isn't as simple as it sounds, because as soon as kube-lego makes a request to validate the challenge with the ACME server, if that request fails then the challenge request must be restarted.

Therefore, it's essential that kube-lego is sure that the route has propagated to the ingress controller. If we were to add a skip-selfcheck option, then every challenge request would fail. The closest thing we could offer is, as you suggest, a simple "wait 120 seconds and then request a certificate", but that's a tricky thing in and of itself.

I've noticed this issue myself too, specifically when running my cluster in a NAT environment - it's a requirement that you have hairpin NAT configured properly to make the HTTP01 selfcheck work 😬
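
The pre-flight check described in the comment above, as an added example that is not kube-lego's own code: it polls the public HTTP-01 URL until the ingress serves the expected key authorization, and only then would the caller ask the ACME server to validate, since a failed ACME-side validation invalidates the authorization and the challenge has to be re-requested. The optional DialAddr field is this example's workaround for the hairpin-NAT case: the probe connects to the ingress controller's in-cluster address while still sending the public hostname in the Host header. The type and function names, the fake ingress server and the sample token and JWK are all constructed for the demo.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// SelfCheckConfig describes one HTTP-01 pre-flight check (names are this
// example's own, not kube-lego's).
type SelfCheckConfig struct {
	Host             string        // public hostname on the Ingress
	Token            string        // challenge token issued by the ACME server
	KeyAuthorization string        // token + "." + account-key thumbprint (RFC 8555 section 8.1)
	DialAddr         string        // optional "ip:port" to connect to instead of resolving Host
	Interval         time.Duration // poll interval (defaults to 2s)
	Timeout          time.Duration // give up after this long
}

// ComputeKeyAuthorization derives the body the ingress must serve. For brevity
// it takes the account key's canonical JWK JSON already serialised
// (RFC 7638 thumbprint = base64url(SHA-256(canonical JWK))).
func ComputeKeyAuthorization(token string, canonicalJWK []byte) string {
	sum := sha256.Sum256(canonicalJWK)
	return token + "." + base64.RawURLEncoding.EncodeToString(sum[:])
}

func challengeURL(host, token string) string {
	return "http://" + host + "/.well-known/acme-challenge/" + token
}

// newClient builds an HTTP client. When dialAddr is set, every connection goes
// to that address while the request still carries "Host: <public hostname>",
// so the probe reaches the ingress controller even when the public name is not
// reachable from inside the cluster (the hairpin-NAT case).
func newClient(dialAddr string) *http.Client {
	transport := &http.Transport{
		DisableKeepAlives: true,
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			if dialAddr != "" {
				addr = dialAddr
			}
			return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, addr)
		},
	}
	return &http.Client{Transport: transport, Timeout: 10 * time.Second}
}

// probeOnce fetches the challenge URL once; any non-200 or mismatched body
// counts as "not propagated yet".
func probeOnce(client *http.Client, cfg SelfCheckConfig) (bool, error) {
	resp, err := client.Get(challengeURL(cfg.Host, cfg.Token))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return false, err
	}
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	if strings.TrimSpace(string(body)) != cfg.KeyAuthorization {
		return false, errors.New("body does not match key authorization")
	}
	return true, nil
}

// WaitForPropagation polls until the ingress serves the right body or the
// timeout expires. Only a nil return should trigger the ACME validation request.
func WaitForPropagation(cfg SelfCheckConfig) error {
	if cfg.Interval <= 0 {
		cfg.Interval = 2 * time.Second
	}
	client := newClient(cfg.DialAddr)
	deadline := time.Now().Add(cfg.Timeout)
	for {
		ok, err := probeOnce(client, cfg)
		if ok {
			return nil
		}
		if time.Now().After(deadline) {
			return fmt.Errorf("self-check for %s did not pass within %s: %w", cfg.Host, cfg.Timeout, err)
		}
		time.Sleep(cfg.Interval)
	}
}

// StartFakeIngress stands in for the ingress controller in this demo: it
// answers the challenge path for the given Host header with body, 404 otherwise.
func StartFakeIngress(host, token, body string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Host != host || r.URL.Path != "/.well-known/acme-challenge/"+token {
			http.NotFound(w, r)
			return
		}
		_, _ = w.Write([]byte(body))
	}))
}

func main() {
	ka := ComputeKeyAuthorization("tok123", []byte(`{"e":"AQAB","kty":"RSA","n":"example"}`))
	srv := StartFakeIngress("example.com", "tok123", ka)
	defer srv.Close()
	cfg := SelfCheckConfig{
		Host: "example.com", Token: "tok123", KeyAuthorization: ka,
		DialAddr: srv.Listener.Addr().String(), // dial the in-cluster address, keep the public Host header
		Interval: 100 * time.Millisecond, Timeout: 2 * time.Second,
	}
	fmt.Println("propagated:", WaitForPropagation(cfg))
}
```

A real deployment would populate DialAddr from the ingress controller's Service ClusterIP rather than a hard-coded value, and keep the ordinary hostname-resolving path as the default, since the point of the check is to confirm the route the ACME server will actually take.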

paulwalker commented 6 years ago

it's a requirement that you have hairpin NAT configured properly

@munnerz Can you extrapolate on that? I cannot get the selfcheck to work myself, as the selfcheck seems to be routed to my main ingress controller and backend.