snowdrop / godaddy-webhook

Cert Manager Godaddy Webhook performing ACME challenge using DNS record
Apache License 2.0

Error presenting challenge cannot create resource "godaddy" in API group "acme.amprajin.in" at the cluster scope #25

Open PRAJINPRAKASH opened 1 year ago

PRAJINPRAKASH commented 1 year ago

Error presenting challenge: godaddy.acme.amprajin.in is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "godaddy" in API group "acme.amprajin.in" at the cluster scope

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # ACME Server
    # prod : https://acme-v02.api.letsencrypt.org/directory
    # staging : https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # ACME Email address
    email: prajinprakash4u@gmail.com
    privateKeySecretRef:
      name: letsencrypt-staging # staging or production
    solvers:
    - selector:
        dnsNames:
        - '*.amprajin.in'
      dns01:
        webhook:
          config:
            apiKeySecretRef:
              name: godaddy-api-key
              key: token
            production: true
            ttl: 600
          groupName: acme.amprajin.in
          solverName: godaddy
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-amprajin-in
spec:
  secretName: wildcard-amprajin-in-tls
  renewBefore: 240h
  dnsNames:
  - '*.amprajin.in'
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

spencertr commented 1 year ago

Did you figure this out? I have the same exact issue.

giacomotontini commented 1 year ago

Have you tried creating a ClusterRole and a ClusterRoleBinding like someone else stated online here?

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dns-challenge-missing-role
rules:
- apiGroups: ["acme.amprajin.in"] # must match the groupName set in the ClusterIssuer
  resources: ["godaddy"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dns-challenge-missing-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dns-challenge-missing-role
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: cert-manager

cmoulliard commented 1 year ago

Can we close this ticket if you have been able to resolve it? @PRAJINPRAKASH

ckt114 commented 9 months ago

This error happens when installing godaddy-webhook using the kubectl apply -f ... method. The cert-manager.yaml has the string acme.mycompany.com hard-coded for the groupName. What you have to do is download that file and replace that value with the value you want.

OR

Install it using Helm with helm upgrade --install -n cert-manager godaddy-webhook godaddy-webhook/godaddy-webhook --set groupName=acme.YOURCOMPANY.com
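
Added example (not code from this thread or from the godaddy-webhook project): a Python check that reproduces the authorization decision behind the "forbidden" error, showing why a role written for acme.mycompany.com does not cover an issuer whose groupName is acme.amprajin.in. The objects are constructed samples shaped like `kubectl get ... -o json` output, the role name `example-domain-solver` is hypothetical, and the check assumes only ClusterRoleBindings with ServiceAccount subjects matter (no Group subjects, no aggregated roles).

```python
# Constructed sample, shaped like an item from `kubectl get clusterissuer -o json`.
ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"},
          "spec": {"acme": {"solvers": [{"dns01": {"webhook": {
              "groupName": "acme.amprajin.in", "solverName": "godaddy"}}}]}}}

def role(name, group, verbs):
    """Build a constructed ClusterRole granting `verbs` on godaddy.<group>."""
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": [group], "resources": ["godaddy"], "verbs": verbs}]}

def binding(role_name, sa="cert-manager", ns="cert-manager"):
    """Build a constructed ClusterRoleBinding of `role_name` to a service account."""
    return {"kind": "ClusterRoleBinding", "metadata": {"name": role_name + "-binding"},
            "roleRef": {"kind": "ClusterRole", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": ns}]}

def matches(values, wanted):
    # RBAC treats "*" as "any" for apiGroups, resources and verbs.
    return "*" in values or wanted in values

def can_create(group, resource, roles, bindings, sa="cert-manager", ns="cert-manager"):
    """True if a ClusterRole bound to ns/sa allows `create` on resource.group."""
    bound = {b["roleRef"]["name"] for b in bindings
             if b["roleRef"]["kind"] == "ClusterRole"
             and any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
                     and s.get("namespace") == ns for s in b.get("subjects") or [])}
    return any(matches(r.get("apiGroups", []), group)
               and matches(r.get("resources", []), resource)
               and matches(r.get("verbs", []), "create")
               for cr in roles if cr["metadata"]["name"] in bound
               for r in cr.get("rules") or [])

def audit(issuer, roles, bindings):
    """Return (groupName, solverName, allowed) for every DNS01 webhook solver."""
    out = []
    for solver in issuer["spec"]["acme"].get("solvers", []):
        wh = solver.get("dns01", {}).get("webhook")
        if wh:
            out.append((wh["groupName"], wh["solverName"],
                        can_create(wh["groupName"], wh["solverName"], roles, bindings)))
    return out

if __name__ == "__main__":
    # Role as left by an install that kept the hard-coded group: request is denied.
    stale = role("example-domain-solver", "acme.mycompany.com", ["create"])
    print(audit(ISSUER, [stale], [binding("example-domain-solver")]))
    # Role whose apiGroups matches the issuer's groupName: `create` alone suffices.
    fixed = role("example-domain-solver", "acme.amprajin.in", ["create"])
    print(audit(ISSUER, [fixed], [binding("example-domain-solver")]))
```

On a live cluster the same question can be put to the API server with `kubectl auth can-i create godaddy.acme.amprajin.in --as=system:serviceaccount:cert-manager:cert-manager`.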

cmoulliard commented 9 months ago

Can you propose a PR to improve the readme file of this project to warn the user and propose solutions as you suggested? @ckt114

ckt114 commented 9 months ago

@cmoulliard https://github.com/snowdrop/godaddy-webhook/pull/42