snowdrop / godaddy-webhook

Cert Manager Godaddy Webhook performing ACME challenge using DNS record
Apache License 2.0
72 stars 62 forks

Unable to check the TXT record: ### Unexpected HTTP status: 403 #39

Closed Siradjedd closed 7 months ago

Siradjedd commented 8 months ago

I got an error while configuring cert-manager with the godaddy webhook. Here are the logs:

1) Certificate

Name:         letsencrypt-prod
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate

Events:
  Type    Reason     Age   From                                       Message
  ----    ------     ----  ----                                       -------
  Normal  Issuing    11m   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  11m   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "letsencrypt-prod-vk6fg"
  Normal  Requested  11m   cert-manager-certificates-request-manager  Created new CertificateRequest resource "letsencrypt-prod-1

2) CertificateRequest

Name:         letsencrypt-prod-1
Namespace:    default
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: letsencrypt-prod
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: letsencrypt-prod-vk6fg
API Version:  cert-manager.io/v1
Kind:         CertificateRequest

Events:
  Type    Reason              Age   From                                                Message
  ----    ------              ----  ----                                                -------
  Normal  WaitingForApproval  12m   cert-manager-certificaterequests-issuer-vault       Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  12m   cert-manager-certificaterequests-issuer-selfsigned  Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  12m   cert-manager-certificaterequests-issuer-acme        Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  12m   cert-manager-certificaterequests-issuer-ca          Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  12m   cert-manager-certificaterequests-issuer-venafi      Not signing CertificateRequest until it is Approved
  Normal  cert-manager.io     12m   cert-manager-certificaterequests-approver           Certificate request has been approved by cert-manager.io
  Normal  OrderCreated        12m   cert-manager-certificaterequests-issuer-acme        Created Order resource default/letsencrypt-prod-1-112517667
  Normal  OrderPending        12m   cert-manager-certificaterequests-issuer-acme        Waiting on certificate issuance from order default/letsencrypt-prod-1-112517667: ""

3) Order

Name:         letsencrypt-prod-1-112517667
Namespace:    default
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: letsencrypt-prod
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: letsencrypt-prod-vk6fg
API Version:  acme.cert-manager.io/v1
Kind:         Order

Events:
  Type    Reason   Age   From                 Message
  ----    ------   ----  ----                 -------
  Normal  Created  13m   cert-manager-orders  Created Challenge resource "letsencrypt-prod-1-112517667-2756939281" for domain "testps.adeiz.com"

4) Challenge

Name:         letsencrypt-prod-1-112517667-2756939281
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  acme.cert-manager.io/v1
Kind:         Challenge

Events:
  Type     Reason        Age                  From                     Message
  ----     ------        ----                 ----                     -------
  Normal   Started       14m                  cert-manager-challenges  Challenge scheduled for processing
  Warning  PresentError  3m49s (x8 over 14m)  cert-manager-challenges  Error presenting challenge: the server is currently unable to handle the request (post godaddy.acme.mycompany.com)

5) cert-manager

I0109 20:13:50.0830181 dns.go:88] "cert-manager/challenges/Present: presenting DNS01 challenge for domain" resource_name="letsencrypt-prod-1-112517667-2756939281" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="testps.adeiz.com" type="DNS-01" resource_name="letsencrypt-prod-1-112517667-2756939281" resource_namespace="default" resource_kind="Challenge" resource_version="v1" domain="testps.adeiz.com"

E0109 20:13:50.0916421 controller.go:167] "cert-manager/challenges: re-queuing item due to error processing" err="the server is currently unable to handle the request (post godaddy.acme.mycompany.com)" key="default/letsencrypt-prod-1-112517667-2756939281"

6) godaddy webhook

E0109 20:19:10.1000231 runtime.go:77] Observed a panic: runtime error: index out of range [1] with length 1

7) Api-server

I0109 20:21:49.651391       1 controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.mycompany.com: Rate Limited Requeue.
E0109 20:23:49.655186       1 controller.go:116] loading OpenAPI spec for "v1alpha1.acme.mycompany.com" failed with: OpenAPI spec does not exist

Here are the config files:

1) Godaddy API secret

apiVersion: v1
kind: Secret
metadata:
  name: godaddy-api-key
  namespace: default
type: Opaque
stringData:
  token: <api_key:secret> # plain "key:secret" value: stringData must NOT be base64-encoded (use data: for base64)

2) Issuer

apiVersion: cert-manager.io/v1
kind: Issuer # or ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: default
  labels:
     app: adeiz-ca-cert
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <email>
    privateKeySecretRef:
      name:  adeiz-ca
    solvers:
    - selector:
        dnsNames:
        - '*.testps.adeiz.com'
      dns01:
        webhook:
          config:
            apiKeySecretRef:
              name: godaddy-api-key
              key: token
            production: true
            ttl: 600
          groupName: acme.mycompany.com
          solverName: godaddy

3) Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: adeiz-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    #cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #cert-manager.io/issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - '*.testps.adeiz.com'
    secretName: adeiz-ca
  rules:
  - host: test.testps.adeiz.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-hello-world
            port:
              number: 80

4) Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: adeiz-ca
  labels:
    app: adeiz-ca-cert
  namespace: default
spec:
  renewBefore: 2136h
  duration: 2190h
  privateKey:
    size: 2048
    algorithm: RSA
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod
  secretName: adeiz-ca
  dnsNames:
    - '*.testps.adeiz.com'

Cluster configured with kubeadm on bare metal.

I am also not sure if I should change the groupName, because changing it gave me errors, or whether I should edit the ClusterRole and ClusterRoleBinding before deploying the godaddy webhook?

cmoulliard commented 8 months ago

Here are the config files:

Are you sure that you declared the GoDaddy API key and its secret correctly, as my_apy_key:my_apy_secret -> https://github.com/snowdrop/godaddy-webhook/blob/main/main.go#L188-L190 ?

Siradjedd commented 8 months ago

It was encoded; now I edited it --> api_key:api_secret and have the same issue.

Siradjedd commented 8 months ago

Update:

godaddywebhook:

INFO[3899] ### URL request issued to check if the TXT DNS record is present: /v1/domains/adeiz.com/records/TXT/_acme-challenge.testps

Cert-manager: "cert-manager/challenges: re-queuing item due to error processing" err="Unable to check the TXT record: ### Unexpected HTTP status: 403" key="default/adeiz-ca-1-3158728248-3752762942"

challenger: Warning PresentError 19m (x8 over 61m) cert-manager-challenges Error presenting challenge: Unable to check the TXT record: ### Unexpected HTTP status: 403

I can hit the API using:

curl -X GET -H "Authorization: sso-key $key:$secret" "https://api.godaddy.com/v1/domains/available?domain=adeiz.com"

Result: {"available":false,"definitive":true,"domain":"adeiz.com"}

@cmoulliard any updates?

-----UPDATE--- The problem was related to the api_key:api_secret: I didn't have the right permissions.

cmoulliard commented 7 months ago

Many thanks for reporting what the problem was ==> the problem was related to the api_key:api_secret; I didn't have the right permissions, and it was not related to this project.
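A pre-flight check that reproduces the two failure modes in this thread before cert-manager is involved: a Secret value that was base64-encoded instead of plain `key:secret`, and a key that authenticates (the `/domains/available` curl works) but gets 403 on the zone's TXT records. This is an added example, not code from the godaddy-webhook project; it only assumes the `sso-key` header scheme and the `/v1/domains/{zone}/records/TXT/{name}` path shown in the thread's logs, and the 401/403 meanings are taken from GoDaddy's API behaviour, not from this issue.

```python
import base64
import urllib.request
from urllib.error import HTTPError

def normalize_token(token: str) -> str:
    """Return the plain 'key:secret' string the webhook expects. A stringData value
    reaches the webhook unchanged, so a base64 value (first mistake here) is sent as-is."""
    token = token.strip()
    if ":" in token:
        return token
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("token is neither 'key:secret' nor base64 of it") from exc
    if ":" not in decoded:
        raise ValueError("base64-decoded token has no 'key:secret' separator")
    return decoded

def txt_record_path(dns_name: str, zone: str) -> str:
    """Path the webhook logs, e.g. testps.adeiz.com in zone adeiz.com ->
    /v1/domains/adeiz.com/records/TXT/_acme-challenge.testps (wildcard and apex handled)."""
    name = dns_name[2:] if dns_name.startswith("*.") else dns_name
    if name == zone:
        record = "_acme-challenge"
    elif name.endswith("." + zone):
        record = "_acme-challenge." + name[: -len(zone) - 1]
    else:
        raise ValueError(f"{dns_name} is not inside zone {zone}")
    return f"/v1/domains/{zone}/records/TXT/{record}"

def fetch_status(token: str, path: str) -> int:
    # Same host, header scheme and path the webhook uses; only the status matters here.
    req = urllib.request.Request("https://api.godaddy.com" + path,
                                 headers={"Authorization": f"sso-key {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code

def diagnose(status: int) -> str:
    # Map the status the webhook would see to the likely cause (401/403 split is an assumption).
    return {
        200: "ok: this key can read TXT records in the zone",
        401: "unauthorized: key/secret rejected (wrong value, or base64 instead of plain key:secret)",
        403: "forbidden: key is valid but may not manage this domain's DNS (the cause in this thread)",
    }.get(status, f"unexpected HTTP status {status}: check the zone name and account")

def preflight(token: str, dns_name: str, zone: str, fetch=fetch_status) -> tuple:
    path = txt_record_path(dns_name, zone)  # `fetch` is injectable so this runs offline in tests
    return path, diagnose(fetch(normalize_token(token), path))
```

Run `preflight(open("token").read(), "testps.adeiz.com", "adeiz.com")` with the real key to see the verdict before deploying the Issuer.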