voyagermesh / voyager

🚀 Secure L7/L4 (HAProxy) Ingress Controller for Kubernetes
https://voyagermesh.com
Apache License 2.0

Let's Encrypt staging will use dns-01 but production will try TLS-ALPN-01 #1244

Open mekanoe opened 5 years ago

mekanoe commented 5 years ago

On voyager 7.4.0, for a given cert, say

apiVersion: voyager.appscode.com/v1beta1
kind: Certificate
metadata:
  name: examplecom
  namespace: default
spec:
  domains:
  - example.com
  acmeUserSecretName: acme-account-staging
  challengeProvider:
    dns:
      provider: gce
      credentialSecretName: voyager-gce

Using LE production, voyager will seem to ignore DNS as a possible challenge, but will try TLS-ALPN-01 in very fast succession, and fail on my config, until it gets rate limited. Logs mention there not being a solver for http-01.

However, with LE staging, voyager will immediately use the DNS challenge and succeed.

richerlariviere commented 5 years ago

I think I have the same issue here.

Cluster provider: Azure (generated using acs-engine).
Kubernetes version: v1.10.2.
Voyager version: voyager-7.4.0 (installed with Helm).
Certificate description: kubectl describe certificates.voyager.appscode.com/waykdencert

Name:         waykdencert
Namespace:    default
Labels:       app=lucid
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"voyager.appscode.com/v1beta1","kind":"Certificate","metadata":{"annotations":{},"labels":{"app":"lucid"},"name":"waykdencer...
API Version:  voyager.appscode.com/v1beta1
Kind:         Certificate
Metadata:
  Cluster Name:
  Creation Timestamp:  2018-07-30T13:58:50Z
  Generation:          1
  Resource Version:    20488009
  Self Link:           /apis/voyager.appscode.com/v1beta1/namespaces/default/certificates/waykdencert
  UID:                 af7f1705-9400-11e8-b924-000d3a4dce57
Spec:
  Acme User Secret Name:  acme-account
  Challenge Provider:
    Dns:
      Credential Secret Name:  voyager-azure
      Provider:                azure
  Domains:
    den.wayk.net
  Paused:  false
  Storage:
    Secret:
      Name:       waykdencert
      Namespace:  default
Status:
  Conditions:
    Last Update Time:  2018-10-21T13:07:24Z
    Type:              Issued
    Last Update Time:  2018-10-21T13:02:15Z
    Reason:            acme: Error -> One or more domains had a problem:
[den.wayk.net] acme: Error 403 - urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge

    Type:  Failed
  Last Issued Certificate:
    Cert Stable URL:  https://acme-v02.api.letsencrypt.org/acme/cert/043dfc870504af42ebbc09447eae6bb5d6b2
    Cert URL:         https://acme-v02.api.letsencrypt.org/acme/cert/043dfc870504af42ebbc09447eae6bb5d6b2
    Not After:        2019-01-19T12:07:23Z
    Not Before:       2018-10-21T12:07:23Z
    Serial Number:    369542034626015135306826078640482775586482
Events:               <none>
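
A check over a Certificate object for the mismatch both reports above describe (a DNS challenge provider configured, but the ACME failure naming tls-alpn-01), written as an added example that is not part of this thread or of Voyager's own code. The certificate dict is constructed from the fields shown in the describe output, and the mapping from challengeProvider keys to ACME challenge types is an assumption.

```python
import re

# Constructed sample modelled on the Certificate objects in this thread
# (spec.challengeProvider plus the Failed condition's reason); not real cluster data.
SAMPLE_CERT = {
    "spec": {
        "challengeProvider": {"dns": {"provider": "azure", "credentialSecretName": "voyager-azure"}},
        "domains": ["example.test"],
    },
    "status": {
        "conditions": [
            {"type": "Failed",
             "reason": "acme: Error -> One or more domains had a problem: [example.test] acme: Error 403 - "
                       "urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol "
                       '"acme-tls/1" for tls-alpn-01 challenge'},
        ]
    },
}

# Assumed mapping: which ACME challenge type each Voyager challengeProvider key should use.
EXPECTED_CHALLENGE = {"dns": "dns-01", "http": "http-01"}

CHALLENGE_RE = re.compile(r"\b(dns-01|http-01|tls-alpn-01)\b", re.IGNORECASE)


def configured_challenge(cert):
    """ACME challenge type implied by spec.challengeProvider, or None if unrecognised."""
    provider = cert.get("spec", {}).get("challengeProvider", {})
    for key, challenge in EXPECTED_CHALLENGE.items():
        if key in provider:
            return challenge
    return None


def attempted_challenges(cert):
    """Challenge types named in the reasons of Failed status conditions."""
    found = set()
    for cond in cert.get("status", {}).get("conditions", []):
        if cond.get("type") != "Failed":
            continue
        found.update(m.lower() for m in CHALLENGE_RE.findall(cond.get("reason", "")))
    return found


def challenge_mismatch(cert):
    """Attempted challenge types that differ from the configured one; empty set when consistent."""
    expected = configured_challenge(cert)
    attempted = attempted_challenges(cert)
    return attempted if expected is None else {c for c in attempted if c != expected}
```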

mouhsinelonly commented 5 years ago

I get this error when trying HTTP-challenge

Warning CertificateInvalid 14m voyager-operator failed to create certificate.: acme: Error -> One or more domains had a problem: [#####] acme: Error 400 - urn:ietf:params:acme:error:malformed - Server only speaks HTTP, not TLS