4

I followed this instruction to set up a cert-manager on my EKS cluster https://cert-manager.io/docs/tutorials/acme/ingress/.

here is my ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
      - '*.test.com'
    secretName: test-tls
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-service
                port:
                  number: 80

Here is the issuer. I just copied the config from the instruction

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: info@test.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx

After deployment, I found the certificate ready state is false

kubectl get certificate
NAME          READY   SECRET        AGE
test-tls   False   test-tls   2m45s

Then I followed this to troubleshoot https://cert-manager.io/docs/faq/troubleshooting/

I ran kubectl describe certificaterequest <request name>, found error Waiting on certificate issuance from order test-tls-xxx: "pending"

then ran kubectl describe order test-tls-xxx, found error Warning Solver 20m cert-manager Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge.

Any idea why it couldn't determine a valid solver? how do I test if solver is working?

Harsh Manvar
  • 27,020
  • 6
  • 48
  • 102
user3908406
  • 1,416
  • 1
  • 18
  • 32

1 Answers1

6

It's not working due you are using the staging URL in cluster issuer to verify the image.

Please try with the Production URL.

here a simple and proper example of Clusterissuer and ingress YAML (do note you were trying with staging API https://acme-staging-v02.api.letsencrypt.org/directory if possible use the production server address so it works properly with all browsers)

Example:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

Note : When you are trying again please try deleting the old objects like ingress, Clusterissuer first.

Issuer vs ClusterIssuer

An Issuer is a namespaced resource, and it is not possible to issue certificates from an Issuer in a different namespace. This means you will need to create an Issuer in each namespace you wish to obtain Certificates in.

If you want to create a single Issuer that can be consumed in multiple namespaces, you should consider creating a ClusterIssuer resource. This is almost identical to the Issuer resource, however is non-namespaced so it can be used to issue Certificates across all namespaces.

Ref : https://cert-manager.io/docs/concepts/issuer/

Wildcard cert

You can use as per requirement, if you are using issuer you can update the ingress annotation line like

cert-manager.io/issuer: issuer-name

If you are trying to get the wildcard * certificate you won't be able to get it using HTTP auth method

solvers:
        - http01:
            ingress:
              class: nginx-class-name

instead of this you have to use the DNS-auth method for wildcard cert.

solvers:
    - dns01:
        cloudDNS:
          project: my-project
          serviceAccountSecretRef:
            name: prod-clouddns-svc-acct-secret
            key: service-account.json

Read more at : https://cert-manager.io/docs/configuration/acme/dns01/

Ref article to get the wildcard cert : https://medium.com/@harsh.manvar111/wild-card-certificate-using-cert-manager-in-kubernetes-3406b042d5a2

Harsh Manvar
  • 27,020
  • 6
  • 48
  • 102
  • 1
    there might be issue due to you are using the wild card into the host name so please checkout first without wild card as let's encrypt not support wild card certs. – Harsh Manvar Jul 02 '21 at 10:18
  • thanks! I have hundreds of subdomains, if I can't use wildcard, is there a work around? – user3908406 Jul 02 '21 at 13:30
  • BTW, just tried your suggestion. Changed staging to prod and issuer to clusterissuer, also deleted everything and did a fresh redeployment, still getting the same error `Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge`. The only thing I haven't tried is changing wild card in hosts, as I don't know how to handle hundreds of domains – user3908406 Jul 02 '21 at 13:50
  • which solver are you using ? http or dns ? – Harsh Manvar Jul 02 '21 at 14:18
  • http ``` solvers: - http01: ingress: class: nginx ``` – user3908406 Jul 02 '21 at 14:23
  • `*` was the problem for me too, according to an article I found, wildcards are only possible with dns challenge instead of http (and only cover one dot-level). – Mark Aug 08 '21 at 09:41
  • Yes it’s there wild card only possible with DNS 01 auth dude it’s use the let’s encrypt in background and it’s limitation of let’s encrypt mentioned in official doc – Harsh Manvar Aug 08 '21 at 10:48
  • please feel free to update the status of question if resolve your question and do upvote if found it helpful – Harsh Manvar Mar 18 '23 at 03:56