-1

busy with learning about setting up DNS management (DirectAdmin) for my virtual private server (DigitalOcean) with a k8s cluster, with an example.com host and an HTTP-01 challenge from Let's Encrypt, and I am stuck with the HTTPS bit and pointing it to my VPS. I think the one might influence the other, so that is why it is a 2-part question.

DNS management (most of it is out of the box)

| Name | TTL | Type | Value |
|---|---|---|---|
| ftp | 3600 | A | 123.12.123.123 |
| imap | 3600 | A | 123.12.123.123 |
| mail | 3600 | A | 123.12.123.123 |
| example.com | 3600 | A | 444.55.666.777 |
| pop | 3600 | A | 123.12.123.123 |
| smtp | 3600 | A | 123.12.123.123 |
| www | 3600 | A | 444.55.666.777 |
| example.com | - | NS | dn1.provider.eu. |
| example.com | - | NS | dn2.provider.eu. |
| example.com | - | NS | dn3.provider.eu. |

My understanding so far is that most of the config is mail stuff and only the www and example.com A records are relevant for pointing to my VPS, and that is what I changed (the 444.55.666.777 ones). Problem 1 here is that I still get the base page of DirectAdmin ("Something amazing will be constructed here...") when I browse to https://example.com.

On the VPS side the Traefik load balancer is on 444.55.666.777 as external IP with 80 & 443 open, and in /etc/hosts I added 444.55.666.777 example.com (just to be sure, and a lucky guess).

I presume the domain is not properly pointing to my VPS's IP. Is there something I am missing here?

Inside the VPS I am also trying to curl example.com:

    curl http://example.com --> website
    curl https://example.com -v --> SSL certificate problem: self-signed certificate

I think I can assume that the Traefik ingress routing is fine because HTTP returns the website. The error I find is linked to Let's Encrypt. When I describe the ClusterIssuer I see it failing at the challenge, and when I describe the Challenge I see the following output:

> Error accepting authorization: acme: authorization error for
> example.com: 403 urn:ietf:params:acme:error:unauthorized:
> 2a03:b0c0:2:d0::14bf:4001: Invalid response from
> https://example.com/.well-known/acme-challenge/1jCkfOGWPGmma9waQdeKaG55ZsQoGXB4pVRxVpJkcnU:
> 404

  • Where should I start debugging?
  • Is the DNS management connected to this HTTP-01 Let's Encrypt issue I am having? I think it could be, because maybe the Let's Encrypt challenge also tries to go via www and it does not stay local on my VPS.

Sorry for the long epistle, I appreciate you reading it.

Patrick Mevzek
furion2000
  • `444.55.666.777` is not a valid IPv4 address. Other than that and this very bad obfuscation, your question is offtopic here as unrelated to programming. – Patrick Mevzek Jan 15 '23 at 17:58
  • As it is only to show the difference between the other example addresses, so maybe you misinterpret this. Other than that, you could have left it at offtopic, I am trying to formulate the question the best I can at this point @PatrickMevzek – furion2000 Jan 16 '23 at 14:51
  • " I am trying to formulate the question the best I can at this point" Then don't obfuscate and even more don't obfuscate badly. – Patrick Mevzek Jan 16 '23 at 15:58
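As an added example that is not part of the question, the comments or the answer (and not DirectAdmin, Traefik or cert-manager code), a small Python pre-flight check for the first bullet, "where should I start debugging": it resolves every name the certificate must cover to all of its A and AAAA records, flags any address that is not the load balancer's, and then probes the challenge path over plain HTTP at each address, which is how the CA validates HTTP-01. Both record types are checked because the validating address quoted in the challenge error above is an IPv6 one, and the CA can only reach the cluster if whatever address it picks is the one Traefik sits behind. The names, the load balancer address 203.0.113.10 and the probe token are assumptions; the resolver and the HTTP probe can be swapped out, which is what the offline test does.

```python
# Added example (not from the question or answer): pre-flight check for an
# HTTP-01 challenge. For every name the certificate must cover it resolves both
# A and AAAA records, because the CA may validate over whichever address it
# gets, and then probes the challenge path over plain HTTP (port 80) at each
# address. Names, addresses and the probe token below are assumptions.
import ipaddress
import socket
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Hypothetical token: the probe only needs the same path shape the CA uses.
PROBE_TOKEN = "probe-token-not-a-real-challenge"


def resolve_all(name):
    """Every A and AAAA address for `name`, sorted (empty list if none)."""
    addrs = set()
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            for info in socket.getaddrinfo(name, 80, family, socket.SOCK_STREAM):
                addrs.add(info[4][0])
        except socket.gaierror:
            pass
    return sorted(addrs)


def fetch_status(ip, host, path, timeout=5):
    """HTTP status code of GET http://<ip><path> sent with Host: <host>,
    or None when nothing at that address answers on port 80."""
    target = f"[{ip}]" if ":" in ip else ip
    req = urllib.request.Request(f"http://{target}{path}", headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # a 404 still proves the request arrived somewhere
    except (urllib.error.URLError, OSError):
        return None


def diagnose(names, expected_ips, resolve=resolve_all, fetch=fetch_status):
    """Return a list of findings; an empty list means every address the CA
    could pick for every name is the load balancer and answers on port 80."""
    findings = []
    expected = set()
    for ip in expected_ips:
        try:
            expected.add(str(ipaddress.ip_address(ip)))
        except ValueError:
            findings.append(f"expected address {ip!r} is not a valid IP address")
    for name in names:
        addrs = resolve(name)
        if not addrs:
            findings.append(f"{name}: no A or AAAA record resolves")
            continue
        for ip in addrs:
            if ip not in expected:
                findings.append(
                    f"{name}: resolves to {ip}, which is not the load balancer")
            status = fetch(ip, name, CHALLENGE_PREFIX + PROBE_TOKEN)
            if status is None:
                findings.append(f"{name} via {ip}: nothing answers on port 80")
            else:
                print(f"{name} via {ip}: HTTP {status} for the challenge path")
    return findings


if __name__ == "__main__":
    # Assumed values: replace with the names in the Certificate and the
    # external IP of the Traefik LoadBalancer service.
    for line in diagnose(["example.com", "www.example.com"], ["203.0.113.10"]):
        print("PROBLEM:", line)
```

Run it from outside the cluster as well as from inside the VPS: an entry in /etc/hosts only changes what the VPS itself resolves, while the CA uses public DNS, so a name that still carries an old A or AAAA record (or whose 3600-second TTL has not expired yet) will send the validator to the wrong host even though curl on the VPS looks fine.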

1 Answer

1

I faced a similar issue on a DigitalOcean Kubernetes cluster. I resolved it by using the configuration below on the service.

To fix the problem on the DOKS cluster, it is enough to add these annotations to the ingress-nginx-controller service:

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        # have the DigitalOcean load balancer pass the client address via PROXY protocol
        service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
        # a DNS name that resolves to this load balancer
        service.beta.kubernetes.io/do-loadbalancer-hostname: "anyDNSEntryWithThisLoadBalancer, ex: prefix.mydomain.com"

Add this annotation to the Ingress YAML:

    acme.cert-manager.io/http01-edit-in-place: "true"  # annotation values must be strings

You can find the whole discussion here: https://github.com/cert-manager/cert-manager/issues/3238

Dharman