I am working with cert-manager version 1.11.0 in my local RKE2 cluster and would like to issue a certificate using ACME with DNS-01 challenge validation.

I am having a hard time debugging and figuring out what is going on with the request. I see the following in the cert-manager logs:

```
I0331 09:06:34.479464 1 sync.go:227] cert-manager/orders "msg"="All challenges are in a final state, updating order state" "resource_kind"="Order" "resource_name"="cert-testacme-dat-local-tlvkj-3507087216" "resource_namespace"="default" "resource_version"="v1"
I0331 09:06:34.479482 1 sync.go:70] cert-manager/orders "msg"="updating Order resource status" "resource_kind"="Order" "resource_name"="cert-testacme-dat-local-tlvkj-3507087216" "resource_namespace"="default" "resource_version"="v1"
E0331 09:06:34.510116 1 sync.go:73] cert-manager/orders "msg"="failed to update status" "error"=null "resource_kind"="Order" "resource_name"="cert-testacme-dat-local-tlvkj-3507087216" "resource_namespace"="default" "resource_version"="v1"
E0331 09:06:34.510156 1 controller.go:167] cert-manager/orders "msg"="re-queuing item due to error processing" "error"="admission webhook \"webhook.cert-manager.io\" denied the request: status.url: Forbidden: field is immutable once set" "key"="default/cert-testacme-dat-local-tlvkj-3507087216"
```

It says `admission webhook "webhook.cert-manager.io" denied the request: status.url: Forbidden: field is immutable once set`, but I do not understand what it is trying to do, as the TXT challenge was successfully propagated to DNS and it should request the finalize endpoint so the CA can check the challenge from its side.

Spending a few hours trying to debug this and searching for similar issues on the internet has not produced any result...

I would appreciate suggestions on what could be wrong.
I am using the following `ClusterIssuer`:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: clusterissuer-ejbca-acme
spec:
  acme:
    server: https://ejbca.dat.local:8442/ejbca/acme/server/directory
    # Email address used for ACME registration
    email: admin@dat.local
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: issuer-ejbca-acme-secret
    # Enable DNS-01 validations
    solvers:
    - dns01:
        rfc2136:
          nameserver: 10.200.61.14
          tsigKeyName: dat.local.
          tsigAlgorithm: HMACSHA512
          tsigSecretSecretRef:
            name: acmednst01-tsig-secret
            key: tsig-secret
```
I am using `bind9` as the `named` server on Debian. I believe it is configured properly, as I can issue certificates through other ACME clients with DNS-01, like `acme.sh` or `certbot`. The ACME TXT challenge is properly added to the `named` server; I can also see it in the syslog.

The `ClusterIssuer` is also properly registered:

```
Status:
  Acme:
    Last Registered Email:  admin@ddat.local
    Uri:                    https://ejbca.dat.local:8442/ejbca/acme/server/acct/KrBJFJTRWVghIYUyA8GnOw
  Conditions:
    Last Transition Time:  2023-03-31T08:10:27Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
```
I am trying to create a `Certificate` resource:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-testacme-dat-local
  namespace: default
spec:
  secretName: cert-secret-testacme-dat-local
  renewBefore: 365h # 15d
  issuerRef:
    name: clusterissuer-ejbca-acme
    kind: ClusterIssuer
  commonName: testacme.dat.local
  dnsNames:
  - testacme.dat.local
```
And it fails with the reason I described above.

This is the state of the challenge:

```
Spec:
  Authorization URL:  https://ejbca.dat.local:8442/ejbca/acme/server/acct/KrBJFJTRWVghIYUyA8GnOw/authz/a4b0338915f3dd5e120345e488a926759690e66b822a435b0dc17ea11586120a
  Dns Name:           testacme.dat.local
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  clusterissuer-ejbca-acme
  Key:     0724XajSX6W6Gz7yU-ZzdidJZvPegxXBPApNfbS-qQE
  Solver:
    dns01:
      rfc2136:
        Nameserver:      10.200.61.14
        Tsig Algorithm:  HMACSHA512
        Tsig Key Name:   dat.local.
        Tsig Secret Secret Ref:
          Key:   tsig-secret
          Name:  acmednst01-tsig-secret
  Token:     DohvGmDcKo-ymEDgNR2Ofw
  Type:      DNS-01
  URL:       https://ejbca.dat.local:8442/ejbca/acme/server/acct/KrBJFJTRWVghIYUyA8GnOw/chall/pN6nDhVJYq7GTXtPHGEumw
  Wildcard:  false
Status:
  Presented:   false
  Processing:  false
  Reason:      Successfully authorized domain
  State:       valid
Events:
  Type    Reason          Age  From                     Message
  ----    ------          ---- ----                     -------
  Normal  Started         33m  cert-manager-challenges  Challenge scheduled for processing
  Normal  Presented       33m  cert-manager-challenges  Presented challenge using DNS-01 challenge mechanism
  Normal  DomainVerified  32m  cert-manager-challenges  Domain "testacme.dat.local" verified with "DNS-01" validation
```
And the order is stuck:

```
Spec:
  Common Name:  testacme.dat.local
  Dns Names:
    testacme.dat.local
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  clusterissuer-ejbca-acme
  Request:  omitting long request
Status:
  Authorizations:
    Challenges:
      Token:  DohvGmDcKo-ymEDgNR2Ofw
      Type:   dns-01
      URL:    https://ejbca.dat.local:8442/ejbca/acme/server/acct/KrBJFJTRWVghIYUyA8GnOw/chall/pN6nDhVJYq7GTXtPHGEumw
    Identifier:     testacme.dat.local
    Initial State:  pending
    URL:            https://ejbca.dat.local:8442/ejbca/acme/server/acct/KrBJFJTRWVghIYUyA8GnOw/authz/a4b0338915f3dd5e120345e488a926759690e66b822a435b0dc17ea11586120a
    Wildcard:       false
  Finalize URL:  https://ejbca.dat.local:8442/ejbca/acme/server/acct/KrBJFJTRWVghIYUyA8GnOw/orders/_FTaqI-vkHA_0HXE7-66jtgpnLLZQFcJt1eV0ppwrRA/finalize
  State:         pending
  URL:           https://ejbca.dat.local:8442/ejbca/acme/server/acct/KrBJFJTRWVghIYUyA8GnOw/orders/_FTaqI-vkHA_0HXE7-66jtgpnLLZQFcJt1eV0ppwrRA
Events:
  Type    Reason   Age  From                 Message
  ----    ------   ---- ----                 -------
  Normal  Created  36m  cert-manager-orders  Created Challenge resource "cert-testacme-dat-local-tlvkj-3507087216-2356716248" for domain "testacme.dat.local"
```
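As an added debugging aid (not part of the original post and not cert-manager's own code), the following Python parses the klog-style structured log lines quoted in the post and surfaces any admission-webhook "field is immutable" denials together with the Order they concern. The sample lines are the four from the post; the header layout and the `"key"="value"` field syntax are assumed to follow klog's standard format.

```python
"""Parse cert-manager klog lines and flag webhook 'immutable field' denials."""
import re

# klog header: <sev><MMDD> <hh:mm:ss.uuuuuu> <thread> <file:line>] <component> <fields...>
_HEADER = re.compile(
    r'^([IWEF])(\d{4}) (\d{2}:\d{2}:\d{2}\.\d+)\s+\d+ (\S+:\d+)\] (\S+) (.*)$'
)
# "key"="value" pairs (value may contain \" escapes) or "key"=null
_KV = re.compile(r'"([^"]+)"=("(?:[^"\\]|\\.)*"|null)')
# The webhook error format seen in the post: "<field>: Forbidden: field is immutable once set"
_IMMUTABLE = re.compile(r'denied the request: ([\w.]+): Forbidden: field is immutable once set')

# Sample input: the four log lines quoted in the post (raw strings keep the \" escapes)
SAMPLE_LOG = [
    r'I0331 09:06:34.479464 1 sync.go:227] cert-manager/orders "msg"="All challenges are in a final state, updating order state" "resource_kind"="Order" "resource_name"="cert-testacme-dat-local-tlvkj-3507087216" "resource_namespace"="default" "resource_version"="v1"',
    r'I0331 09:06:34.479482 1 sync.go:70] cert-manager/orders "msg"="updating Order resource status" "resource_kind"="Order" "resource_name"="cert-testacme-dat-local-tlvkj-3507087216" "resource_namespace"="default" "resource_version"="v1"',
    r'E0331 09:06:34.510116 1 sync.go:73] cert-manager/orders "msg"="failed to update status" "error"=null "resource_kind"="Order" "resource_name"="cert-testacme-dat-local-tlvkj-3507087216" "resource_namespace"="default" "resource_version"="v1"',
    r'E0331 09:06:34.510156 1 controller.go:167] cert-manager/orders "msg"="re-queuing item due to error processing" "error"="admission webhook \"webhook.cert-manager.io\" denied the request: status.url: Forbidden: field is immutable once set" "key"="default/cert-testacme-dat-local-tlvkj-3507087216"',
]


def parse_line(line):
    """Return a dict of header fields plus the structured key/value pairs, or None."""
    m = _HEADER.match(line)
    if not m:
        return None
    sev, date, time, src, comp, rest = m.groups()
    entry = {"severity": sev, "date": date, "time": time, "source": src, "component": comp}
    for key, raw in _KV.findall(rest):
        # null stays None; quoted values are unescaped
        entry[key] = None if raw == "null" else raw[1:-1].replace('\\"', '"')
    return entry


def immutable_field(entry):
    """Name of the field the webhook refused to change, or None if not that error."""
    m = _IMMUTABLE.search(entry.get("error") or "")
    return m.group(1) if m else None


def webhook_denials(lines):
    """(order key, field) for every error line that is an immutable-field denial."""
    found = []
    for line in lines:
        e = parse_line(line)
        if e and e["severity"] == "E" and immutable_field(e):
            found.append((e.get("key") or e.get("resource_name"), immutable_field(e)))
    return found


if __name__ == "__main__":
    for order, field in webhook_denials(SAMPLE_LOG):
        print(f"{order}: webhook rejected update to {field}")
```

Running it over a live `kubectl logs` stream of the cert-manager controller isolates the denials from the surrounding informational lines, which makes it quicker to see which Order keeps being re-queued and which status field the CA's response is changing.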