Bug
Resolution: Not a Bug
4.12
Quality / Stability / Reliability
Critical
Proposed
Description of problem:
http01 solver does not work in OpenStack and vSphere environments.
Version-Release number of selected component (if applicable):
OCP 4.12.8, cert-manager operator 1.10.2-21 bundle.
How reproducible:
Always
Steps to Reproduce:
1. Launch OpenStack / vSphere environments. Install the RH cert-manager operator.
2. $ cat clusterissuer-acme-http01-example.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    preferredChain: ""
    privateKeySecretRef:
      name: example-issuer-account-key-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: openshift-default
$ oc create -f clusterissuer-acme-http01-example.yaml
$ oc get clusterissuer
NAME               READY   AGE
letsencrypt-prod   True    7m
3.
$ oc new-project hello
$ oc new-app openshift/hello-openshift
4.
$ cat ingress-using-clusterissuer-must-modify-with-your-cluster-domain-before-use.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-test
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
  - host: hello.apps.xxia-22-hs.qe.devcluster.openshift.com
    http:
      paths:
      - path: "/"
        backend:
          service:
            name: hello-openshift
            port:
              number: 8080
        pathType: "Prefix"
  tls:
  - hosts:
    - hello.apps.xxia-22-hs.qe.devcluster.openshift.com
    secretName: ingress-secret
$ oc create -f ingress-using-clusterissuer-must-modify-with-your-cluster-domain-before-use.yaml
5.
$ oc get route
NAME                              HOST/PORT                                           PATH                                                                     SERVICES                    PORT   TERMINATION   WILDCARD
cm-acme-http-solver-77x7k-9xkwq   hello.apps.xxia-22-hs.qe.devcluster.openshift.com   /.well-known/acme-challenge/i525ONczcC38eaG58oSCID78rBDJbTFDgX02GN9Ctzo   cm-acme-http-solver-sxfkh   http                 None
$ oc get svc
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
cm-acme-http-solver-sxfkh   NodePort    172.30.124.180   <none>        8089:31241/TCP      30s
hello-openshift             ClusterIP   172.30.101.93    <none>        8080/TCP,8888/TCP   10m
$ oc get po
NAME                              READY   STATUS    RESTARTS   AGE
cm-acme-http-solver-pjzxr         1/1     Running   0          56s
hello-openshift-6fbbcff95-6t5wh   1/1     Running   0          10m
$ oc get po
NAME                              READY   STATUS    RESTARTS   AGE
hello-openshift-6fbbcff95-6t5wh   1/1     Running   0          12m
$ oc get route
No resources found in hello namespace.
$ oc get challenge
NAME                                         STATE     DOMAIN                                              AGE
ingress-secret-j95x6-3116253941-1394304551   invalid   hello.apps.xxia-22-hs.qe.devcluster.openshift.com   2m37s
$ oc get cert
NAME             READY   SECRET           AGE
ingress-secret   False   ingress-secret   2m52s
$ oc get challenge ingress-secret-j95x6-3116253941-1394304551 -o yaml
...
spec:
  authorizationURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/212995587577
  dnsName: hello.apps.xxia-22-hs.qe.devcluster.openshift.com
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod
  key: i525ONczcC38eaG58oSCID78rBDJbTFDgX02GN9Ctzo.dEdTPUvKojJqSuOY5M9LC9i4WBzj3H-QQ8DuVARrDvU
  solver:
    http01:
      ingress:
        class: openshift-default
  token: i525ONczcC38eaG58oSCID78rBDJbTFDgX02GN9Ctzo
...
status:
  presented: false
  processing: false
  reason: 'Error accepting authorization: acme: authorization error for hello.apps.xxia-22-hs.qe.devcluster.openshift.com:
    400 urn:ietf:params:acme:error:dns: no valid A records found for hello.apps.xxia-22-hs.qe.devcluster.openshift.com;
    no valid AAAA records found for hello.apps.xxia-22-hs.qe.devcluster.openshift.com'
  state: invalid
$ curl https://acme-v02.api.letsencrypt.org/acme/authz-v3/212995587577
{
  "identifier": {
    "type": "dns",
    "value": "hello.apps.xxia-22-hs.qe.devcluster.openshift.com"
  },
  "status": "invalid",
  "expires": "2023-03-29T08:06:44Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "no valid A records found for hello.apps.xxia-22-hs.qe.devcluster.openshift.com; no valid AAAA records found for hello.apps.xxia-22-hs.qe.devcluster.openshift.com",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/212995587577/ukvXAg",
      "token": "i525O...",
      "validated": "2023-03-22T08:08:02Z"
    }
  ]
}
$ curl https://acme-v02.api.letsencrypt.org/acme/chall-v3/212995587577/ukvXAg
{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "no valid A records found for hello.apps.xxia-22-hs.qe.devcluster.openshift.com; no valid AAAA records found for hello.apps.xxia-22-hs.qe.devcluster.openshift.com",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/212995587577/ukvXAg",
  "token": "i525...o",
  "validated": "2023-03-22T08:08:02Z"
}
$ oc get ingresses.networking.k8s.io ingress-test -o yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
...
status:
loadBalancer: {}
Actual results:
In step 5, we can see that the acme route was auto-created with the HOST and .well-known PATH shown above, and the acme pod was Running. The route should be able to serve the check for the computed key, but the challenge is shown as "invalid".
Expected results:
Should work successfully.
Additional info:
oc get ingresses.networking.k8s.io ingress-test -o yaml shows loadBalancer: {} under "status".
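As an added example (not part of this bug report and not cert-manager's own code), the following Python triages an ACME authorization object like the one curl'd above: it maps the challenge's error type to the validation stage defined in RFC 8555 section 6.7, and computes the key authorization (RFC 8555 section 8.1, RFC 7638 thumbprint) that the solver pod must return at /.well-known/acme-challenge/<token>. The authorization JSON is a copy of the one in the report, with the token filled in from the Challenge resource above; the RSA JWK is constructed for illustration and is not a real account key.

```python
"""Triage an ACME http-01 challenge object and compute the expected key authorization.

Added example, not part of the bug report or of cert-manager.
"""
import base64
import hashlib
import json

# Copy of the authorization object curl'd in the bug report; the token is the
# full value from the Challenge resource (curl output truncated it to "i525O...").
AUTHZ_JSON = """
{
  "identifier": {"type": "dns", "value": "hello.apps.xxia-22-hs.qe.devcluster.openshift.com"},
  "status": "invalid",
  "expires": "2023-03-29T08:06:44Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "no valid A records found for hello.apps.xxia-22-hs.qe.devcluster.openshift.com; no valid AAAA records found for hello.apps.xxia-22-hs.qe.devcluster.openshift.com",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/212995587577/ukvXAg",
      "token": "i525ONczcC38eaG58oSCID78rBDJbTFDgX02GN9Ctzo",
      "validated": "2023-03-22T08:08:02Z"
    }
  ]
}
"""

# RFC 8555 section 6.7 error types, grouped by the validation step the CA
# reached before failing. "resolution" means the CA never opened a connection
# to the solver, so Route/Service/Pod state on the cluster cannot explain it.
STAGE_BY_ERROR = {
    "urn:ietf:params:acme:error:dns": "resolution",
    "urn:ietf:params:acme:error:connection": "connection",
    "urn:ietf:params:acme:error:tls": "connection",
    "urn:ietf:params:acme:error:unauthorized": "response",
    "urn:ietf:params:acme:error:incorrectResponse": "response",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def triage(authz_json: str, challenge_type: str = "http-01") -> dict:
    """Return the challenge's status, error type, failure stage and the path the solver must serve."""
    authz = json.loads(authz_json)
    for chall in authz["challenges"]:
        if chall["type"] != challenge_type:
            continue
        err = chall.get("error") or {}
        err_type = err.get("type")
        return {
            "domain": authz["identifier"]["value"],
            "status": chall["status"],
            "error_type": err_type,
            "stage": STAGE_BY_ERROR.get(err_type, "unknown" if err_type else "none"),
            "token": chall["token"],
            "well_known_path": f"/.well-known/acme-challenge/{chall['token']}",
        }
    raise ValueError(f"no {challenge_type} challenge in authorization")


if __name__ == "__main__":
    result = triage(AUTHZ_JSON)
    print(json.dumps(result, indent=2))
    # Constructed RSA public JWK (not a real account key); any well-formed n/e
    # pair is enough to demonstrate the thumbprint computation.
    fake_jwk = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x00" * 256), "alg": "RS256"}
    print("solver must return:", key_authorization(result["token"], fake_jwk))
```

A `urn:ietf:params:acme:error:dns` result means the CA's resolver found no A or AAAA records for the name and never connected to the solver, so the Route, Service and Pod seen in step 5 are not where this validation stopped; the hostname has to resolve from the public internet before http-01 can be attempted. The second half of the Challenge's `key` field above (after the dot) is exactly the account-key thumbprint this code computes, so the value served by the solver can be compared against it.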