OpenShift Bugs: OCPBUGS-45703

Cert Manager http01 challenge fails to reach challenge pod

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version: 4.16.z
    • Component: cert-manager
    • Quality / Stability / Reliability
    • Severity: Important
    • Sprint: OAPE Sprint 267

      Description of problem:

      Attempting to get a certificate issued for the API server endpoint of the cluster. The http01 challenge never succeeds because the endpoint routes to the API VIP on control plane nodes but the challenge pod is behind the ingress routers on worker nodes.

      Following the procedure in the documentation.

      Create ClusterIssuer:

      ---
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: test-private-acme
      spec:
        acme:
          preferredChain: ""
          privateKeySecretRef:
            name: test-private-acme-key
          server: https://pebble-svc-pebble.apps.ran-vcl04.ptp.eng.rdu2.dc.redhat.com/dir
          # server PEM, base64 encoded
          caBundle: # <trimmed>
          solvers:
          - http01:
              ingress:
                class: openshift-default

      Create Certificate:

      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: custom-api-cert
        namespace: openshift-config
      spec:
        isCA: false
        commonName: "api.cnfdf02.telco5gran.eng.rdu2.redhat.com"
        secretName: custom-api-cert
        dnsNames:
        - "api.cnfdf02.telco5gran.eng.rdu2.redhat.com"
        issuerRef:
          group: cert-manager.io
          kind: ClusterIssuer
          name: test-private-acme

      The challenge pod and ingress/route get created:

      $ oc get pod -n openshift-config
      NAME                        READY   STATUS    RESTARTS   AGE
      cm-acme-http-solver-x2b5p   1/1     Running   0          19m
      
      $ oc get route -n openshift-config
      NAME                              HOST/PORT                                    PATH                                                                      SERVICES                    PORT   TERMINATION   WILDCARD
      cm-acme-http-solver-gdkpp-bgs7c   api.cnfdf02.telco5gran.eng.rdu2.redhat.com   /.well-known/acme-challenge/NO-Tz3_QE7woxJnY7IIktjQ01PaSaEynpArtRp9Cy_8   cm-acme-http-solver-x4dtx   http                 None

      Attempts to reach the challenge pod externally fail:

      $ curl -k api.cnfdf02.telco5gran.eng.rdu2.redhat.com/.well-known/acme-challenge/NO-Tz3_QE7woxJnY7IIktjQ01PaSaEynpArtRp9Cy_8
      curl: (7) Failed to connect to api.cnfdf02.telco5gran.eng.rdu2.redhat.com port 80 after 32 ms: Could not connect to server 

      However, if I update my /etc/hosts so that the API endpoint resolves to the cluster ingress VIP, I can reach the pod as expected:

      $ sudo vi /etc/hosts
      $ curl -k api.cnfdf02.telco5gran.eng.rdu2.redhat.com/.well-known/acme-challenge/NO-Tz3_QE7woxJnY7IIktjQ01PaSaEynpArtRp9Cy_8
      NO-Tz3_QE7woxJnY7IIktjQ01PaSaEynpArtRp9Cy_8.wntMpvkklAJLtbCkY9GJHbY5flyNG-M7NoMX0ySg5tI
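      A pre-flight check for the mismatch shown above, added here as an example and not part of this report or of cert-manager: it resolves each dnsName a Certificate would carry and compares the addresses with those of a host known to be served by the ingress routers, flagging names (such as the API endpoint) that an http01 Ingress/Route solver can never answer for. The cluster names and addresses in the sample resolver are constructed, and `check_http01_reachability` is a hypothetical helper.

```python
"""Pre-flight check (added here, not part of cert-manager): does each dnsName
resolve to the ingress routers?  The http01 solver serves the token through an
Ingress/Route, so ACME can only fetch it at names that resolve to the ingress
VIP; api.<cluster> resolves to the API VIP instead, which is this bug."""
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]

def system_resolver(name: str) -> List[str]:
    """Resolve a host name with the system resolver; [] if unknown."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def check_http01_reachability(dns_names: Iterable[str], ingress_host: str,
                              resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Classify each dnsName against the addresses of ingress_host, a name
    already served by the ingress routers (e.g. a route under *.apps)."""
    ingress_ips = set(resolve(ingress_host))
    if not ingress_ips:
        raise ValueError(f"cannot resolve ingress host {ingress_host!r}")
    report: Dict[str, str] = {}
    for name in dns_names:
        ips = set(resolve(name))
        if not ips:
            report[name] = "unresolvable: http01 challenge cannot succeed"
        elif ips <= ingress_ips:
            report[name] = "ok: resolves to the ingress VIP"
        elif ips & ingress_ips:
            report[name] = "partial: some addresses bypass the ingress routers"
        else:
            report[name] = ("mismatch: resolves to " + ", ".join(sorted(ips)) +
                            ", not the ingress VIP; an Ingress/Route solver is unreachable")
    return report

# Constructed sample DNS for a hypothetical cluster (not the one in the report):
# the API name points at the API VIP, *.apps names at the ingress VIP.
SAMPLE_DNS = {
    "api.cluster.example.com": ["192.0.2.10"],
    "console-openshift-console.apps.cluster.example.com": ["192.0.2.20"],
    "pebble.apps.cluster.example.com": ["192.0.2.20"],
}

def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for system_resolver, backed by the constructed table."""
    return SAMPLE_DNS.get(name, [])
```

      Against a real cluster, call `check_http01_reachability(spec.dnsNames, "<host of any existing *.apps route>")` with the default resolver; the sample resolver reproduces the failure pattern offline.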


      Version-Release number of selected component (if applicable):

      cert-manager: 1.14.1
      OCP: 4.16.15


      How reproducible:

      100%

      Steps to Reproduce:

      see above

      Actual results:

      No secret issued

      Expected results:

      Challenge completes and secret issued

      Additional info:

      People: Brandon Palm, Ian Miller, Yuedong Wu